CVE-2026-8924
A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This e
CVSS
9.1
Critical
EPSS
0.6%
p47
KEV
—
Exploit Today
14
0-100
Published: Jul 3, 2026 · Last modified: Jul 7, 2026
0.2%EPSS · 30 days0.6%
2026-07-042026-07-17
A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
No related CVEs by CWE or product.