JLSEC-2026-389 — Vulnetix

JLSEC-2026-389 PUBLISHED CVSS 9.300000190734863 CRITICAL

The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more.

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
Julia	CURL_jll	0
Julia	LibCURL_jll	7.81.0+0

Timeline

May 4, 2026 CVE Published
May 4, 2026 CVE Updated

References

https://hackerone.com/reports/1553841 url
https://security.gentoo.org/glsa/202212-01 url
https://security.netapp.com/advisory/ntap-20220609-0009/ url

Open in Interactive Console →