Rankiteo
Leader in Cyber Underwriting

The cURL project Vendor Cyber Rating & Cyber Score

curl.se

An open source project creating a command line tool and library for transferring data with URLs. Portable, fast, feature rich and stable.


A.I CyberSecurity Scoring for CP (the abbreviation used on this page for The cURL project)
Company Information
Website:https://curl.se/
Employees number:3
Number of followers:0
NAICS:5112
Industry Type:Software Development
Homepage:curl.se
CP Risk Score (AI oriented): between 750 and 799
Industry: Software Development
Updated: 25/06/2026
Score: 785/1000, rating Baa (Fair)
Rating scale: Aaa, Aa, A, Baa, Ba, B, Caa, Ca, C
Powered by our proprietary A.I cyber incident model
Insurers prefer the TPRM score when calculating premiums.
CP Global Score (TPRM): score locked
The locked view gives access to detailed risk factors, vulnerabilities, a benchmark against industry and size peers, and findings.

Current Score: 785, Baa (Fair), on a scale of 0 to 1000
2 incidents, -6 average impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026: 785 (before incident)
JUNE 2026: 791 (before incident)
Vulnerability, 24 Jun 2026
curl project: curl Patches 18 Vulnerabilities Including Password Leak and WebSocket Memory Bugs

curl 8.21.0 Patches Record 18 Vulnerabilities in Single Release

Score after incident: 785 (severity LOW, impact -6)
THE1782398225
On June 24, 2026, the curl project released version 8.21.0, addressing a record 18 security vulnerabilities, the highest number fixed in a single update for the widely used data transfer tool. This brings the total number of publicly disclosed curl vulnerabilities to 206 since the project's inception. The update includes fixes for credential leakage, memory corruption in WebSocket handling, and use-after-free (UAF) bugs in HTTP/2 and socket callbacks.

Four of the patched flaws were rated Medium severity:

- CVE-2026-8925: a SASL double-free bug leading to memory corruption during authentication.
- CVE-2026-8927: an environment-set cross-proxy Digest auth state leak exposing credentials.
- CVE-2026-9079: a stale proxy password leak risking unintended credential reuse.
- CVE-2026-11856: a cross-origin Digest authentication state leak allowing unauthorized access.

The remaining 14 were classified as Low severity but still pose risks, including denial of service via WebSocket memory exhaustion (CVE-2026-11586), an SSH host verification bypass (CVE-2026-9547), and HTTP/3 data exposure (CVE-2026-9545). Other fixes address connection reuse flaws, QUIC UDP datagram loops, and persistent CA trust issues.

Alongside the security fixes, the release adds named glob support for URL patterns, HTTP/3 proxy CONNECT, and SHA-256 host public key support via libssh. It deprecates HTTP/2 stream dependency tracking, NTLM, SMB, and TLS-SRP support, with removal planned for future versions. The next curl release is scheduled for September 2, 2026, following a two-week extension of the development cycle.

Organizations relying on curl or libcurl are advised to upgrade immediately to mitigate the credential exposure and memory corruption risks.
INCIDENT DETAILS -
TYPE
Vulnerability Disclosure
IMPACT
Data Compromised: credentials, memory corruption, unauthorized access, denial of service, SSH host verification bypass, HTTP/3 data exposure
Systems Affected: systems using curl or libcurl
Operational Impact: potential unauthorized access, credential exposure, memory corruption, and denial of service
Identity Theft Risk: High (due to credential leakage and PII exposure risks)
DATA BREACH
Type Of Data Compromised: credentials, authentication states, memory data
Sensitivity Of Data: High (credentials, PII risks)
Personally Identifiable Information: potential (via credential leaks)
Vulnerability, 24 Jun 2026
curl: PoC Exploit Released for libssh2 Remote Code Execution Vulnerability

Critical libssh2 RCE Vulnerability (CVE-2026-55200) Exploitable via Public PoC

Score after incident: 785 (severity CRITICAL, impact -6)
THE1782318614
A proof-of-concept (PoC) exploit for CVE-2026-55200, a critical remote code execution (RCE) vulnerability in libssh2, has been released, heightening the risk of attacks against unpatched systems. The flaw affects libssh2 versions up to and including 1.11.1 and stems from an unchecked `packet_length` field in the `ssh2_transport_read()` function. The missing check lets an attacker trigger a 32-bit integer wrap, leading to an undersized heap allocation and out-of-bounds writes during packet processing.

The PoC, published in the exploitarium repository, includes a C11 verifier demonstrating how a crafted `packet_length` (e.g., `0xffffffff`) forces a tiny memory allocation while retaining a large logical packet size. Subsequent operations then overflow the buffer and corrupt adjacent heap structures. The repository also provides a malicious Python-based SSH server that delivers the malformed packet to vulnerable libssh2 clients without authentication or user interaction, consistent with the vulnerability's CVSS 9.2 severity rating.

Because libssh2 is integrated into tools such as curl, backup agents, firmware updaters, and embedded appliances, any software that links the library and connects to untrusted SSH endpoints is at risk. The PoC includes a local RCE harness that models the exploit's allocation-to-control pattern, confirming that code execution is feasible, though real-world exploitation depends on target-specific factors such as binary layout and mitigations.

The upstream fix, introduced in commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8, enforces a strict guard against oversized `packet_length` values. However, no new libssh2 release containing the patch has been widely announced, and downstream projects are still backporting fixes. Organizations are advised to identify and patch affected software and, in the meantime, to restrict connections to untrusted SSH servers.
INCIDENT DETAILS -
TYPE
Remote Code Execution (RCE)
IMPACT
Systems Affected: Software linking libssh2 (e.g., curl, backup agents, firmware updaters, embedded appliances)
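The integer wrap behind the libssh2 incident above, modelled in C as an added illustration. This is not libssh2's code and not the exploitarium PoC: the page does not show the real arithmetic, so the "+ 4" (room for the length field itself), the packet layout and the MAX_PACKET_LENGTH ceiling are assumptions made for the demo. It contrasts the flawed size computation, which wraps for `0xffffffff`, with a bounded one that rejects the packet before any allocation happens; it never performs the out-of-bounds write, it only reports the size mismatch that would cause it.

```c
/* Added illustration, not libssh2's code or the exploitarium PoC.
 * Models the bug class in the advisory: an attacker-controlled 32-bit
 * packet_length used in size arithmetic without a bound check, so the
 * allocation wraps while the logical packet size stays huge.
 * The "+ 4" and MAX_PACKET_LENGTH are assumptions for this demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* RFC 4253 requires implementations to accept packets of at least 35000
 * bytes; a client has no reason to accept more from a server.
 * Assumed ceiling for the demo, not libssh2's constant. */
#define MAX_PACKET_LENGTH 35000u

/* Parse the big-endian uint32 packet_length that starts an SSH binary packet. */
uint32_t parse_packet_length(const unsigned char hdr[4])
{
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
}

/* Flawed computation: packet_length + 4 in uint32 arithmetic.
 * 0xffffffff + 4 wraps to 3, so the heap buffer would be 3 bytes. */
uint32_t alloc_size_unchecked(uint32_t packet_length)
{
    return packet_length + 4u;
}

/* Does the unchecked path yield a buffer smaller than the bytes the
 * packet claims to carry? That mismatch is the out-of-bounds write. */
int unchecked_would_overflow(uint32_t packet_length)
{
    return alloc_size_unchecked(packet_length) < packet_length;
}

/* Hardened computation: reject anything over the protocol ceiling before
 * doing arithmetic, then compute in size_t so the sum cannot wrap.
 * Returns 1 and sets *out on success, 0 when the packet is rejected. */
int alloc_size_checked(uint32_t packet_length, size_t *out)
{
    if (packet_length > MAX_PACKET_LENGTH)
        return 0;
    *out = (size_t)packet_length + 4u;
    return 1;
}

int main(void)
{
    /* Constructed headers: one hostile (0xffffffff), one benign (1024). */
    const unsigned char evil[4]   = {0xff, 0xff, 0xff, 0xff};
    const unsigned char benign[4] = {0x00, 0x00, 0x04, 0x00};
    const unsigned char *pkts[2]  = {evil, benign};
    size_t sz;

    for (int i = 0; i < 2; i++) {
        uint32_t len = parse_packet_length(pkts[i]);
        printf("packet_length=0x%08x unchecked alloc=%u overflow=%s ",
               len, alloc_size_unchecked(len),
               unchecked_would_overflow(len) ? "yes" : "no");
        if (alloc_size_checked(len, &sz))
            printf("checked alloc=%zu (accepted)\n", sz);
        else
            printf("checked: rejected\n");
    }
    return 0;
}
```

The practitioner's takeaway is the ordering in `alloc_size_checked`: the bound check runs on the raw field before any arithmetic, and the arithmetic is done in a wider type. A check placed after the addition would compare the already-wrapped value and pass.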
MAY 2026: 791 (before incident)
APRIL 2026: 791 (before incident)
MARCH 2026: 791 (before incident)
FEBRUARY 2026: 791 (before incident)
JANUARY 2026: 791 (before incident)
DECEMBER 2025: 791 (before incident)
NOVEMBER 2025: 791 (before incident)
OCTOBER 2025: 791 (before incident)
SEPTEMBER 2025: 791 (before incident)
AUGUST 2025: 791 (before incident)

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for CP?
What was CP's A.I Rankiteo Cyber Score in June 2026?
What was CP's A.I Rankiteo Cyber Score in May 2026?
What was CP's A.I Rankiteo Cyber Score in April 2026?
What was CP's A.I Rankiteo Cyber Score in March 2026?
What was CP's A.I Rankiteo Cyber Score in February 2026?
What was CP's A.I Rankiteo Cyber Score in January 2026?
What was CP's A.I Rankiteo Cyber Score in December 2025?
What was CP's A.I Rankiteo Cyber Score in November 2025?
What was CP's A.I Rankiteo Cyber Score in October 2025?
What was CP's A.I Rankiteo Cyber Score in September 2025?
What was CP's A.I Rankiteo Cyber Score in August 2025?
What is the average per-incident point impact on CP's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with CP?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view CP's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?