HomeDefault status
unaffected
8.17.0 (semver)
affected
8.16.0 (semver)
affected
8.15.0 (semver)
affected
8.14.1 (semver)
affected
8.14.0 (semver)
affected
8.13.0 (semver)
affected
8.12.1 (semver)
affected
8.12.0 (semver)
affected
8.11.1 (semver)
affected
8.11.0 (semver)
affected
8.10.1 (semver)
affected
8.10.0 (semver)
affected
8.9.1 (semver)
affected
8.9.0 (semver)
affected
8.8.0 (semver)
affected
8.7.1 (semver)
affected
8.7.0 (semver)
affected
8.6.0 (semver)
affected
8.5.0 (semver)
affected
8.4.0 (semver)
affected
8.3.0 (semver)
affected
8.2.1 (semver)
affected
8.2.0 (semver)
affected
8.1.2 (semver)
affected
8.1.1 (semver)
affected
8.1.0 (semver)
affected
8.0.1 (semver)
affected
8.0.0 (semver)
affected
7.88.1 (semver)
affected
7.88.0 (semver)
affected
7.87.0 (semver)
affected
7.86.0 (semver)
affected
7.85.0 (semver)
affected
7.84.0 (semver)
affected
7.83.1 (semver)
affected
7.83.0 (semver)
affected
7.82.0 (semver)
affected
7.81.0 (semver)
affected
7.80.0 (semver)
affected
7.79.1 (semver)
affected
7.79.0 (semver)
affected
7.78.0 (semver)
affected
7.77.0 (semver)
affected
7.76.1 (semver)
affected
7.76.0 (semver)
affected
7.75.0 (semver)
affected
7.74.0 (semver)
affected
7.73.0 (semver)
affected
7.72.0 (semver)
affected
7.71.1 (semver)
affected
7.71.0 (semver)
affected
7.70.0 (semver)
affected
7.69.1 (semver)
affected
7.69.0 (semver)
affected
7.68.0 (semver)
affected
7.67.0 (semver)
affected
7.66.0 (semver)
affected
7.65.3 (semver)
affected
7.65.2 (semver)
affected
7.65.1 (semver)
affected
7.65.0 (semver)
affected
7.64.1 (semver)
affected
7.64.0 (semver)
affected
7.63.0 (semver)
affected
7.62.0 (semver)
affected
7.61.1 (semver)
affected
7.61.0 (semver)
affected
7.60.0 (semver)
affected
7.59.0 (semver)
affected
7.58.0 (semver)
affected
Description
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.
Problem types
CWE-297 Improper Validation of Certificate with Host Mismatch
Product status
8.17.0 (semver)
8.16.0 (semver)
8.15.0 (semver)
8.14.1 (semver)
8.14.0 (semver)
8.13.0 (semver)
8.12.1 (semver)
8.12.0 (semver)
8.11.1 (semver)
8.11.0 (semver)
8.10.1 (semver)
8.10.0 (semver)
8.9.1 (semver)
8.9.0 (semver)
8.8.0 (semver)
8.7.1 (semver)
8.7.0 (semver)
8.6.0 (semver)
8.5.0 (semver)
8.4.0 (semver)
8.3.0 (semver)
8.2.1 (semver)
8.2.0 (semver)
8.1.2 (semver)
8.1.1 (semver)
8.1.0 (semver)
8.0.1 (semver)
8.0.0 (semver)
7.88.1 (semver)
7.88.0 (semver)
7.87.0 (semver)
7.86.0 (semver)
7.85.0 (semver)
7.84.0 (semver)
7.83.1 (semver)
7.83.0 (semver)
7.82.0 (semver)
7.81.0 (semver)
7.80.0 (semver)
7.79.1 (semver)
7.79.0 (semver)
7.78.0 (semver)
7.77.0 (semver)
7.76.1 (semver)
7.76.0 (semver)
7.75.0 (semver)
7.74.0 (semver)
7.73.0 (semver)
7.72.0 (semver)
7.71.1 (semver)
7.71.0 (semver)
7.70.0 (semver)
7.69.1 (semver)
7.69.0 (semver)
7.68.0 (semver)
7.67.0 (semver)
7.66.0 (semver)
7.65.3 (semver)
7.65.2 (semver)
7.65.1 (semver)
7.65.0 (semver)
7.64.1 (semver)
7.64.0 (semver)
7.63.0 (semver)
7.62.0 (semver)
7.61.1 (semver)
7.61.0 (semver)
7.60.0 (semver)
7.59.0 (semver)
7.58.0 (semver)
Credits
Harry Sintonen
Daniel Stenberg
References
www.openwall.com/lists/oss-security/2026/01/07/6
curl.se/docs/CVE-2025-15079.json (json)
curl.se/docs/CVE-2025-15079.html (www)
hackerone.com/reports/3477116 (issue)