Last updated: July 5, 2026 at 9:01 AM UTC
Tag: open-source (3 articles)

Public exploit released for critical libssh2 flaw affecting curl, Git, and more

A public proof-of-concept has been released for a critical flaw in libssh2 (CVE-2026-55200), the client-side SSH library embedded in curl, Git, PHP, backup agents, firmware updaters, and countless appliances. A malicious or compromised SSH server can send a crafted packet that corrupts memory on the connecting client, with no credentials or user interaction needed, potentially leading to code execution. Rated 9.2, the bug affects all versions through 1.11.1. The fix was merged into the source on June 12, but no tagged release exists yet, so distributions are backporting it. The hardest part is that libssh2 is often statically bundled, so package updates miss those copies entirely.

Check
Inventory everything that links libssh2, including statically bundled copies inside curl, Git, PHP, backup tools, and appliances that package managers will not flag, especially anything connecting to untrusted SSH servers.
Affected
Any software using libssh2 through version 1.11.1 that connects to an untrusted or attacker-controlled SSH server (CVE-2026-55200); the malicious server, not the client, triggers the memory corruption without authentication.
Fix
Apply a build that includes the upstream fix, whether a distribution backport or patched source, watch vendor advisories for tagged releases, and restrict outbound SSH to untrusted servers until patched.

Curl's largest security release fixes 18 flaws, including a 25-year-old bug

The curl project shipped its largest-ever security release, version 8.21.0, fixing 18 vulnerabilities, among them a flaw that had gone unnoticed for 25 years. That bug (CVE-2026-8932) lets an application reuse an existing connection even after its client certificate or key changed, allowing an authentication bypass; it affects software built on the libcurl library rather than the command-line tool. Other fixes address credential confusion, memory-corruption bugs, and improper host validation. Most are rated medium or low, but libcurl is embedded in an enormous range of products, from IoT devices to CI/CD pipelines and cars, so the practical reach is large and easy to overlook.

Check
Identify where curl and especially the libcurl library are used across your applications, devices, containers, and build pipelines, since most exposure comes from embedded libcurl rather than the command-line tool.
Affected
Applications and devices built on libcurl before version 8.21.0 (CVE-2026-8932 and others); those using mutual TLS with changing client certificates face an authentication-bypass risk through connection reuse.
Fix
Update to curl and libcurl 8.21.0, rebuild and redeploy software that bundles libcurl, and prioritize systems using mutual TLS or handling credentials, including embedded and IoT devices that update slowly.
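One way to carry out the inventory steps in the two "Check" items above (libssh2 and libcurl), as an added example that is not from either article or either project: it scans the files under a directory for the version strings these libraries embed (assumed markers: libssh2's "SSH-2.0-libssh2_<ver>" banner and the "libssh2/<ver>" and "libcurl/<ver>" strings curl reports) and for the shared-object names a dynamically linked binary references, then flags versions inside the ranges the articles give. A flagged version string only marks a candidate, since a distribution backport keeps the old version number; confirm against the vendor advisory before treating a binary as vulnerable.

```python
import re
import sys
from pathlib import Path

# Version markers that bundled (statically linked) copies leave in a binary's
# string table. Assumption: libssh2 embeds "SSH-2.0-libssh2_<ver>" and curl
# embeds "libcurl/<ver>" (and "libssh2/<ver>" when built against libssh2).
# Affected ranges are the ones the articles state: libssh2 <= 1.11.1, libcurl < 8.21.0.
MARKERS = {
    "libssh2": (re.compile(rb"libssh2[_/](\d+\.\d+\.\d+)"), lambda v: v <= (1, 11, 1)),
    "libcurl": (re.compile(rb"libcurl/(\d+\.\d+\.\d+)"), lambda v: v < (8, 21, 0)),
}
# Shared-object names that show up in .dynstr of a dynamically linked consumer;
# those copies are the package manager's job, but still belong in the inventory.
NEEDED = {"libssh2": rb"libssh2\.so", "libcurl": rb"libcurl\.so"}


def parse_version(s: bytes) -> tuple:
    return tuple(int(p) for p in s.split(b"."))


def scan_bytes(data: bytes) -> dict:
    """Return {lib: {"versions": [...], "dynamic": bool, "flagged": bool}} for each library referenced."""
    out = {}
    for lib, (rx, affected) in MARKERS.items():
        versions = sorted({parse_version(m.group(1)) for m in rx.finditer(data)})
        dynamic = re.search(NEEDED[lib], data) is not None
        if versions or dynamic:
            out[lib] = {
                "versions": [".".join(map(str, v)) for v in versions],
                "dynamic": dynamic,
                # Only an embedded version string can be judged; "flagged" means candidate, not confirmed.
                "flagged": any(affected(v) for v in versions),
            }
    return out


def scan_tree(root: str) -> list:
    """Scan every regular file under root; returns (path, findings) for files referencing either library."""
    results = []
    for p in Path(root).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        try:
            hits = scan_bytes(p.read_bytes())
        except OSError:
            continue  # unreadable file: skip rather than abort the whole inventory
        if hits:
            results.append((str(p), hits))
    return results


if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr"):
        for lib, info in hits.items():
            print(f"{path}: {lib} versions={info['versions']} dynamic={info['dynamic']} flagged={info['flagged']}")
```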

AI agent finds 21 FFmpeg zero-days, public exploit code released

A security startup's autonomous AI agent scanned FFmpeg, the open-source media library built into countless video and audio tools, and turned up 21 previously unknown bugs, each with working proof-of-concept code that crashes or corrupts memory when the software processes a malicious media file. Several flaws are 15 to 20 years old; one dates back to 2003. Nine already carry CVE numbers (CVE-2026-39210 through CVE-2026-39218), and the rest are fixed but not yet numbered. The whole run cost about $1,000. Because FFmpeg sits inside browsers, media servers, and apps everywhere, any product that decodes untrusted video could be at risk.

Check
Inventory software and services that bundle FFmpeg or libav, especially media servers and transcoding pipelines that decode untrusted, user-supplied video or audio files.
Affected
FFmpeg builds containing the affected parsers and demuxers (TS, VP9, DASH, and others). Nine flaws tracked as CVE-2026-39210 through CVE-2026-39218; remaining bugs fixed but unnumbered.
Fix
Apply upstream fixes by updating to the newest official FFmpeg build; distributions are shipping patches now. Rebuild any app that statically bundles FFmpeg against the fixed code.