Top stories
curl 8.21.0 ships a record 18 CVEs, including a 25-year-old flaw
- Category: Security
- Status: confirmed
- Sources: curl 8.21.0 post, curl advisories, AISLE writeup, HN
- Summary: Daniel Stenberg released curl 8.21.0 on 2026-06-24 fixing 18 CVEs, the most in any single curl release and any calendar year. Severities are 4 medium and 14 low, with no high or critical. CVE-2026-8932, an incomplete mTLS configuration match on connection reuse that can lead to authentication reuse across mismatched setups, first shipped on 2001-03-22, making it the oldest curl issue ever reported. Security vendor AISLE says its AI agents found 6 of the 18, ahead of other AI-assisted reporters.
- Comments: AISLE frames the result as evidence that smaller models can outperform larger ones on well-scoped vulnerability tasks; the claim is the vendor's own and the curl post does not attribute the flood to any single tool.
- Why it matters: curl ships on tens of billions of devices, so a record patch set raises broad re-vendoring pressure and feeds the ongoing debate over AI-generated security reports and maintainer load.
- Follow-up: Track downstream re-vendoring and how the report volume interacts with curl pausing vulnerability handling for July 2026.