CVE-2026-33752 · HIGH 8.6 · EPSS percentile 36.5%

CVE-2026-33752

Description

curl_cffi is a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect a request to internal services such as cloud metadata endpoints. In addition, curl_cffi's TLS impersonation feature can make these requests look like legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0.
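The weakness above is the classic redirect-driven SSRF: the caller validates only the first URL, then the HTTP library silently follows a 3xx to an internal address. The guard below is an added example, not code from curl_cffi or its advisory. It checks every hop of the redirect chain against a deny-list of internal and link-local ranges (169.254.0.0/16 covers the 169.254.169.254 metadata endpoint) and unwraps IPv4-mapped IPv6 addresses so that `::ffff:10.0.0.1` is not waved through. The HTTP client and DNS resolver are injected; the stub DNS table, the `example.test` host and the canned responses are constructed so the example runs offline.

```python
"""Redirect-aware SSRF guard for HTTP clients that auto-follow redirects.

Added example (not curl_cffi's own code). The client and resolver are
injected so the module runs offline against constructed stubs.
"""
import ipaddress
from typing import Callable, Dict, Iterable, Tuple
from urllib.parse import urljoin, urlparse

# Destinations a user-supplied URL must never reach. 169.254.0.0/16 covers
# the cloud metadata endpoint 169.254.169.254; 100.64.0.0/10 is CGNAT space.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


class SSRFBlocked(Exception):
    """Raised when a hop in the request chain targets a blocked destination."""


def is_blocked_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.1 is 10.0.0.1 in IPv6 clothing; compare the inner address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


Resolver = Callable[[str], Iterable[str]]
Fetcher = Callable[[str], Tuple[int, Dict[str, str], bytes]]  # status, headers (lowercased keys), body


def check_url(url: str, resolve: Resolver) -> None:
    """Reject non-HTTP schemes and any host that resolves to a blocked address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {url}")
    host = parsed.hostname
    if not host:
        raise SSRFBlocked(f"no host in URL: {url}")
    addrs = list(resolve(host))
    if not addrs:
        raise SSRFBlocked(f"unresolvable host: {host}")
    for addr in addrs:  # every A/AAAA answer must pass, not just the first
        if is_blocked_ip(addr):
            raise SSRFBlocked(f"{host} resolves to blocked address {addr}")


def fetch_with_checked_redirects(url: str, fetch: Fetcher, resolve: Resolver,
                                 max_redirects: int = 5):
    """Follow redirects by hand so check_url() runs before each hop is requested."""
    for _ in range(max_redirects + 1):
        check_url(url, resolve)
        status, headers, body = fetch(url)
        location = headers.get("location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # relative Location resolves against this hop
            continue
        return url, status, body
    raise SSRFBlocked("too many redirects")


# --- constructed stubs so the example runs offline --------------------------
STUB_DNS = {
    "example.test": ["203.0.113.10"],  # TEST-NET-3 address standing in for a public host
    "localhost": ["127.0.0.1"],
}


def stub_resolver(host: str):
    try:
        ipaddress.ip_address(host)
        return [host]  # literal IP in the URL: nothing to resolve
    except ValueError:
        return STUB_DNS.get(host, [])


STUB_RESPONSES = {
    "https://example.test/a": (301, {"location": "/b"}, b""),
    "https://example.test/b": (200, {}, b"hello"),
    "https://example.test/evil": (302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "https://example.test/loop": (302, {"location": "/loop"}, b""),
}


def stub_fetcher(url: str):
    return STUB_RESPONSES.get(url, (404, {}, b""))


if __name__ == "__main__":
    print(fetch_with_checked_redirects("https://example.test/a", stub_fetcher, stub_resolver))
    try:
        fetch_with_checked_redirects("https://example.test/evil", stub_fetcher, stub_resolver)
    except SSRFBlocked as exc:
        print("blocked:", exc)
```

To plug curl_cffi into this, the fetcher would issue the request with redirect following turned off (curl_cffi's requests-style API takes `allow_redirects=False`; confirm the keyword against the version you run) and return the status code, a lowercased copy of the response headers and the body. Two caveats a practitioner should keep in mind: the check runs at resolve time, so a DNS-rebinding attacker can answer the guard with a public address and libcurl with an internal one, which is closed by pinning the validated address with libcurl's CURLOPT_RESOLVE for the actual request; and a deny-list is a floor, not a ceiling, so services that only ever talk to a handful of known hosts are better served by an allow-list of destination hosts.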

Scoring

CVSS 3.1: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.46% probability of exploitation · percentile 36.5% · 2026-06-19T12:03:05Z
Published: 2026-04-06
Last modified: 2026-04-09

Underlying weaknesses · 1

CWE-918

References

  1. https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp

Type       Target                                         Confidence  Tier
Weakness   Server-Side Request Forgery (SSRF), cwe-918    0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-3784
  2. CVE-2025-10966
  3. CVE-2026-5936
  4. CVE-2026-32627
  5. CVE-2026-32913
  6. CVE-2025-9086
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.