Aisle Discovers 6 New CVEs in Curl, Including the Oldest Issue Ever Reported
ragebol
35 points
25 comments
June 25, 2026
Related Discussions
Found 5 related stories in 125.1ms across 11,625 title embeddings via pgvector HNSW
- Curl will not accept vulnerability reports during July 2026 secret-noun · 757 pts · June 15, 2026 · 68% similar
- AISLE Discovers 38 CVEs in OpenEMR Healthcare Software mmsc · 168 pts · April 28, 2026 · 64% similar
- Mythos Finds a Curl Vulnerability TangerineDream · 638 pts · May 11, 2026 · 63% similar
- A CVE Dispute chmaynard · 12 pts · June 24, 2026 · 60% similar
- CVE-2026-42511 Breakdown: RCE in FreeBSD mmsc · 14 pts · May 07, 2026 · 55% similar
Discussion Highlights (8 comments)
rho138
Someone needs a lesson in accessibility
EmilStenstrom
There's something unnerving about this blog post. Paraphrasing: "The world's top security researches and AI labs are pouring all their VC money into finding as many security issues in curl as possible". At the same time, we know that curl is run by volunteers that needs to handle all of this. I'm not saying that we shouldn't do security review of open source libraries, just saying that this situation puts a lot of pressure on the maintainers. The second unnerving thing is that many of the listed vulnerabilites target embedded libcurl; a library with a much slower update cycle. I'm guessing that many of the listed bugs are still in active use, inside the thousands of applications that use curl internally. Another tricky situation. Both of these stand in contrast to the posts "braggy" style of "we found the most vulnerabilities of all!!!".
shakna
The presentation from the time might be worth watching, if this reads too much like hype PR. [0] [0] https://youtu.be/t4wqREXVEAc
bflesch
Thanks for making open source a bit more secure, even though your website is super laggy with all these ridiculous animations. Based on the eye candy I imagine the team consists of a bunch of VC bros on their macbooks drinking chai lattes. Not sure if that is the impression you want to portray to a technical audience. The eye candy might work with nontechnical crowds though, so you do you. Edit: To elaborate on the nontechnical macbook user angle: If the tagline is "outsmart your adversaries" I wonder how you plan to outsmart anyone if your security company is set up on backdoor-infested MacOS or Windows systems? You can't assume that the backdoors put in by USUK are not known to other foreign adversaries. Maybe I'm wrong and they are a Linux/BSD shop. In that case a report about running a security startup in a secure manner based on an open-source operating system would be a more interesting contribution than yet another CVE.
bagder
I already offered the following comments on Aisle "my experience from working with them on and off for many months now is nothing but good. Skilled, professional engineers without any bureaucracy. They know their stuff, and they've been very good at listening in and adjusting for our needs and wants." Who am I? I'm Daniel, curl lead developer. https://mastodon.social/@bagder/116807425534711479
vessenes
Really nice result, congrats to the Aisle team. What stood out the most to me here was their pitch that harness currently matters most, over and above a specific model capacity. That’s one of my conclusions reading cloudflare’s Mythos debrief as well — the work right now that’s most valuable is in getting the models to loop effectively on tasks - so it’s super interesting to read the same perspective from a clearly effective org.
jdw64
It seems that just from the site's animations and UI layout alone, you can recognize whether they are highly skilled programmers.
moomin
I'm thinking it's rapidly not becoming "can you find a security issue in XYZ?" and "what is the cost of finding a security issue in XYZ?". I want to know what the spend was.