Release presentation
Numbers
the 273rd release
8 changes
63 days (total: 10,712)
264 bugfixes (total: 13,640)
538 commits (total: 38,024)
0 new public libcurl function (total: 100)
0 new curl_easy_setopt() option (total: 308)
0 new curl command line option (total: 273)
77 contributors, 48 new (total: 3,619)
37 authors, 21 new (total: 1,451)
4 security fixes (total: 180)
Security
We stopped the bug-bounty but it has not stopped people from finding vulnerabilities in curl.
- CVE-2026-1965: bad reuse of HTTP Negotiate connection
- CVE-2026-3783: token leak with redirect and netrc
- CVE-2026-3784: wrong proxy connection reuse with credentials
- CVE-2026-3805: use after free in SMB connection reuse
Changes
- We stopped the bug-bounty. It’s worth repeating, even if it was no code change.
- The cmake build got a
CURL_BUILD_EVERYTHINGoption - Initial support for MQTTS was merged
- curl now supports fractions for –limit-rate and –max-filesize
- curl’s -J option now uses the redirect name as a backup
- we no longer support OpenSSL-QUIC
- on Windows, curl can now get built to use the native CA store by default
- the minimum Windows version curl supports is now Vista (up from XP)
Pending removals
The following upcoming changes might be worth noticing. See the deprecate documentation for details.
- NTLM support becomes opt-in
- RTMP support is getting dropped
- SMB support becomes opt-in
- Support for c-ares versions before 1.16 goes away
- Support for CMake 3.17 and earlier gets dropped
- TLS-SRP support will be removed
Next
We plan to ship the next curl release on April 29. See you then!