[Daniel's week] June 5, 2026

Daniel Stenberg daniel at haxx.se
Fri Jun 5 23:50:50 CEST 2026


Hello!

## missed weeks

Swamped with work, combined with travels both for work and for pleasure, made 
me miss out on several weeks of weekly emails! This one is an attempt to get back 
on track.

# security

The tsunami of high quality vulnerability reports for curl is still ongoing. 
Over the recent months we get more than one new report per day on average. At 
the time of this writing we have thirteen pending CVE announcements to do in 
sync with the next release, and I would say that there are good reasons to 
suspect that we might get a few more legitimate reports confirmed before June 
24. More CVEs for a single release than we ever did before. I blogged about the 
situation [3].

The set of pending reports has a lot of things in common and basically all of 
them used AI to some extent to find the issues and create the reports. All of 
the reports so far are severity LOW or MEDIUM. Some of them are what I call C 
mistakes (likely to have been avoided if we hadn’t used the language C), but 
most of them are not. The projected total number of CVEs for the full year of 
2026 is now at maybe 60 or so. Way more than any other year in curl history.

In the last few weeks I have had several meetings with and done presentations for 
people involved in critical digital infrastructure and cybersecurity at both 
Swedish national and EU level. Always about using AI to find vulnerabilities 
and the current high quality chaos. The big Mythos scare has at least helped 
to the extent that lots of organizations are now aware of what people can do 
with the help of AI.

I have also done public talks on the topic recently, at the Royal Institute of 
Technology in Stockholm and at the BSides Vilnius conference in Lithuania [1].

My talk at Open Infra Forum in Stockholm on May 21 was also about security, 
but more focused on everything we do in the curl project to try to keep it 
safe.

# curl up

At the end of May a bunch of curl maintainers and curl fans gathered in 
Prague, Czechia, for the curl up 2026 conference [2]. We reused the same city 
and venue as we used in 2025 for convenience, as we liked it so much. The 
event went smoothly and as usual there were 20+ people in a room over the 
weekend talking a lot about curl and related topics. We spent the evenings 
continuing the conversations over dinners and beers. I got to meet and hang 
out with fun and cool people and talk non-stop about my favorite subject. So 
good.

A total of ten separate videos from talks at curl up were uploaded after the 
weekend. The quality of those recordings was certainly lacking, but I think 
they can be appreciated anyway.

# feature freeze

We have entered feature freeze for the coming pending release and I felt I had 
to send an apology to the mailing list for not having merged more of the 
pending pull-requests. The high load of security reports has kept me busy and 
has effectively prevented me from reviewing and progressing some of the 
pending changes as much as I would have wished.

# talk pause

I took on a little too many talks this spring so I decided to take a pause for 
my sanity. No more talks from me until September.

## Coming up

- Monday: curl 8.21.0 rc2
- More security report work for sure

## Links

[1] = https://cybernews.com/security/curl-bug-bounty-ai-security-reports-daniel-stenberg/
[2] = https://daniel.haxx.se/blog/2026/05/28/curl-up-2026-summary/
[3] = https://daniel.haxx.se/blog/2026/05/26/the-pressure/

-- 

  / daniel.haxx.se

