This is an outdated, currently unmaintained software.
The following is a list of CVEs checked against since its
last release (7.72.0) against an upstream CVE list up until
7.82.0 with no warranty of completion or correctness.

For all CVEs marked "?" see the following discussion with upstream:
https://lists.gnu.org/archive/html/gnunet-developers/2022-04/msg00022.html

CVE-2020-8284 (fixed in cURL 7.74.0) does not apply, as gnurl is built without FTP support.
CVE-2020-8285 (fixed in cURL 7.74.0) most likely does not apply, as gnurl is built without FTP support.
CVE-2020-8286 (fixed in cURL 7.74.0) does not apply (only applies if the designated TLS Backend is OpenSSL).

CVE-2021-22876 (fixed in cURL 7.76.0) does not apply in the upstream user wip/gnunet, as it makes no use of CURLOPT_AUTOREFERER.
CVE-2021-22890 (fixed in cURL 7.76.0): ?

CVE-2021-22897 (fixed in cURL 7.77.0) does not apply in the upstream user wip/gnunet, as it makes no use of CURLOPT_SSL_CIPHER_LIST.
CVE-2021-22898 (fixed in cURL 7.77.0) does not apply, as gnurl is built without Telnet support.
CVE-2021-22901 (fixed in cURL 7.77.0) does not apply, as gnurl is built without OpenSSL.

CVE-2021-22922 (fixed in cURL 7.78.0) does not apply, as gnurl is built without libmetalink.
CVE-2021-22923 (fixed in cURL 7.78.0) does not apply, as gnurl is built without libmetalink.
CVE-2021-22924 (fixed in cURL 7.78.0): ?
CVE-2021-22925 (fixed in cURL 7.78.0) does not apply, as gnurl is built without Telnet support.
CVE-2021-22926 (fixed in cURL 7.78.0) most likely does not apply, as gnurl does not support being built on macOS built to use Secure Transport.

CVE-2021-22945 (fixed in cURL 7.79.0) does not apply, as the current gnurl release is based on curl 7.72.0 and did not enable experimental features.
CVE-2021-22946 (fixed in cURL 7.79.0) does not apply, as gnurl is built without fpt, pop3 and imap support.
CVE-2021-22947 (fixed in cURL 7.79.0) does not apply, as gnurl is built without IMAP, POP3, SMTP and FTP support.
