CVE-2026-54414 (GCVE-0-2026-54414)
Vulnerability from cvelistv5 – Published: 2026-06-19 05:41 – Updated: 2026-06-19 12:56
Title
FileRise shared-folder upload path traversal allows arbitrary file write and admin takeover
Summary
FileRise before 3.16.0 is vulnerable to path traversal in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), leading to arbitrary file write and administrator account takeover. The upload filename is validated by FolderController with basename() and REGEX_FILE_NAME, which permit URL-encoded sequences (the regex blocks / and \ but not %). The raw filename is then passed to UploadModel::handleUpload, where it is reconstructed as trim(urldecode(basename($fileName))), re-introducing path separators after validation (e.g. ..%2fusers%2fusers.txt becomes ../users/users.txt). UploadNamePolicy::isAllowedForWrite() applies basename() internally and therefore only evaluates the final component (users.txt), allowing the traversal sequence to pass the extension policy. The destination path is then used directly in move_uploaded_file() with no realpath containment check, allowing a write outside the intended upload directory. An attacker who possesses a valid, non-expired, upload-enabled shared-folder link/token (which are designed to be shared publicly) can overwrite users/users.txt to create an administrator account, resulting in unauthenticated admin takeover and, depending on configuration, remote code execution. Exploitation requires possession of a valid, non-expired, upload-enabled shared-folder link/token. This issue is fixed in 3.16.0, which URL-decodes before validation and rejects any path separators in the upload filename.
Severity
9.8 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
TuranSec
References
3 references
| URL | Tags |
|---|---|
| https://github.com/error311/FileRise/releases/tag… | patch |
| https://github.com/error311/FileRise/blob/v3.15.0… | technical-description |
| https://github.com/error311/FileRise | product |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| error311 | FileRise | < 3.16.0 |
Credits
Shaxzod Turg'unov (j33d1)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://github.com/error311/FileRise",
"defaultStatus": "unaffected",
"product": "FileRise",
"programFiles": [
"src/FileRise/Domain/UploadModel.php",
"src/FileRise/Support/UploadNamePolicy.php",
"src/FileRise/Http/Controllers/FolderController.php"
],
"repo": "https://github.com/error311/FileRise",
"vendor": "error311",
"versions": [
{
"lessThan": "3.16.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Shaxzod Turg\u0027unov (j33d1)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eFileRise before 3.16.0 is vulnerable to path traversal in the shared-folder upload endpoint (\u003ccode\u003e/api/folder/uploadToSharedFolder.php\u003c/code\u003e), leading to arbitrary file write and administrator account takeover. The upload filename is validated by \u003ccode\u003eFolderController\u003c/code\u003e with \u003ccode\u003ebasename()\u003c/code\u003e and \u003ccode\u003eREGEX_FILE_NAME\u003c/code\u003e, which permit URL-encoded sequences (the regex blocks \u003ccode\u003e/\u003c/code\u003e and \u003ccode\u003e\\\u003c/code\u003e but not \u003ccode\u003e%\u003c/code\u003e). The raw filename is then passed to \u003ccode\u003eUploadModel::handleUpload\u003c/code\u003e, where it is reconstructed as \u003ccode\u003etrim(urldecode(basename($fileName)))\u003c/code\u003e, re-introducing path separators after validation (e.g. \u003ccode\u003e..%2fusers%2fusers.txt\u003c/code\u003e becomes \u003ccode\u003e../users/users.txt\u003c/code\u003e). \u003ccode\u003eUploadNamePolicy::isAllowedForWrite()\u003c/code\u003e applies \u003ccode\u003ebasename()\u003c/code\u003e internally and therefore only evaluates the final component (\u003ccode\u003eusers.txt\u003c/code\u003e), allowing the traversal sequence to pass the extension policy. The destination path is then used directly in \u003ccode\u003emove_uploaded_file()\u003c/code\u003e with no realpath containment check, allowing a write outside the intended upload directory. An attacker who possesses a valid, non-expired, upload-enabled shared-folder link/token (which are designed to be shared publicly) can overwrite \u003ccode\u003eusers/users.txt\u003c/code\u003e to create an administrator account, resulting in unauthenticated admin takeover and, depending on configuration, remote code execution. Exploitation requires possession of a valid, non-expired, upload-enabled shared-folder link/token. This issue is fixed in 3.16.0, which URL-decodes before validation and rejects any path separators in the upload filename.\u003c/p\u003e"
}
],
"value": "FileRise before 3.16.0 is vulnerable to path traversal in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), leading to arbitrary file write and administrator account takeover. The upload filename is validated by FolderController with basename() and REGEX_FILE_NAME, which permit URL-encoded sequences (the regex blocks / and \\ but not %). The raw filename is then passed to UploadModel::handleUpload, where it is reconstructed as trim(urldecode(basename($fileName))), re-introducing path separators after validation (e.g. ..%2fusers%2fusers.txt becomes ../users/users.txt). UploadNamePolicy::isAllowedForWrite() applies basename() internally and therefore only evaluates the final component (users.txt), allowing the traversal sequence to pass the extension policy. The destination path is then used directly in move_uploaded_file() with no realpath containment check, allowing a write outside the intended upload directory. An attacker who possesses a valid, non-expired, upload-enabled shared-folder link/token (which are designed to be shared publicly) can overwrite users/users.txt to create an administrator account, resulting in unauthenticated admin takeover and, depending on configuration, remote code execution. Exploitation requires possession of a valid, non-expired, upload-enabled shared-folder link/token. This issue is fixed in 3.16.0, which URL-decodes before validation and rejects any path separators in the upload filename."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:56:06.937Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Fixed release v3.16.0",
"tags": [
"patch"
],
"url": "https://github.com/error311/FileRise/releases/tag/v3.16.0"
},
{
"name": "Vulnerable decode-after-validate (UploadModel.php, v3.15.0)",
"tags": [
"technical-description"
],
"url": "https://github.com/error311/FileRise/blob/v3.15.0/src/FileRise/Domain/UploadModel.php#L1023"
},
{
"tags": [
"product"
],
"url": "https://github.com/error311/FileRise"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "FileRise shared-folder upload path traversal allows arbitrary file write and admin takeover",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-54414",
"datePublished": "2026-06-19T05:41:44.782Z",
"dateReserved": "2026-06-13T16:39:46.122Z",
"dateUpdated": "2026-06-19T12:56:06.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54419 (GCVE-0-2026-54419)
Vulnerability from cvelistv5 – Published: 2026-06-18 10:21 – Updated: 2026-06-18 12:05
Title
PIAF-HMS multiple unauthenticated SQL injection vulnerabilities via mysql_query
Summary
claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System; no released versions, latest commit 389d2633441b65ced1c104212cd62be2bfca21e5) contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters directly into deprecated mysql_query() calls via string concatenation, without sanitization, escaping, or parameterization. Affected sinks include rooms.php (DELETE FROM Rooms WHERE ID = $_GET['ID'], unquoted numeric context), checkuser.php (WHERE Ext = '$_GET["Ext"]'), ec.php (date/extension parameters in a WHERE), checkin.php and wakeup.php ($_POST values into INSERT statements), bills.php ($_POST fields built into a WHERE clause), and rates.php and checkout.php. A remote, unauthenticated attacker can inject arbitrary SQL to read, modify, or delete arbitrary records in the backing database (e.g. rooms.php?ID=1 OR 1=1 deletes all room records). Note: queries run via the legacy mysql_* extension, which does not permit stacked statements.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
TuranSec
References
3 references
| URL | Tags |
|---|---|
| https://github.com/claudiopizzillo/PIAF-HMS/blob/… | technical-description |
| https://github.com/claudiopizzillo/PIAF-HMS/blob/… | technical-description |
| https://github.com/claudiopizzillo/PIAF-HMS | product |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| claudiopizzillo | PIAF-HMS | |
Credits
Eshmirzayev Abbos
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T12:01:03.819166Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T12:05:05.175Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/claudiopizzillo/PIAF-HMS",
"defaultStatus": "affected",
"product": "PIAF-HMS",
"programFiles": [
"checkin.php",
"checkout.php",
"rates.php",
"rooms.php",
"bills.php",
"wakeup.php",
"checkuser.php",
"ec.php"
],
"repo": "https://github.com/claudiopizzillo/PIAF-HMS",
"vendor": "claudiopizzillo"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eshmirzayev Abbos"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eclaudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System; no released versions, latest commit \u003ccode\u003e389d2633441b65ced1c104212cd62be2bfca21e5\u003c/code\u003e) contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters directly into deprecated \u003ccode\u003emysql_query()\u003c/code\u003e calls via string concatenation, without sanitization, escaping, or parameterization. Affected sinks include \u003ccode\u003erooms.php\u003c/code\u003e (\u003ccode\u003eDELETE FROM Rooms WHERE ID = $_GET[\u0027ID\u0027]\u003c/code\u003e, unquoted numeric context), \u003ccode\u003echeckuser.php\u003c/code\u003e (\u003ccode\u003eWHERE Ext = \u0027$_GET[\"Ext\"]\u0027\u003c/code\u003e), \u003ccode\u003eec.php\u003c/code\u003e (date/extension parameters in a \u003ccode\u003eWHERE\u003c/code\u003e), \u003ccode\u003echeckin.php\u003c/code\u003e and \u003ccode\u003ewakeup.php\u003c/code\u003e (\u003ccode\u003e$_POST\u003c/code\u003e values into \u003ccode\u003eINSERT\u003c/code\u003e statements), \u003ccode\u003ebills.php\u003c/code\u003e (\u003ccode\u003e$_POST\u003c/code\u003e fields built into a \u003ccode\u003eWHERE\u003c/code\u003e clause), and \u003ccode\u003erates.php\u003c/code\u003e and \u003ccode\u003echeckout.php\u003c/code\u003e. A remote, unauthenticated attacker can inject arbitrary SQL to read, modify, or delete arbitrary records in the backing database (e.g. \u003ccode\u003erooms.php?ID=1 OR 1=1\u003c/code\u003e deletes all room records). Note: queries run via the legacy mysql_* extension, which does not permit stacked statements.\u003c/p\u003e"
}
],
"value": "claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System; no released versions, latest commit 389d2633441b65ced1c104212cd62be2bfca21e5) contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters directly into deprecated mysql_query() calls via string concatenation, without sanitization, escaping, or parameterization. Affected sinks include rooms.php (DELETE FROM Rooms WHERE ID = $_GET[\u0027ID\u0027], unquoted numeric context), checkuser.php (WHERE Ext = \u0027$_GET[\"Ext\"]\u0027), ec.php (date/extension parameters in a WHERE), checkin.php and wakeup.php ($_POST values into INSERT statements), bills.php ($_POST fields built into a WHERE clause), and rates.php and checkout.php. A remote, unauthenticated attacker can inject arbitrary SQL to read, modify, or delete arbitrary records in the backing database (e.g. rooms.php?ID=1 OR 1=1 deletes all room records). Note: queries run via the legacy mysql_* extension, which does not permit stacked statements."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T10:21:47.135Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Vulnerable sink: rooms.php DELETE WHERE ID = $_GET[\u0027ID\u0027]",
"tags": [
"technical-description"
],
"url": "https://github.com/claudiopizzillo/PIAF-HMS/blob/389d2633441b65ced1c104212cd62be2bfca21e5/rooms.php#L16"
},
{
"name": "Vulnerable sink: ec.php WHERE with $_GET parameters",
"tags": [
"technical-description"
],
"url": "https://github.com/claudiopizzillo/PIAF-HMS/blob/389d2633441b65ced1c104212cd62be2bfca21e5/ec.php#L57"
},
{
"tags": [
"product"
],
"url": "https://github.com/claudiopizzillo/PIAF-HMS"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "PIAF-HMS multiple unauthenticated SQL injection vulnerabilities via mysql_query"
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-54419",
"datePublished": "2026-06-18T10:21:47.135Z",
"dateReserved": "2026-06-13T16:39:46.122Z",
"dateUpdated": "2026-06-18T12:05:05.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55746 (GCVE-0-2026-55746)
Vulnerability from cvelistv5 – Published: 2026-06-18 06:46 – Updated: 2026-06-18 12:32
Title
Cotonti stored XSS via PFS folder title
Summary
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so an authenticated user can store HTML/JavaScript in a folder title. In modules/pfs/inc/pfs.main.php the title is assigned to the template variable PFF_ROW_TITLE without htmlspecialchars(), and modules/pfs/tpl/pfs.tpl outputs {PFF_ROW_TITLE} unescaped. When the folder listing is viewed (including by other users for public folders), the injected script executes in the victim's browser.
Severity
7.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
TuranSec
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Cotonti/Cotonti/blob/f43f1fc38… | technical-description |
| https://github.com/Cotonti/Cotonti | product |
Credits
Saidakbarxon Maxsudxonov (sermikro), Innova Networks
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T12:31:56.717274Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T12:32:08.737Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/Cotonti/Cotonti",
"defaultStatus": "affected",
"product": "Cotonti",
"programFiles": [
"modules/pfs/inc/pfs.main.php"
],
"repo": "https://github.com/Cotonti/Cotonti",
"vendor": "Cotonti",
"versions": [
{
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Saidakbarxon Maxsudxonov (sermikro), Innova Networks"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the \u0027TXT\u0027 filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so an authenticated user can store HTML/JavaScript in a folder title. In modules/pfs/inc/pfs.main.php the title is assigned to the template variable PFF_ROW_TITLE without htmlspecialchars(), and modules/pfs/tpl/pfs.tpl outputs {PFF_ROW_TITLE} unescaped. When the folder listing is viewed (including by other users for public folders), the injected script executes in the victim\u0027s browser.\u003c/p\u003e"
}
],
"value": "Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the \u0027TXT\u0027 filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so an authenticated user can store HTML/JavaScript in a folder title. In modules/pfs/inc/pfs.main.php the title is assigned to the template variable PFF_ROW_TITLE without htmlspecialchars(), and modules/pfs/tpl/pfs.tpl outputs {PFF_ROW_TITLE} unescaped. When the folder listing is viewed (including by other users for public folders), the injected script executes in the victim\u0027s browser."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T06:46:57.622Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Vulnerable code: modules/pfs/inc/pfs.main.php",
"tags": [
"technical-description"
],
"url": "https://github.com/Cotonti/Cotonti/blob/f43f1fc38ba4e02027786dad9dac1435c7c52b30/modules/pfs/inc/pfs.main.php#L396"
},
{
"tags": [
"product"
],
"url": "https://github.com/Cotonti/Cotonti"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cotonti stored XSS via PFS folder title"
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-55746",
"datePublished": "2026-06-18T06:46:57.622Z",
"dateReserved": "2026-06-17T12:59:17.621Z",
"dateUpdated": "2026-06-18T12:32:08.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55745 (GCVE-0-2026-55745)
Vulnerability from cvelistv5 – Published: 2026-06-18 06:07 – Updated: 2026-06-18 12:53
Title
Cotonti CSRF in PFS folder edit allows unauthorized folder modification
Summary
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action ('a=update') updates folder metadata (title, description, public/gallery flags) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged request that modifies the victim's folder metadata, including making a private folder public.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
TuranSec
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Cotonti/Cotonti/blob/f43f1fc38… | technical-description |
| https://github.com/Cotonti/Cotonti | product |
Credits
Saidakbarxon Maxsudxonov (sermikro), Innova Networks
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55745",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T12:53:00.493151Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T12:53:11.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/Cotonti/Cotonti",
"defaultStatus": "affected",
"product": "Cotonti",
"programFiles": [
"modules/pfs/inc/pfs.editfolder.php"
],
"repo": "https://github.com/Cotonti/Cotonti",
"vendor": "Cotonti",
"versions": [
{
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Saidakbarxon Maxsudxonov (sermikro), Innova Networks"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action (\u0027a=update\u0027) updates folder metadata (title, description, public/gallery flags) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged request that modifies the victim\u0027s folder metadata, including making a private folder public.\u003c/p\u003e"
}
],
"value": "Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action (\u0027a=update\u0027) updates folder metadata (title, description, public/gallery flags) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged request that modifies the victim\u0027s folder metadata, including making a private folder public."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T06:07:27.281Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Vulnerable code: modules/pfs/inc/pfs.editfolder.php",
"tags": [
"technical-description"
],
"url": "https://github.com/Cotonti/Cotonti/blob/f43f1fc38ba4e02027786dad9dac1435c7c52b30/modules/pfs/inc/pfs.editfolder.php#L90"
},
{
"tags": [
"product"
],
"url": "https://github.com/Cotonti/Cotonti"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cotonti CSRF in PFS folder edit allows unauthorized folder modification"
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-55745",
"datePublished": "2026-06-18T06:07:27.281Z",
"dateReserved": "2026-06-17T12:59:17.621Z",
"dateUpdated": "2026-06-18T12:53:11.134Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55744 (GCVE-0-2026-55744)
Vulnerability from cvelistv5 – Published: 2026-06-18 06:06 – Updated: 2026-06-18 12:52
Title
Cotonti CSRF in PFS allows forced arbitrary file upload
Summary
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.main.php, the file upload action ('a=upload') processes uploaded files without calling cot_check_xg() to validate the anti-CSRF token, even though sibling actions such as 'delete' (line 272) do. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged multipart request that uploads arbitrary files into the victim's PFS storage.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
TuranSec
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Cotonti/Cotonti/blob/f43f1fc38… | technical-description |
| https://github.com/Cotonti/Cotonti | product |
Credits
Saidakbarxon Maxsudxonov (sermikro), Innova Networks
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55744",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T12:52:14.807252Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T12:52:24.875Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/Cotonti/Cotonti",
"defaultStatus": "affected",
"product": "Cotonti",
"programFiles": [
"modules/pfs/inc/pfs.main.php"
],
"repo": "https://github.com/Cotonti/Cotonti",
"vendor": "Cotonti",
"versions": [
{
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Saidakbarxon Maxsudxonov (sermikro), Innova Networks"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.main.php, the file upload action (\u0027a=upload\u0027) processes uploaded files without calling cot_check_xg() to validate the anti-CSRF token, even though sibling actions such as \u0027delete\u0027 (line 272) do. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged multipart request that uploads arbitrary files into the victim\u0027s PFS storage.\u003c/p\u003e"
}
],
"value": "Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.main.php, the file upload action (\u0027a=upload\u0027) processes uploaded files without calling cot_check_xg() to validate the anti-CSRF token, even though sibling actions such as \u0027delete\u0027 (line 272) do. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged multipart request that uploads arbitrary files into the victim\u0027s PFS storage."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T06:06:57.715Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Vulnerable code: modules/pfs/inc/pfs.main.php",
"tags": [
"technical-description"
],
"url": "https://github.com/Cotonti/Cotonti/blob/f43f1fc38ba4e02027786dad9dac1435c7c52b30/modules/pfs/inc/pfs.main.php#L118"
},
{
"tags": [
"product"
],
"url": "https://github.com/Cotonti/Cotonti"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cotonti CSRF in PFS allows forced arbitrary file upload"
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-55744",
"datePublished": "2026-06-18T06:06:57.715Z",
"dateReserved": "2026-06-17T12:59:17.621Z",
"dateUpdated": "2026-06-18T12:52:24.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55742 (GCVE-0-2026-55742)
Vulnerability from cvelistv5 – Published: 2026-06-18 06:05 – Updated: 2026-06-18 12:54
Title
Cotonti CSRF in admin.rights.php allows privilege escalation
Summary
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action ('a=update') modifies group access rights (including via cot_auth_add_group) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that grants elevated permissions to an attacker-controlled group, escalating privileges to administrator. Because Cotonti administrators can modify templates and configuration, this can be further leveraged toward remote code execution.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Cotonti/Cotonti/blob/f43f1fc38… | technical-description |
| https://github.com/Cotonti/Cotonti | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T12:54:26.923984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T12:54:36.833Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/Cotonti/Cotonti",
"defaultStatus": "affected",
"product": "Cotonti",
"programFiles": [
"system/admin/admin.rights.php"
],
"repo": "https://github.com/Cotonti/Cotonti",
"vendor": "Cotonti",
"versions": [
{
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Saidakbarxon Maxsudxonov (sermikro), Innova Networks"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action (\u0027a=update\u0027) modifies group access rights (including via cot_auth_add_group) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that grants elevated permissions to an attacker-controlled group, escalating privileges to administrator. Because Cotonti administrators can modify templates and configuration, this can be further leveraged toward remote code execution.\u003c/p\u003e"
}
],
"value": "Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action (\u0027a=update\u0027) modifies group access rights (including via cot_auth_add_group) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that grants elevated permissions to an attacker-controlled group, escalating privileges to administrator. Because Cotonti administrators can modify templates and configuration, this can be further leveraged toward remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T06:05:46.915Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Vulnerable code: system/admin/admin.rights.php",
"tags": [
"technical-description"
],
"url": "https://github.com/Cotonti/Cotonti/blob/f43f1fc38ba4e02027786dad9dac1435c7c52b30/system/admin/admin.rights.php#L53"
},
{
"tags": [
"product"
],
"url": "https://github.com/Cotonti/Cotonti"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cotonti CSRF in admin.rights.php allows privilege escalation"
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-55742",
"datePublished": "2026-06-18T06:05:46.915Z",
"dateReserved": "2026-06-17T12:59:17.621Z",
"dateUpdated": "2026-06-18T12:54:36.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55741 (GCVE-0-2026-55741)
Vulnerability from cvelistv5 – Published: 2026-06-18 06:04 – Updated: 2026-06-18 12:53
Title
Cotonti CSRF in admin.config.php allows unauthorized configuration changes
Summary
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action ('a=update') processes POST data via cot_config_update_options() without calling cot_check_xg() to validate the anti-CSRF token (the 'x' parameter), unlike other admin handlers (e.g. admin.structure.php, admin.cache.php). A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that modifies arbitrary core, module, or plugin configuration options, which can be leveraged to weaken security or enable further compromise.
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Cotonti/Cotonti/blob/f43f1fc38… | technical-description |
| https://github.com/Cotonti/Cotonti | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T12:53:45.770119Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T12:53:57.740Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/Cotonti/Cotonti",
"defaultStatus": "affected",
"product": "Cotonti",
"programFiles": [
"system/admin/admin.config.php"
],
"repo": "https://github.com/Cotonti/Cotonti",
"vendor": "Cotonti",
"versions": [
{
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Saidakbarxon Maxsudxonov (sermikro), Innova Networks"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action (\u0027a=update\u0027) processes POST data via cot_config_update_options() without calling cot_check_xg() to validate the anti-CSRF token (the \u0027x\u0027 parameter), unlike other admin handlers (e.g. admin.structure.php, admin.cache.php). A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that modifies arbitrary core, module, or plugin configuration options, which can be leveraged to weaken security or enable further compromise.\u003c/p\u003e"
}
],
"value": "Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action (\u0027a=update\u0027) processes POST data via cot_config_update_options() without calling cot_check_xg() to validate the anti-CSRF token (the \u0027x\u0027 parameter), unlike other admin handlers (e.g. admin.structure.php, admin.cache.php). A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that modifies arbitrary core, module, or plugin configuration options, which can be leveraged to weaken security or enable further compromise."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T06:04:28.052Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Vulnerable code: system/admin/admin.config.php",
"tags": [
"technical-description"
],
"url": "https://github.com/Cotonti/Cotonti/blob/f43f1fc38ba4e02027786dad9dac1435c7c52b30/system/admin/admin.config.php#L55"
},
{
"tags": [
"product"
],
"url": "https://github.com/Cotonti/Cotonti"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cotonti CSRF in admin.config.php allows unauthorized configuration changes"
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-55741",
"datePublished": "2026-06-18T06:04:19.527Z",
"dateReserved": "2026-06-17T12:59:17.621Z",
"dateUpdated": "2026-06-18T12:53:57.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55740 (GCVE-0-2026-55740)
Vulnerability from cvelistv5 – Published: 2026-06-18 05:48 – Updated: 2026-06-18 12:59
Title
SQL Injection in Nur-Alam39 bus-ticket bus_info.php via busid parameter
Summary
Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL — for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 — to read arbitrary data from the bus_service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli_query(), which does not permit stacked (semicolon-separated) statements.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Nur-Alam39/bus-ticket/blob/459… | technical-description |
| https://github.com/Nur-Alam39/bus-ticket | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Nur-Alam39 | bus-ticket | | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T12:55:37.171019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T12:59:22.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/Nur-Alam39/bus-ticket",
"defaultStatus": "affected",
"product": "bus-ticket",
"programFiles": [
"bus_info.php"
],
"repo": "https://github.com/Nur-Alam39/bus-ticket",
"vendor": "Nur-Alam39"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eshmurzayev Abbos"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eNur-Alam39 bus-ticket (no released versions; latest commit \u003ccode\u003e459cabdbeb99c00225b26e46e3c2c30ae1de7bad\u003c/code\u003e) contains an unauthenticated SQL injection vulnerability in \u003ccode\u003ebus_info.php\u003c/code\u003e. The \u003ccode\u003ebusid\u003c/code\u003e parameter received via HTTP POST is concatenated directly into a MySQL query (\u003ccode\u003eselect * from bus_info where id=$busid\u003c/code\u003e) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL \u2014 for example a UNION-based payload such as \u003ccode\u003ebusid=-1 UNION SELECT 1,2,3,4,5,6\u003c/code\u003e \u2014 to read arbitrary data from the \u003ccode\u003ebus_service\u003c/code\u003e database. The application connects to the database as the MySQL \u003ccode\u003eroot\u003c/code\u003e account with an empty password, increasing the potential impact. The query is executed via \u003ccode\u003emysqli_query()\u003c/code\u003e, which does not permit stacked (semicolon-separated) statements.\u003c/p\u003e"
}
],
"value": "Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL \u2014 for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 \u2014 to read arbitrary data from the bus_service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli_query(), which does not permit stacked (semicolon-separated) statements."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T05:48:27.016Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Vulnerable code: bus_info.php (busid concatenated into SQL)",
"tags": [
"technical-description"
],
"url": "https://github.com/Nur-Alam39/bus-ticket/blob/459cabdbeb99c00225b26e46e3c2c30ae1de7bad/bus_info.php#L14-L16"
},
{
"tags": [
"product"
],
"url": "https://github.com/Nur-Alam39/bus-ticket"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL Injection in Nur-Alam39 bus-ticket bus_info.php via busid parameter"
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-55740",
"datePublished": "2026-06-18T05:48:27.016Z",
"dateReserved": "2026-06-17T12:59:17.621Z",
"dateUpdated": "2026-06-18T12:59:22.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55743 (GCVE-0-2026-55743)
Vulnerability from cvelistv5 – Published: 2026-06-17 14:08 – Updated: 2026-06-17 15:40
Title
OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution
Summary
The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=<cmd> git diff is validated as the allowed git diff but, when executed via the shell, runs <cmd> through git's environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user's machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
References
3 references
| URL | Tags |
|---|---|
| https://github.com/tinyhumansai/openhuman/commit/… | patch |
| https://github.com/tinyhumansai/openhuman/blob/v0… | technical-description |
| https://github.com/tinyhumansai/openhuman | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tinyhumansai | OpenHuman | Affected: 0, ≤ 0.54.0 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:40:33.751475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:40:47.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/tinyhumansai/openhuman",
"defaultStatus": "unaffected",
"platforms": [
"macOS",
"Windows",
"Linux"
],
"product": "OpenHuman",
"programFiles": [
"src/openhuman/security/policy.rs"
],
"programRoutines": [
{
"name": "is_args_safe"
},
{
"name": "skip_env_assignments"
}
],
"repo": "https://github.com/tinyhumansai/openhuman",
"vendor": "tinyhumansai",
"versions": [
{
"lessThanOrEqual": "0.54.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bobur Abdugafforov"
},
{
"lang": "en",
"type": "analyst",
"value": "Zikrillayev Salohiddin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe shell tool command allowlist in the \u003ccode\u003eSecurityPolicy\u003c/code\u003e of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in \u003ccode\u003esrc/openhuman/security/policy.rs\u003c/code\u003e combine: (1) \u003ccode\u003eis_args_safe()\u003c/code\u003e blocks the \u003ccode\u003efind\u003c/code\u003e flags \u003ccode\u003e-exec\u003c/code\u003e and \u003ccode\u003e-ok\u003c/code\u003e but not the functionally identical \u003ccode\u003e-execdir\u003c/code\u003e and \u003ccode\u003e-okdir\u003c/code\u003e, which also execute an arbitrary command for each matched file; and (2) \u003ccode\u003eskip_env_assignments()\u003c/code\u003e strips leading inline \u003ccode\u003eKEY=value\u003c/code\u003e environment-variable assignments before allowlist validation, so a command such as \u003ccode\u003eGIT_EXTERNAL_DIFF=\u0026lt;cmd\u0026gt; git diff\u003c/code\u003e is validated as the allowed \u003ccode\u003egit diff\u003c/code\u003e but, when executed via the shell, runs \u003ccode\u003e\u0026lt;cmd\u0026gt;\u003c/code\u003e through git\u0027s environment-driven hooks (for example \u003ccode\u003eGIT_EXTERNAL_DIFF\u003c/code\u003e or \u003ccode\u003eGIT_SSH_COMMAND\u003c/code\u003e). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user\u0027s machine. The issue was fixed in commit \u003ccode\u003e60050aa09a870f53ed7e4cd40ed41fd2860329e7\u003c/code\u003e (first released in 0.54.22-staging; first stable release 0.56.0), which blocks \u003ccode\u003e-execdir\u003c/code\u003e/\u003ccode\u003e-okdir\u003c/code\u003e for \u003ccode\u003efind\u003c/code\u003e.\u003c/p\u003e"
}
],
"value": "The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 (default Supervised security policy) can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: (1) is_args_safe() blocks the find flags -exec and -ok but not the functionally identical -execdir and -okdir, which also execute an arbitrary command for each matched file; and (2) skip_env_assignments() strips leading inline KEY=value environment-variable assignments before allowlist validation, so a command such as GIT_EXTERNAL_DIFF=\u003ccmd\u003e git diff is validated as the allowed git diff but, when executed via the shell, runs \u003ccmd\u003e through git\u0027s environment-driven hooks (for example GIT_EXTERNAL_DIFF or GIT_SSH_COMMAND). Because the sandbox is the primary trust boundary between untrusted LLM-processed content and the host operating system, an attacker can achieve remote code execution via indirect prompt injection: a malicious document, email, calendar event, or web page ingested by the agent instructs it to run a benign-looking allowlisted command, resulting in arbitrary command execution, data exfiltration, arbitrary file read/write, and lateral movement on the user\u0027s machine. The issue was fixed in commit 60050aa09a870f53ed7e4cd40ed41fd2860329e7 (first released in 0.54.22-staging; first stable release 0.56.0), which blocks -execdir/-okdir for find."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184 Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:08:33.726Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Fix commit (PR #2636): block find -execdir/-okdir",
"tags": [
"patch"
],
"url": "https://github.com/tinyhumansai/openhuman/commit/60050aa09a870f53ed7e4cd40ed41fd2860329e7"
},
{
"name": "Vulnerable source at v0.53.49-staging: src/openhuman/security/policy.rs",
"tags": [
"technical-description"
],
"url": "https://github.com/tinyhumansai/openhuman/blob/v0.53.49-staging/src/openhuman/security/policy.rs"
},
{
"tags": [
"product"
],
"url": "https://github.com/tinyhumansai/openhuman"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution"
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-55743",
"datePublished": "2026-06-17T14:08:33.726Z",
"dateReserved": "2026-06-17T12:59:17.621Z",
"dateUpdated": "2026-06-17T15:40:47.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54415 (GCVE-0-2026-54415)
Vulnerability from cvelistv5 – Published: 2026-06-17 14:04 – Updated: 2026-06-17 15:41
Title
Broken Access Control in Azuriom CMS Server Routes Allows Account Takeover
Summary
Missing Authorization in the server management routes (routes/admin.php) in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses via crafted HTTP requests to /admin/servers/create and the AzLink API endpoints (/api/azlink/password, /api/azlink/email, /api/azlink/user/{id}).
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Azuriom/Azuriom/releases/tag/v1.2.11 | vendor-advisory, release-notes, patch |
| https://github.com/Azuriom/Azuriom/commit/4b744bc… | patch |
| https://github.com/Azuriom/Azuriom | product |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Azuriom | Azuriom CMS | Affected: 0 , < 1.2.11 (semver) |
Date Public
2026-06-08 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:41:05.881670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:41:21.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Azuriom CMS",
"repo": "https://github.com/Azuriom/Azuriom",
"vendor": "Azuriom",
"versions": [
{
"lessThan": "1.2.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bobur Abdugafforov"
},
{
"lang": "en",
"type": "coordinator",
"value": "Khabibullaev Barkamol"
}
],
"datePublic": "2026-06-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization in the server management routes (\u003ccode\u003eroutes/admin.php\u003c/code\u003e) in \u003cstrong\u003eAzuriom Azuriom CMS before 1.2.11\u003c/strong\u003e on all platforms allows an authenticated attacker with the \u003ccode\u003eadmin.access\u003c/code\u003e permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses via crafted HTTP requests to \u003ccode\u003e/admin/servers/create\u003c/code\u003e and the AzLink API endpoints (\u003ccode\u003e/api/azlink/password\u003c/code\u003e, \u003ccode\u003e/api/azlink/email\u003c/code\u003e, \u003ccode\u003e/api/azlink/user/{id}\u003c/code\u003e).\u003c/p\u003e"
}
],
"value": "Missing Authorization in the server management routes (routes/admin.php) in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses via crafted HTTP requests to /admin/servers/create and the AzLink API endpoints (/api/azlink/password, /api/azlink/email, /api/azlink/user/{id})."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:10:00.133Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Azuriom CMS v1.2.11 Release",
"tags": [
"vendor-advisory",
"release-notes",
"patch"
],
"url": "https://github.com/Azuriom/Azuriom/releases/tag/v1.2.11"
},
{
"name": "Fixes and improvements (patch commit)",
"tags": [
"patch"
],
"url": "https://github.com/Azuriom/Azuriom/commit/4b744bc0dd11f205f5aa053c6db8a949d3f0608e"
},
{
"name": "Azuriom CMS GitHub Repository",
"tags": [
"product"
],
"url": "https://github.com/Azuriom/Azuriom"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Broken Access Control in Azuriom CMS Server Routes Allows Account Takeover",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-54415",
"datePublished": "2026-06-17T14:04:59.510Z",
"dateReserved": "2026-06-13T16:39:46.122Z",
"dateUpdated": "2026-06-17T15:41:21.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55738 (GCVE-0-2026-55738)
Vulnerability from cvelistv5 – Published: 2026-06-17 13:45 – Updated: 2026-06-17 15:00
Title
Stack Buffer Overflow in rxi/microtar raw_to_header() via non-null-terminated TAR name field
Summary
A stack-based buffer overflow exists in the raw_to_header() function in src/microtar.c in rxi microtar 0.1.0. The function copies the 100-byte name and linkname fields of a TAR header with strcpy() without guaranteeing null termination of the source. The POSIX ustar format permits these fixed-width fields to be fully populated with non-null bytes, so a crafted archive whose linkname field (followed by the trailing padding of the 512-byte raw header) contains no null terminator causes strcpy() to read past the end of the 512-byte raw header stack buffer and to write past the destination header buffer. A remote attacker who supplies a crafted TAR archive that the victim opens or parses (via mtar_open(), mtar_read_header(), or mtar_find()) can cause an out-of-bounds read and a stack buffer overflow, resulting in denial of service (crash) and potentially arbitrary code execution. Confirmed with AddressSanitizer: stack-buffer-overflow READ of size 356 in raw_to_header at src/microtar.c:112.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/rxi/microtar/blob/master/src/m… | product |
| https://github.com/rxi/microtar | product |
| https://raw.githubusercontent.com/rxi/microtar/ma… | technical-description |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55738",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:00:50.582378Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:00:58.607Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/rxi/microtar",
"defaultStatus": "affected",
"product": "microtar",
"programFiles": [
"src/microtar.c"
],
"programRoutines": [
{
"name": "raw_to_header"
}
],
"repo": "https://github.com/rxi/microtar",
"vendor": "rxi",
"versions": [
{
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Saidakbarxon Maxsudxonov"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA stack-based buffer overflow exists in the \u003ccode\u003eraw_to_header()\u003c/code\u003e function in \u003ccode\u003esrc/microtar.c\u003c/code\u003e in rxi microtar 0.1.0. The function copies the 100-byte \u003ccode\u003ename\u003c/code\u003e and \u003ccode\u003elinkname\u003c/code\u003e fields of a TAR header with \u003ccode\u003estrcpy()\u003c/code\u003e without guaranteeing null termination of the source. The POSIX ustar format permits these fixed-width fields to be fully populated with non-null bytes, so a crafted archive whose \u003ccode\u003elinkname\u003c/code\u003e field (followed by the trailing padding of the 512-byte raw header) contains no null terminator causes \u003ccode\u003estrcpy()\u003c/code\u003e to read past the end of the 512-byte raw header stack buffer and to write past the destination header buffer. A remote attacker who supplies a crafted TAR archive that the victim opens or parses (via \u003ccode\u003emtar_open()\u003c/code\u003e, \u003ccode\u003emtar_read_header()\u003c/code\u003e, or \u003ccode\u003emtar_find()\u003c/code\u003e) can cause an out-of-bounds read and a stack buffer overflow, resulting in denial of service (crash) and potentially arbitrary code execution. Confirmed with AddressSanitizer: stack-buffer-overflow READ of size 356 in \u003ccode\u003eraw_to_header\u003c/code\u003e at \u003ccode\u003esrc/microtar.c:112\u003c/code\u003e.\u003c/p\u003e"
}
],
"value": "A stack-based buffer overflow exists in the raw_to_header() function in src/microtar.c in rxi microtar 0.1.0. The function copies the 100-byte name and linkname fields of a TAR header with strcpy() without guaranteeing null termination of the source. The POSIX ustar format permits these fixed-width fields to be fully populated with non-null bytes, so a crafted archive whose linkname field (followed by the trailing padding of the 512-byte raw header) contains no null terminator causes strcpy() to read past the end of the 512-byte raw header stack buffer and to write past the destination header buffer. A remote attacker who supplies a crafted TAR archive that the victim opens or parses (via mtar_open(), mtar_read_header(), or mtar_find()) can cause an out-of-bounds read and a stack buffer overflow, resulting in denial of service (crash) and potentially arbitrary code execution. Confirmed with AddressSanitizer: stack-buffer-overflow READ of size 356 in raw_to_header at src/microtar.c:112."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-170",
"description": "CWE-170 Improper Null Termination",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T13:45:07.535Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"tags": [
"product"
],
"url": "https://github.com/rxi/microtar/blob/master/src/microtar.c#L111"
},
{
"tags": [
"product"
],
"url": "https://github.com/rxi/microtar"
},
{
"name": "Vulnerable source code: src/microtar.c (raw_to_header)",
"tags": [
"technical-description"
],
"url": "https://raw.githubusercontent.com/rxi/microtar/master/src/microtar.c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stack Buffer Overflow in rxi/microtar raw_to_header() via non-null-terminated TAR name field"
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-55738",
"datePublished": "2026-06-17T13:45:00.399Z",
"dateReserved": "2026-06-17T12:59:17.620Z",
"dateUpdated": "2026-06-17T15:00:58.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54417 (GCVE-0-2026-54417)
Vulnerability from cvelistv5 – Published: 2026-06-17 13:25 – Updated: 2026-06-17 15:01
Title
Integer Overflow in rxi/microtar mtar_next() Causes Infinite Loop DoS
Summary
An integer overflow in the mtar_next() function in src/microtar.c in rxi microtar 0.1.0 allows a remote attacker to cause a denial of service (uncontrolled CPU consumption / infinite loop) via a crafted tar archive. mtar_next() computes the offset to the next record as round_up(h.size, 512) + sizeof(mtar_raw_header_t) using 32-bit arithmetic. When the header size field is a multiple of 512 in the range 0xFFFFFC01-0xFFFFFE00 (e.g. 0xFFFFFE00), the addition wraps to 0, so mtar_next() seeks to the current record position instead of advancing. As a result, mtar_find() and any loop that iterates entries with mtar_next() repeat indefinitely over the same record, hanging the process at 100% CPU with no recovery.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/rxi/microtar/blob/master/src/m… | product |
| https://github.com/rxi/microtar | product |
| https://raw.githubusercontent.com/rxi/microtar/ma… | technical-description |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54417",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:01:28.255429Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:01:35.358Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/rxi/microtar",
"defaultStatus": "affected",
"product": "microtar",
"programFiles": [
"src/microtar.c"
],
"programRoutines": [
{
"name": "mtar_next"
}
],
"repo": "https://github.com/rxi/microtar",
"vendor": "rxi",
"versions": [
{
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Saidakbarxon Maxsudxonov"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn integer overflow in the mtar_next() function in src/microtar.c in rxi microtar 0.1.0 allows a remote attacker to cause a denial of service (uncontrolled CPU consumption / infinite loop) via a crafted tar archive. mtar_next() computes the offset to the next record as round_up(h.size, 512) + sizeof(mtar_raw_header_t) using 32-bit arithmetic. When the header size field is a multiple of 512 in the range 0xFFFFFC01-0xFFFFFE00 (e.g. 0xFFFFFE00), the addition wraps to 0, so mtar_next() seeks to the current record position instead of advancing. As a result, mtar_find() and any loop that iterates entries with mtar_next() repeat indefinitely over the same record, hanging the process at 100% CPU with no recovery.\u003c/p\u003e"
}
],
"value": "An integer overflow in the mtar_next() function in src/microtar.c in rxi microtar 0.1.0 allows a remote attacker to cause a denial of service (uncontrolled CPU consumption / infinite loop) via a crafted tar archive. mtar_next() computes the offset to the next record as round_up(h.size, 512) + sizeof(mtar_raw_header_t) using 32-bit arithmetic. When the header size field is a multiple of 512 in the range 0xFFFFFC01-0xFFFFFE00 (e.g. 0xFFFFFE00), the addition wraps to 0, so mtar_next() seeks to the current record position instead of advancing. As a result, mtar_find() and any loop that iterates entries with mtar_next() repeat indefinitely over the same record, hanging the process at 100% CPU with no recovery."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T13:30:25.140Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"tags": [
"product"
],
"url": "https://github.com/rxi/microtar/blob/master/src/microtar.c#L239"
},
{
"tags": [
"product"
],
"url": "https://github.com/rxi/microtar"
},
{
"name": "Vulnerable source code: src/microtar.c (mtar_next)",
"tags": [
"technical-description"
],
"url": "https://raw.githubusercontent.com/rxi/microtar/master/src/microtar.c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Integer Overflow in rxi/microtar mtar_next() Causes Infinite Loop DoS"
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-54417",
"datePublished": "2026-06-17T13:25:54.502Z",
"dateReserved": "2026-06-13T16:39:46.122Z",
"dateUpdated": "2026-06-17T15:01:35.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54413 (GCVE-0-2026-54413)
Vulnerability from cvelistv5 – Published: 2026-06-14 17:38 – Updated: 2026-06-15 15:09
Summary
driftregion iso14229 through 0.9.0 contains an integer underflow and downstream out-of-bounds read in the Handle_0x27_SecurityAccess() function in iso14229.c that allows a remote unauthenticated attacker to crash a UDS server and potentially read memory past the receive buffer by sending a single-byte 0x27 SecurityAccess request that follows any earlier well-formed 0x27 message. The handler reads the SecurityAccess subFunction from recv_buf[1] without first checking that recv_len is at least 2, then computes the key-data length as the unsigned subtraction (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN); when recv_len equals 1 the result underflows to 65535 and is passed as args.len to the application's SecAccessValidateKey or SecAccessRequestSeed callback, which typically iterates or copies that many bytes from the 4-KB receive buffer. Every other UDS sub-function handler in the library (0x10, 0x11, 0x14, 0x19, 0x22, 0x23, 0x28, and others) performs an explicit recv_len lower-bound check before indexing; Handle_0x27_SecurityAccess is the sole outlier. The vulnerable handler reaches over CAN bus, OBD-II, ISO-TP, and DoIP transports and is exposed in the default diagnostic session without prior authentication; deployments on automotive ECUs, industrial controllers, and IoT devices that ship iso14229 as their UDS server are affected.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/driftregion/iso14229 | product |
| https://github.com/driftregion/iso14229/blob/main… | product |
| https://cwe.mitre.org/data/definitions/191.html | technical-description |
| https://cwe.mitre.org/data/definitions/125.html | technical-description |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| driftregion | iso14229 | Affected: 0 , ≤ 0.9.0 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T15:08:54.075425Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T15:09:01.438Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/driftregion/iso14229",
"defaultStatus": "unknown",
"product": "iso14229",
"programFiles": [
"iso14229.c"
],
"programRoutines": [
{
"name": "Handle_0x27_SecurityAccess"
}
],
"repo": "https://github.com/driftregion/iso14229",
"vendor": "driftregion",
"versions": [
{
"lessThanOrEqual": "0.9.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Burxonov Muslimbek"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003edriftregion iso14229 through 0.9.0 contains an integer underflow and downstream out-of-bounds read in the \u003ccode\u003eHandle_0x27_SecurityAccess()\u003c/code\u003e function in \u003ccode\u003eiso14229.c\u003c/code\u003e that allows a remote unauthenticated attacker to crash a UDS server and potentially read memory past the receive buffer by sending a single-byte \u003ccode\u003e0x27\u003c/code\u003e SecurityAccess request that follows any earlier well-formed \u003ccode\u003e0x27\u003c/code\u003e message. The handler reads the SecurityAccess subFunction from \u003ccode\u003erecv_buf[1]\u003c/code\u003e without first checking that \u003ccode\u003erecv_len\u003c/code\u003e is at least 2, then computes the key-data length as the unsigned subtraction \u003ccode\u003e(uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN)\u003c/code\u003e; when \u003ccode\u003erecv_len\u003c/code\u003e equals 1 the result underflows to 65535 and is passed as \u003ccode\u003eargs.len\u003c/code\u003e to the application\u0027s \u003ccode\u003eSecAccessValidateKey\u003c/code\u003e or \u003ccode\u003eSecAccessRequestSeed\u003c/code\u003e callback, which typically iterates or copies that many bytes from the 4-KB receive buffer. Every other UDS sub-function handler in the library (\u003ccode\u003e0x10\u003c/code\u003e, \u003ccode\u003e0x11\u003c/code\u003e, \u003ccode\u003e0x14\u003c/code\u003e, \u003ccode\u003e0x19\u003c/code\u003e, \u003ccode\u003e0x22\u003c/code\u003e, \u003ccode\u003e0x23\u003c/code\u003e, \u003ccode\u003e0x28\u003c/code\u003e, and others) performs an explicit \u003ccode\u003erecv_len\u003c/code\u003e lower-bound check before indexing; \u003ccode\u003eHandle_0x27_SecurityAccess\u003c/code\u003e is the sole outlier. The vulnerable handler reaches over CAN bus, OBD-II, ISO-TP, and DoIP transports and is exposed in the default diagnostic session without prior authentication; deployments on automotive ECUs, industrial controllers, and IoT devices that ship iso14229 as their UDS server are affected.\u003c/p\u003e"
}
],
"value": "driftregion iso14229 through 0.9.0 contains an integer underflow and downstream out-of-bounds read in the Handle_0x27_SecurityAccess() function in iso14229.c that allows a remote unauthenticated attacker to crash a UDS server and potentially read memory past the receive buffer by sending a single-byte 0x27 SecurityAccess request that follows any earlier well-formed 0x27 message. The handler reads the SecurityAccess subFunction from recv_buf[1] without first checking that recv_len is at least 2, then computes the key-data length as the unsigned subtraction (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN); when recv_len equals 1 the result underflows to 65535 and is passed as args.len to the application\u0027s SecAccessValidateKey or SecAccessRequestSeed callback, which typically iterates or copies that many bytes from the 4-KB receive buffer. Every other UDS sub-function handler in the library (0x10, 0x11, 0x14, 0x19, 0x22, 0x23, 0x28, and others) performs an explicit recv_len lower-bound check before indexing; Handle_0x27_SecurityAccess is the sole outlier. The vulnerable handler reaches over CAN bus, OBD-II, ISO-TP, and DoIP transports and is exposed in the default diagnostic session without prior authentication; deployments on automotive ECUs, industrial controllers, and IoT devices that ship iso14229 as their UDS server are affected."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A remote unauthenticated attacker who can send a single SecurityAccess (SID 0x27) UDS request to a server built on iso14229 - over CAN bus, OBD-II, ISO-TP, or DoIP - crashes the diagnostic server process and may incidentally read up to roughly 64 KB of memory past the receive buffer through the callback the underflowed length is handed to. In automotive and industrial deployments this denies UDS diagnostics for the affected ECU or controller and, on bare-metal targets without memory protection, the resulting hard fault can take the whole control loop down for the duration of the watchdog reset cycle. No prior authentication, no SecurityAccess unlock, and no user interaction are required - the SecurityAccess handler is reachable in the default session."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/V:D",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "A remote attacker on the same diagnostic transport (CAN/OBD-II/ISO-TP/DoIP) sends one well-formed SecurityAccess request followed by a single-byte 0x27 frame; the second frame triggers the integer underflow in Handle_0x27_SecurityAccess and the application\u0027s SecAccessValidateKey or SecAccessRequestSeed callback then reads up to 65535 bytes past the 4-KB receive buffer, crashing the UDS server process or the bare-metal ECU."
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191 Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:38:16.326Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "driftregion/iso14229 - upstream repository",
"tags": [
"product"
],
"url": "https://github.com/driftregion/iso14229"
},
{
"name": "Vulnerable Handle_0x27_SecurityAccess() in iso14229.c",
"tags": [
"product"
],
"url": "https://github.com/driftregion/iso14229/blob/main/iso14229.c#L1447"
},
{
"name": "CWE-191: Integer Underflow (Wrap or Wraparound)",
"tags": [
"technical-description"
],
"url": "https://cwe.mitre.org/data/definitions/191.html"
},
{
"name": "CWE-125: Out-of-bounds Read",
"tags": [
"technical-description"
],
"url": "https://cwe.mitre.org/data/definitions/125.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_assigner_notes": "The missing recv_len lower-bound check was verified by direct source inspection of iso14229.c at the v0.9.0 release tag area and at main HEAD: Handle_0x27_SecurityAccess() begins at line 1447 with \u0027uint8_t subFunction = r-\u003erecv_buf[1];\u0027 and reaches the underflowing \u0027len = (uint16_t)(r-\u003erecv_len - UDS_0X27_REQ_BASE_LEN)\u0027 at lines 1473 and 1511 without any guard on recv_len. Every other sub-function handler in the same file (Handle_0x10 at L911, Handle_0x11 at L960, Handle_0x14 at L996, Handle_0x19 at L1038 with per-sub-function checks, Handle_0x23 at L1418, Handle_0x28 at L1534, and others) performs an explicit \u0027if (r-\u003erecv_len \u003c UDS_0X\u003cXX\u003e_REQ_*_LEN) return NegativeResponse(...)\u0027 check before indexing recv_buf - 0x27 is the sole missing one. The recommended fix is the one-liner: \u0027if (r-\u003erecv_len \u003c UDS_0X27_REQ_BASE_LEN) return NegativeResponse(r, UDS_NRC_IncorrectMessageLengthOrInvalidFormat);\u0027 at the top of the handler, matching the project\u0027s existing pattern. The vulnerability was disclosed to the upstream maintainer through a private GitHub security advisory on 2026-05-26. CVSS scoring matches the precedent set by CVE-2026-54412 (MQTT-C OOB read / integer underflow): VC:L for the bounded heap-byte disclosure, VA:H for the crash on resource-constrained embedded targets, AV:N because the same library is deployed behind DoIP-over-Ethernet diagnostic gateways. Downstream consumers using iso14229 strictly over physical CAN-only deployments may locally lower attackVector to ADJACENT when scoring their own environment.",
"x_author": "Burxonov Muslimbek",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-54413",
"datePublished": "2026-06-14T17:38:16.326Z",
"dateReserved": "2026-06-13T16:39:46.122Z",
"dateUpdated": "2026-06-15T15:09:01.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54412 (GCVE-0-2026-54412)
Vulnerability from cvelistv5 – Published: 2026-06-14 17:26 – Updated: 2026-06-15 17:01
Summary
LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/LiamBindle/MQTT-C | product |
| https://github.com/LiamBindle/MQTT-C/blob/v1.1.6/… | product |
| https://cwe.mitre.org/data/definitions/125.html | technical-description |
| https://cwe.mitre.org/data/definitions/191.html | technical-description |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| LiamBindle | MQTT-C | Affected: 0 , ≤ 1.1.6 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54412",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T17:01:08.771614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T17:01:16.924Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/LiamBindle/MQTT-C",
"defaultStatus": "unknown",
"product": "MQTT-C",
"programFiles": [
"src/mqtt.c"
],
"programRoutines": [
{
"name": "mqtt_unpack_publish_response"
}
],
"repo": "https://github.com/LiamBindle/MQTT-C",
"vendor": "LiamBindle",
"versions": [
{
"lessThanOrEqual": "1.1.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Saidakbarxon Maxsudxonov"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eLiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the \u003ccode\u003emqtt_unpack_publish_response()\u003c/code\u003e function in \u003ccode\u003esrc/mqtt.c\u003c/code\u003e that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header \u003ccode\u003eremaining_length\u003c/code\u003e is at least 4, then reads the 16-bit \u003ccode\u003etopic_name_size\u003c/code\u003e field from the broker-controlled packet and advances the parse pointer by that value without verifying that \u003ccode\u003etopic_name_size\u003c/code\u003e plus the surrounding overhead fits within \u003ccode\u003eremaining_length\u003c/code\u003e; it subsequently computes \u003ccode\u003eapplication_message_size\u003c/code\u003e as \u003ccode\u003eremaining_length - topic_name_size - 2\u003c/code\u003e (QoS 0) or \u003ccode\u003e- 4\u003c/code\u003e (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to \u003ccode\u003ememmove()\u003c/code\u003e. A PUBLISH packet with \u003ccode\u003etopic_name_size = 0xFFFF\u003c/code\u003e and \u003ccode\u003eremaining_length = 7\u003c/code\u003e advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an \u003ccode\u003eapplication_message_size\u003c/code\u003e near 2^32, crashing the process when the resulting \u003ccode\u003ememmove()\u003c/code\u003e is executed.\u0026nbsp;\u003c/p\u003e"
}
],
"value": "LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A remote attacker controlling an MQTT broker - or able to inject one PUBLISH packet into an unencrypted MQTT session a victim has subscribed to - crashes a subscribed MQTT-C client by sending a single crafted PUBLISH packet whose topic_name_size exceeds the remaining_length field. The vulnerable client advances the parse pointer into unmapped heap memory (out-of-bounds read primitive that may also disclose adjacent heap bytes), then computes application_message_size as an unsigned subtraction that underflows to a value near 2^32, and finally passes that value to memmove(), crashing the process. Any IoT or embedded device built on MQTT-C that connects to a shared, untrusted, or compromised broker is reachable for repeated, unauthenticated denial of service."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/V:D",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "A malicious MQTT broker, or a network attacker capable of injecting a single MQTT PUBLISH packet into an unencrypted session that the victim client has subscribed to, sends one crafted packet with topic_name_size = 0xFFFF and remaining_length = 7 to crash an MQTT-C-based client process and optionally disclose adjacent heap bytes through the out-of-bounds read primitive."
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191 Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:27:35.016Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "LiamBindle/MQTT-C - upstream repository (unmaintained since 2022-10-27)",
"tags": [
"product"
],
"url": "https://github.com/LiamBindle/MQTT-C"
},
{
"name": "Vulnerable mqtt_unpack_publish_response() in src/mqtt.c (v1.1.6)",
"tags": [
"product"
],
"url": "https://github.com/LiamBindle/MQTT-C/blob/v1.1.6/src/mqtt.c#L1334"
},
{
"name": "CWE-125: Out-of-bounds Read",
"tags": [
"technical-description"
],
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"name": "CWE-191: Integer Underflow (Wrap or Wraparound)",
"tags": [
"technical-description"
],
"url": "https://cwe.mitre.org/data/definitions/191.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_assigner_notes": "The vulnerable mqtt_unpack_publish_response() body was verified at exactly the v1.1.6 release tag and at master HEAD; the two are byte-identical for this function. The function performs only a \u0027remaining_length \u003e= 4\u0027 fixed-header sanity check (mqtt.c:1349) and then trusts the broker-controlled 16-bit topic_name_size field at mqtt.c:1354 both as a pointer offset (mqtt.c:1357) and as a subtrahend in the unsigned application_message_size computation (mqtt.c:1367/1369). The last commit to LiamBindle/MQTT-C on master is dated 2022-10-27; the project appears unmaintained and no upstream fix is available. defaultStatus is \u0027unknown\u0027 pending vendor confirmation. CVSS 4.0 is scored 8.7 HIGH and CVSS 3.1 is scored 8.2 HIGH, treating the OOB read as VC:L/C:L (limited heap-byte disclosure subject to allocator layout, often masked by the immediately following crash) and the integer-underflow-driven memmove() crash as VA:H/A:H. Mitigation guidance for downstream consumers: validate topic_name_size + 2 + (qos_level \u003e 0 ? 2 : 0) \u003c= remaining_length before using topic_name_size as a pointer offset or as a subtrahend, or migrate to a maintained MQTT client library (e.g. Eclipse Paho MQTT C, libmosquitto).",
"x_author": "Saidakbarxon Maxsudxonov",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-54412",
"datePublished": "2026-06-14T17:26:36.740Z",
"dateReserved": "2026-06-13T16:39:46.122Z",
"dateUpdated": "2026-06-15T17:01:16.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54411 (GCVE-0-2026-54411)
Vulnerability from cvelistv5 – Published: 2026-06-14 17:21 – Updated: 2026-06-15 16:59
VLAI
Summary
Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/linux-pam/linux-pam | product |
| https://github.com/linux-pam/linux-pam/blob/maste… | product |
| https://github.com/linux-pam/linux-pam/blob/maste… | product |
| https://cwe.mitre.org/data/definitions/208.html | technical-description |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54411",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T16:59:25.401303Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T16:59:37.818Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/linux-pam/linux-pam",
"defaultStatus": "unknown",
"modules": [
"pam_userdb"
],
"product": "Linux-PAM",
"programFiles": [
"modules/pam_userdb/pam_userdb.c"
],
"repo": "https://github.com/linux-pam/linux-pam",
"vendor": "Linux-PAM",
"versions": [
{
"lessThanOrEqual": "1.7.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Xurshidbek Sobirjonov"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eLinux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module\u0027s plaintext-password comparison path in \u003ccode\u003emodules/pam_userdb/pam_userdb.c\u003c/code\u003e that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses \u003ccode\u003estrncmp()\u003c/code\u003e (or \u003ccode\u003estrncasecmp()\u003c/code\u003e when \u003ccode\u003ePAM_ICASE_ARG\u003c/code\u003e is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate\u0027s length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with \u003ccode\u003ecrypt=none\u003c/code\u003e, with an unrecognized crypt method, or without a \u003ccode\u003ecrypt=\u003c/code\u003e argument, causing the module to store and compare credentials in plaintext.\u003c/p\u003e"
}
],
"value": "Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module\u0027s plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate\u0027s length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An attacker who can repeatedly drive authentication through a service that invokes pam_userdb with plaintext-password configuration and without an artificial failure delay can measure response-timing differences to learn the correct password length and recover the plaintext password byte by byte. Recovery requires many measurements per character and is sensitive to scheduling and network jitter; recovery of one user\u0027s secret does not by itself yield access to other accounts. Practical exploitation is gated by an administrative misconfiguration (pam_userdb storing passwords in plaintext, reached when the module is configured with crypt=none, with an unknown crypt method, or with no crypt= option) and by the absence of failure-delay or rate-limiting in the calling service."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/AU:N/V:D",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "An attacker repeatedly authenticates through a service that calls pam_userdb (plaintext mode) and measures the time the service takes to reject each candidate password to learn the password length and recover the password one byte at a time."
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:21:43.853Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Linux-PAM - upstream repository",
"tags": [
"product"
],
"url": "https://github.com/linux-pam/linux-pam"
},
{
"name": "Vulnerable plaintext-password comparison in pam_userdb.c (master)",
"tags": [
"product"
],
"url": "https://github.com/linux-pam/linux-pam/blob/master/modules/pam_userdb/pam_userdb.c#L327"
},
{
"name": "pam_consttime_streq helper available for the remediation",
"tags": [
"product"
],
"url": "https://github.com/linux-pam/linux-pam/blob/master/libpam/include/pam_inline.h"
},
{
"name": "CWE-208: Observable Timing Discrepancy",
"tags": [
"technical-description"
],
"url": "https://cwe.mitre.org/data/definitions/208.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_assigner_notes": "The vulnerable comparison was verified by direct source inspection of modules/pam_userdb/pam_userdb.c at tag v1.7.2 and at master HEAD as of disclosure: lines 327-332 perform a length-equality early exit followed by strncmp() / strncasecmp(). Linux-PAM has previously addressed the same weakness class in a sibling module: NEWS for Release 1.7.0 records \"pam_unix: compare password hashes in constant time\", and Release 1.6.0 hardened pam_mkhomedir \"against timing attacks\". The pam_consttime_streq() helper used by those fixes lives in libpam/include/pam_inline.h, which pam_userdb.c already includes, so the remediation in pam_userdb is a drop-in replacement of the strncmp call. The v1.7.2 release notes do not list a pam_userdb hardening change. Exploitation is gated by (a) the administrator having configured pam_userdb with plaintext password storage (crypt=none, unknown crypt method, or no crypt= option), a discouraged but documented configuration; and (b) the calling service not applying an authentication-failure delay - both gates raise attack complexity and bound real-world impact, so CVSS is scored MEDIUM rather than HIGH consistent with prior CWE-208 timing-leak CVE scoring.",
"x_author": "Xurshidbek Sobirjonov",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-54411",
"datePublished": "2026-06-14T17:21:43.853Z",
"dateReserved": "2026-06-13T16:39:46.122Z",
"dateUpdated": "2026-06-15T16:59:37.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54410 (GCVE-0-2026-54410)
Vulnerability from cvelistv5 – Published: 2026-06-14 17:10 – Updated: 2026-06-15 17:05
VLAI
Summary
nanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows remote unauthenticated attackers to write one attacker-controlled byte past the end of the 260-byte receive buffer by sending a crafted MBAP frame whose Length field is set to 255. The overflow corrupts the adjacent buffer-index field of the nanoMODBUS state structure, resulting in denial of service through invalid memory accesses and, on bare-metal and RTOS targets without memory protection, one-byte information disclosure and writes to unintended register addresses on the Write Multiple Registers (FC16) handler path.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/debevv/nanoMODBUS | product |
| https://github.com/debevv/nanoMODBUS/blob/v1.23.0… | product |
| https://cwe.mitre.org/data/definitions/193.html | technical-description |
| https://cwe.mitre.org/data/definitions/787.html | technical-description |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| debevv | nanoMODBUS | Affected: 0 , ≤ 1.23.0 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54410",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T17:00:11.456275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T17:05:25.499Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/debevv/nanoMODBUS",
"defaultStatus": "unknown",
"product": "nanoMODBUS",
"programFiles": [
"nanomodbus.c"
],
"programRoutines": [
{
"name": "recv_msg_header"
}
],
"repo": "https://github.com/debevv/nanoMODBUS",
"vendor": "debevv",
"versions": [
{
"lessThanOrEqual": "1.23.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Burxonov Muslimbek"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003enanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows remote unauthenticated attackers to write one attacker-controlled byte past the end of the 260-byte receive buffer by sending a crafted MBAP frame whose Length field is set to 255. The overflow corrupts the adjacent buffer-index field of the nanoMODBUS state structure, resulting in denial of service through invalid memory accesses and, on bare-metal and RTOS targets without memory protection, one-byte information disclosure and writes to unintended register addresses on the Write Multiple Registers (FC16) handler path.\u003c/p\u003e"
}
],
"value": "nanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows remote unauthenticated attackers to write one attacker-controlled byte past the end of the 260-byte receive buffer by sending a crafted MBAP frame whose Length field is set to 255. The overflow corrupts the adjacent buffer-index field of the nanoMODBUS state structure, resulting in denial of service through invalid memory accesses and, on bare-metal and RTOS targets without memory protection, one-byte information disclosure and writes to unintended register addresses on the Write Multiple Registers (FC16) handler path."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A remote unauthenticated attacker who can reach a Modbus/TCP server built on nanoMODBUS can send a crafted MBAP frame with the Length field set to 255 to overflow the 260-byte receive buffer by one byte, corrupting the adjacent buf_idx field of the nmbs_t struct with an attacker-controlled value. This yields denial of service (subsequent handler calls treat the corrupted buf_idx as a register count / offset and crash, hang, or return invalid data), one-byte information disclosure on bare-metal and RTOS targets without memory protection (ARM Cortex-M, ESP32, STM32 class), and the possibility of writing to unintended register addresses on the FC16 (Write Multiple Registers) handler path. No authentication, no user interaction, and no special configuration are required."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "An attacker who can reach the TCP listening port of a Modbus/TCP server built on nanoMODBUS (typically TCP/502 on industrial / OT networks) sends a single crafted MBAP frame with Length=255 to corrupt the buf_idx field of the nmbs_t struct, causing denial of service or, on memory-protection-less embedded targets, additional information disclosure or unintended register writes."
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-193",
"description": "CWE-193 Off-by-one Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:10:12.275Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "nanoMODBUS - upstream repository (vendor)",
"tags": [
"product"
],
"url": "https://github.com/debevv/nanoMODBUS"
},
{
"name": "Vulnerable bounds check at nanomodbus.c line 369 (v1.23.0)",
"tags": [
"product"
],
"url": "https://github.com/debevv/nanoMODBUS/blob/v1.23.0/nanomodbus.c#L369"
},
{
"name": "CWE-193: Off-by-one Error",
"tags": [
"technical-description"
],
"url": "https://cwe.mitre.org/data/definitions/193.html"
},
{
"name": "CWE-787: Out-of-bounds Write",
"tags": [
"technical-description"
],
"url": "https://cwe.mitre.org/data/definitions/787.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_assigner_notes": "Vendor \u0027debevv\u0027 is a single-maintainer GitHub account; nanoMODBUS is MIT-licensed. The vulnerable bounds check was verified by source inspection of v1.22.0, v1.22.1, and v1.23.0 (latest at publish time) - the issue is present in all three; affected range is therefore 0 through v1.23.0 (inclusive) with defaultStatus \u0027unknown\u0027 pending vendor confirmation of a fixed release. CVSS scoring follows the submitter\u0027s CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H = 8.6) and translates to 4.0 with VC:L/VI:L/VA:H, SC/SI/SA:N (= 8.7) and 2.0 with C:P/I:P/A:C (= 9.0).",
"x_author": "Burxonov Muslimbek",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-54410",
"datePublished": "2026-06-14T17:10:12.275Z",
"dateReserved": "2026-06-13T16:39:46.122Z",
"dateUpdated": "2026-06-15T17:05:25.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12183 (GCVE-0-2026-12183)
Vulnerability from cvelistv5 – Published: 2026-06-13 17:36 – Updated: 2026-06-17 14:12
VLAI
Summary
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/ciprobe/bukts_auth_bypass | exploit, third-party-advisory |
| https://bukts.ru/repo-bukts-current | vendor-advisory |
| https://cwe.mitre.org/data/definitions/287.html | technical-description |
| https://cwe.mitre.org/data/definitions/306.html | technical-description |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Nefteprodukttekhnika LLC | BUK TS-G Gas Station Automation System | Affected: 2.9.1 , ≤ 2.10.2 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12183",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T17:16:46.158699Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T17:16:58.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"Configuration Module (\u041c\u043e\u0434\u0443\u043b\u044c: \u041d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430)"
],
"platforms": [
"Linux"
],
"product": "BUK TS-G Gas Station Automation System",
"vendor": "Nefteprodukttekhnika LLC",
"versions": [
{
"lessThanOrEqual": "2.10.2",
"status": "affected",
"version": "2.9.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qahramon Choriyev (ciprobe)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Ziyovuddinov Muhammadyusuf"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eNefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The \u003ccode\u003e/php/ajax-login.php\u003c/code\u003e endpoint returns \u003ccode\u003euserid=1\u003c/code\u003e (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., \u003ccode\u003eaction=dologin\u0026amp;login=\u0026lt;any_value\u0026gt;\u0026amp;pwd=\u0026lt;any_value\u0026gt;\u003c/code\u003e), and subsequent privileged endpoints under \u003ccode\u003e/php/ajax-main.php\u003c/code\u003e and \u003ccode\u003e/modules/*\u003c/code\u003e do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.\u003c/p\u003e"
}
],
"value": "Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin\u0026login=\u003cany_value\u003e\u0026pwd=\u003cany_value\u003e), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A remote unauthenticated attacker can perform any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers (TRK), relays, cash registers, bank terminals, fuel cards and local payment cards, price and customer displays, cash collection, and pricing rules. No valid credentials and no user interaction are required."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "An unauthenticated remote attacker reaches the BUK-TS Configuration Module login page, submits any password, and uses an HTTP-intercepting proxy to insert a userid field into the login response. The attacker is then granted full administrative access to the gas-station configuration interface, including control over fuel dispensers, tanks, relays, cash registers, and payment terminals."
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:12:42.686Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "BUK_TS_KILLER - Proof-of-concept exploit for the BUK TS-G authentication bypass",
"tags": [
"exploit",
"third-party-advisory"
],
"url": "https://github.com/ciprobe/bukts_auth_bypass"
},
{
"name": "Nefteprodukttekhnika BUK TS-G - Vendor distribution",
"tags": [
"vendor-advisory"
],
"url": "https://bukts.ru/repo-bukts-current"
},
{
"name": "CWE-287: Improper Authentication",
"tags": [
"technical-description"
],
"url": "https://cwe.mitre.org/data/definitions/287.html"
},
{
"name": "CWE-306: Missing Authentication for Critical Function",
"tags": [
"technical-description"
],
"url": "https://cwe.mitre.org/data/definitions/306.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_assigner_notes": "Vendor identified as Nefteprodukttekhnika LLC (BUK TS-G Gas Station Automation System) based on TuranSec CNA precedent CVE-2026-3843, which covers a SQL Injection / RCE in the same product. This authentication-bypass issue is confirmed present in 2.9.1 and 2.10.2 - the 2.10.2 release fixed the SQL Injection (CVE-2026-3843) but did not address this separate auth-bypass bug. defaultStatus remains \u0027unknown\u0027 pending vendor confirmation of a fixed version. CVSS scoring is aligned with CVE-2026-3843 (VC:H/VI:H/VA:H, SC:L/SI:L/SA:L) so internal CNA scoring stays consistent across the product family. Live target IP and hostname are intentionally omitted from this record.",
"x_author": "Qahramon Choriyev (ciprobe)",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-12183",
"datePublished": "2026-06-13T17:36:49.109Z",
"dateReserved": "2026-06-13T16:39:43.046Z",
"dateUpdated": "2026-06-17T14:12:42.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6428 (GCVE-0-2026-6428)
Vulnerability from cvelistv5 – Published: 2026-06-13 16:34 – Updated: 2026-06-15 17:19
Summary
SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/.
The vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters:
my $f = @$filters[0];
$f =~ s/\*/%/g;
$strsth2 .= " AND $column LIKE '$f' ";
This enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions.
Proof of concept (error-based, single request):
GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+-
Cookie: CGISESSID=<LIBRARIAN_SESSION>
The response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...).
The vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder.
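The sink quoted above is easiest to understand side by side with its parameterised form. The following is an added example written for this page, not Koha's code: it models the `$strsth2` construction from `sub calculate` against a constructed in-memory SQLite `branches` table (the real statement, its base query and Koha's MariaDB schema are assumed, and the Koha-specific `*` to `%` wildcard rewrite is kept). SQLite has no `EXTRACTVALUE`, so the error-based leak is shown with an unknown function call instead: the point is that the engine's error text reaches the caller, exactly as the DBI exception reaches the Reports CGI.

```python
import sqlite3


def make_db():
    """Constructed stand-in for Koha's branches table (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE branches (branchcode TEXT, branchname TEXT)")
    db.executemany(
        "INSERT INTO branches VALUES (?, ?)",
        [("CPL", "Centerville"), ("MPL", "Midway"), ("FPL", "Fairview")],
    )
    db.commit()
    return db


def vulnerable_clause(column, user_filter):
    """Mirrors the sink: '*' becomes '%', then the raw Filter value is
    interpolated into the LIKE clause. Quotes in it become SQL syntax."""
    f = user_filter.replace("*", "%")
    return f" AND {column} LIKE '{f}' "


def vulnerable_query(db, column, user_filter):
    # Base SELECT is assumed; only the appended clause matters here.
    sql = "SELECT branchcode FROM branches WHERE 1=1" + vulnerable_clause(column, user_filter)
    return sorted(r[0] for r in db.execute(sql))


def vulnerable_error(db, column, user_filter):
    """Returns the engine error text the caller would see, or None.
    This is the channel error-based extraction (EXTRACTVALUE on MariaDB) uses."""
    try:
        vulnerable_query(db, column, user_filter)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def fixed_query(db, column, user_filter):
    """Parameterised form (the shape of the upstream fix, as described): the
    wildcard rewrite stays, the value travels as a bound parameter."""
    # $column is chosen by code from Criteria, never taken verbatim from the request.
    if column not in ("branchcode", "branchname"):
        raise ValueError("column must be selected by code, not by the client")
    f = user_filter.replace("*", "%")
    sql = f"SELECT branchcode FROM branches WHERE 1=1 AND {column} LIKE ? "
    return sorted(r[0] for r in db.execute(sql, (f,)))


if __name__ == "__main__":
    db = make_db()
    print("legit wildcard :", fixed_query(db, "branchcode", "*PL"))
    print("tautology, vuln:", vulnerable_query(db, "branchcode", "x' OR '1'='1"))
    print("tautology, fix :", fixed_query(db, "branchcode", "x' OR '1'='1"))
    print("error leak     :", vulnerable_error(db, "branchcode", "x' AND nosuchfunc(1)-- -"))
```

The legitimate `*PL` pattern behaves identically in both paths, which is why the bug survived: nothing in normal use exercises the quote. The `-- -` tail is the same comment trick the advisory's PoC uses to discard the closing quote the template appends.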
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://bugs.koha-community.org/bugzilla3/show_bu… | issue-tracking, vendor-advisory |
| https://bugs.koha-community.org/bugzilla3/attachm… | patch, vendor-advisory |
| https://koha-community.org/security-releases/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Koha Community | Koha | Affected: 0 , < 22.11.38 (semver); Affected: 23.05.00 , ≤ 23.11.15 (semver); Affected: 24.05.00 , < 24.11.16 (semver); Affected: 25.05.00 , < 25.05.11 (semver); Affected: 25.11.00 , < 25.11.05 (semver); Affected: 26.05.00 , < 26.05.01 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6428",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T17:19:10.550362Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T17:19:39.716Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://koha-community.org/",
"defaultStatus": "unaffected",
"product": "Koha",
"programFiles": [
"reports/catalogue_out.pl"
],
"repo": "https://gitlab.com/koha-community/Koha",
"vendor": "Koha Community",
"versions": [
{
"lessThan": "22.11.38",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "23.11.15",
"status": "affected",
"version": "23.05.00",
"versionType": "semver"
},
{
"lessThan": "24.11.16",
"status": "affected",
"version": "24.05.00",
"versionType": "semver"
},
{
"lessThan": "25.05.11",
"status": "affected",
"version": "25.05.00",
"versionType": "semver"
},
{
"lessThan": "25.11.05",
"status": "affected",
"version": "25.11.00",
"versionType": "semver"
},
{
"lessThan": "26.05.01",
"status": "affected",
"version": "26.05.00",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sanjar Tulkinov (Sanjarbiy)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eSQL Injection in \u003ccode\u003ereports/catalogue_out.pl\u003c/code\u003e in Koha Community Koha\u003c/b\u003e through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the \u003ci\u003eReports\u003c/i\u003e module flag to read arbitrary data from the Koha application database via the \u003ccode\u003eFilter\u003c/code\u003e URL parameter when the \u003ccode\u003eCriteria\u003c/code\u003e parameter matches \u003ccode\u003e/branchcode/\u003c/code\u003e.\u003c/p\u003e\u003cp\u003eThe vulnerable sink in \u003ccode\u003esub calculate\u003c/code\u003e concatenates the unmodified \u003ccode\u003eFilter\u003c/code\u003e request parameter directly into a \u003ccode\u003eLIKE\u003c/code\u003e clause of the auxiliary \u003ccode\u003e$strsth2\u003c/code\u003e statement and executes it via DBI without bound parameters:\u003c/p\u003e\u003cpre\u003emy $f = @$filters[0];\n$f =~ s/\\*/%/g;\n$strsth2 .= \" AND $column LIKE \u0027$f\u0027 \";\u003c/pre\u003e\u003cp\u003eThis enables error-based SQL injection (e.g., via \u003ccode\u003eEXTRACTVALUE\u003c/code\u003e) and full read access to sensitive tables including \u003ccode\u003eborrowers\u003c/code\u003e (password hashes, 2FA secrets, PII), \u003ccode\u003eborrower_password_recovery\u003c/code\u003e, \u003ccode\u003eapi_keys\u003c/code\u003e, and \u003ccode\u003esessions\u003c/code\u003e.\u003c/p\u003e\u003cp\u003e\u003cb\u003eProof of concept (error-based, single request):\u003c/b\u003e\u003c/p\u003e\u003cpre\u003eGET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1\u0026amp;output=screen\u0026amp;Limit=10\u0026amp;Criteria=branchcode\u0026amp;Filter=x\u0027+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+-\nCookie: CGISESSID=\u0026lt;LIBRARIAN_SESSION\u0026gt;\u003c/pre\u003e\u003cp\u003eThe response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using \u003ccode\u003eLIMIT n,1\u003c/code\u003e / \u003ccode\u003eSUBSTRING(...)\u003c/code\u003e.\u003c/p\u003e\u003cp\u003eThe vulnerable sink was introduced in commit \u003ccode\u003e6bb77ae3e4\u003c/code\u003e (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to \u003ccode\u003ereports/catalogue_out.pl\u003c/code\u003e. \u003cb\u003eFixed in\u003c/b\u003e Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder.\u003c/p\u003e"
}
],
"value": "SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/.\n\n\n\nThe vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters:\n\n\n\nmy $f = @$filters[0];\n$f =~ s/\\*/%/g;\n$strsth2 .= \" AND $column LIKE \u0027$f\u0027 \";\n\n\n\nThis enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions.\n\n\n\nProof of concept (error-based, single request):\n\n\n\nGET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1\u0026output=screen\u0026Limit=10\u0026Criteria=branchcode\u0026Filter=x\u0027+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+-\nCookie: CGISESSID=\u003cLIBRARIAN_SESSION\u003e\n\n\n\nThe response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...).\n\n\n\nThe vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An authenticated staff user holding the Reports module permission can inject arbitrary SQL into the auxiliary $strsth2 statement built inside sub calculate when $tablename eq \u0027branches\u0027. Because the statement is sent to DBI without bound parameters, the attacker can read any row and column accessible to the Koha application database user, including the borrowers table (password hashes, two-factor authentication secrets, personally identifiable information), borrower_password_recovery, api_keys, sessions, and all circulation data. Error-based exfiltration is single-request (EXTRACTVALUE) and exposed through the DBI exception surfaced by the Reports CGI; time-based extraction and denial of service against the database remain possible even after the related information-disclosure issue (Koha bug 42366) is patched."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/V:C/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "An authenticated staff user holding the Reports module flag sends a crafted GET request to /cgi-bin/koha/reports/catalogue_out.pl with Criteria=branchcode and a malicious Filter parameter to read arbitrary data from the Koha application database."
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:N/A:P",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T16:35:56.718Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Koha Bug 42361 - SQL Injection in reports/catalogue_out.pl via Filter parameter",
"tags": [
"issue-tracking",
"vendor-advisory"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42361"
},
{
"name": "Bug 42361: Fix SQL injection in catalogue_out.pl (official patch)",
"tags": [
"patch",
"vendor-advisory"
],
"url": "https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=199539"
},
{
"name": "Koha Community Security Releases",
"tags": [
"vendor-advisory"
],
"url": "https://koha-community.org/security-releases/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_author": "Sanjar Tulkinov (Sanjarbiy)",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-6428",
"datePublished": "2026-06-13T16:34:10.326Z",
"dateReserved": "2026-04-16T12:58:10.800Z",
"dateUpdated": "2026-06-15T17:19:39.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31843 (GCVE-0-2026-31843)
Vulnerability from cvelistv5 – Published: 2026-04-16 13:02 – Updated: 2026-04-16 19:30
Summary
The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control leading to unauthorized modification of executable application files
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/shaxzodbek-uzb/pay-uz | product |
| https://github.com/goodoneuz/pay-uz/blob/master/s… | issue-tracking |
| https://github.com/goodoneuz/pay-uz/blob/master/s… | issue-tracking |
| https://packagist.org/packages/goodoneuz/pay-uz | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31843",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T17:23:59.905688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T19:30:21.203Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://packagist.org/packages/goodoneuz/pay-uz",
"defaultStatus": "affected",
"packageName": "goodoneuz/pay-uz",
"product": "pay-uz",
"repo": "https://github.com/shaxzodbek-uzb/pay-uz/",
"vendor": "goodoneuz",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.2.24"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe goodoneuz/pay-uz Laravel package (\u0026lt;= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.\u003c/p\u003e"
}
],
"value": "The goodoneuz/pay-uz Laravel package (\u003c= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated attacker can modify executable PHP payment hook files, resulting in injection of malicious PHP code. When these modified files are executed during payment processing via require(), this leads to remote code execution with web server privileges and full application compromise."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control leading to unauthorized modification of executable application files",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T13:07:39.550Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"tags": [
"product"
],
"url": "https://github.com/shaxzodbek-uzb/pay-uz"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/goodoneuz/pay-uz/blob/master/src/routes/web.php"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/goodoneuz/pay-uz/blob/master/src/Http/Controllers/ApiController.php"
},
{
"tags": [
"product"
],
"url": "https://packagist.org/packages/goodoneuz/pay-uz"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-31843",
"datePublished": "2026-04-16T13:02:55.701Z",
"dateReserved": "2026-03-09T18:20:23.398Z",
"dateUpdated": "2026-04-16T19:30:21.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31845 (GCVE-0-2026-31845)
Vulnerability from cvelistv5 – Published: 2026-04-11 18:26 – Updated: 2026-04-13 17:44
Summary
A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions.
The vulnerable code is:
if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']);
An unauthenticated attacker can exploit this issue by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the context of the application within the victim's browser, potentially leading to session hijacking, credential theft, phishing, or account takeover.
The issue is fixed in version 3.7, which introduces proper input validation and output encoding to prevent script injection.
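The one-line sink above is worth seeing next to a hardened handler, because the advisory names three missing controls at once (validation, encoding, content type) and the fix does not need all three. What follows is an added example for this page, not Rukovoditel code and not the 3.7 patch: a small Python model of the endpoint as a function returning (status, headers, body). The allowlist regex for `zd_echo` is an assumption standing in for whatever format the Zadarma callback actually sends; the vulnerable branch relies on the fact that PHP's default response `Content-Type` is `text/html`, which is what turns an echoed string into executable markup.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Assumed allowlist: the telephony provider's echo token is treated as a short
# alphanumeric string. Tighten to the real format before deploying anything like this.
ZD_ECHO_RE = re.compile(r"[A-Za-z0-9]{1,64}")

PLAIN = {"Content-Type": "text/plain; charset=utf-8", "X-Content-Type-Options": "nosniff"}


def query_of(url):
    """First value of each query parameter, as $_GET would expose it."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def vulnerable_zadarma_echo(query):
    """Equivalent of: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']);
    No validation, no encoding, and PHP's default Content-Type is text/html."""
    if "zd_echo" in query:
        return 200, {"Content-Type": "text/html; charset=UTF-8"}, query["zd_echo"]
    return 204, {}, ""


def hardened_zadarma_echo(query):
    """Allowlist the value and answer as plain text with nosniff, so even a
    value that slipped through the regex could not be rendered as HTML."""
    value = query.get("zd_echo")
    if value is None:
        return 204, {}, ""
    if not ZD_ECHO_RE.fullmatch(value):
        return 400, dict(PLAIN), "invalid zd_echo"
    return 200, dict(PLAIN), value


def reflected_as_html(response, payload):
    """Triage check: does the response echo the payload in an HTML body?"""
    status, headers, body = response
    return status == 200 and headers.get("Content-Type", "").startswith("text/html") and payload in body


# Constructed requests, not taken from the advisory.
PAYLOAD = "<script>alert(document.cookie)</script>"
MALICIOUS_URL = "/api/tel/zadarma.php?zd_echo=" + quote(PAYLOAD)
BENIGN_URL = "/api/tel/zadarma.php?zd_echo=ab12CD"

if __name__ == "__main__":
    q = query_of(MALICIOUS_URL)
    print("vulnerable:", vulnerable_zadarma_echo(q))
    print("hardened  :", hardened_zadarma_echo(q))
```

The plain-text content type plus `X-Content-Type-Options: nosniff` is the control that survives a mistake in the allowlist; the allowlist is what keeps the endpoint from becoming an open reflector for other purposes.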
Severity
9.3 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Rukovoditel | Rukovoditel CRM | Affected: 3.6.4; Unaffected: 3.7 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31845",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T17:43:52.300455Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T17:44:03.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rukovoditel CRM",
"vendor": "Rukovoditel",
"versions": [
{
"status": "affected",
"version": "3.6.4"
},
{
"status": "unaffected",
"version": "3.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Shukrullo Raximov (Mothra)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the \u0027zd_echo\u0027 GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions.\u003c/p\u003e\u003cp\u003eThe vulnerable code is:\u003c/p\u003e\u003cp\u003eif (isset($_GET[\u0027zd_echo\u0027])) exit($_GET[\u0027zd_echo\u0027]);\u003c/p\u003e\u003cp\u003eAn unauthenticated attacker can exploit this issue by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the context of the application within the victim\u0027s browser, potentially leading to session hijacking, credential theft, phishing, or account takeover.\u003c/p\u003e\u003cp\u003eThe issue is fixed in version 3.7, which introduces proper input validation and output encoding to prevent script injection.\u003c/p\u003e"
}
],
"value": "A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the \u0027zd_echo\u0027 GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions.\n\nThe vulnerable code is:\n\nif (isset($_GET[\u0027zd_echo\u0027])) exit($_GET[\u0027zd_echo\u0027]);\n\nAn unauthenticated attacker can exploit this issue by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the context of the application within the victim\u0027s browser, potentially leading to session hijacking, credential theft, phishing, or account takeover.\n\nThe issue is fixed in version 3.7, which introduces proper input validation and output encoding to prevent script injection."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-11T18:42:30.728Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"url": "https://forum.rukovoditel.net/viewtopic.php?p=22499#p22499"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-31845",
"datePublished": "2026-04-11T18:26:46.481Z",
"dateReserved": "2026-03-09T18:20:23.398Z",
"dateUpdated": "2026-04-13T17:44:03.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31842 (GCVE-0-2026-31842)
Vulnerability from cvelistv5 – Published: 2026-04-07 11:17 – Updated: 2026-04-07 16:30
Title
Tinyproxy HTTP request parsing desynchronization via case-sensitive Transfer-Encoding handling
Summary
Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.
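The C below is an added illustration of the comparison bug the record describes; it is not Tinyproxy's own code. It places a case-sensitive strcmp() check beside a hardened check that treats Transfer-Encoding as what RFC 7230 defines: a comma-separated list of case-insensitive transfer-coding names, each with optional parameters and whitespace, where chunked must be the final coding. The function names and the sample header values are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/*
 * Vulnerable pattern (the is_chunked_transfer() behaviour described above):
 * an exact, case-sensitive comparison. "Chunked" or "CHUNKED" falls through
 * to "no body", while an RFC-compliant backend still waits for chunked data.
 */
int is_chunked_vulnerable(const char *value)
{
    return value != NULL && strcmp(value, "chunked") == 0;
}

/*
 * Hardened check. Transfer-Encoding is a comma-separated list of
 * case-insensitive transfer-coding names, each optionally followed by
 * ";param=value" and surrounded by optional whitespace.
 *
 * Returns:
 *   1  the final coding is chunked (body is chunk-framed)
 *   0  no coding is chunked
 *  -1  chunked appears but is not last; the message length is then
 *      undeterminable (RFC 7230 s.3.3.3) and a proxy should reject the
 *      request with 400 instead of guessing.
 */
int is_chunked_fixed(const char *value)
{
    int last_is_chunked = 0;     /* most recent token == "chunked"? */
    int chunked_before_last = 0; /* an earlier token was "chunked"  */
    const char *p = value;

    if (value == NULL)
        return 0;

    for (;;) {
        const char *start;
        const char *semi;
        size_t len;

        /* skip optional whitespace and empty list elements ("a,,b") */
        while (*p == ' ' || *p == '\t' || *p == ',')
            p++;
        if (*p == '\0')
            break;

        start = p;
        while (*p != '\0' && *p != ',')
            p++;
        len = (size_t)(p - start);

        /* drop transfer-parameters and trailing whitespace before comparing */
        semi = memchr(start, ';', len);
        if (semi != NULL)
            len = (size_t)(semi - start);
        while (len > 0 && (start[len - 1] == ' ' || start[len - 1] == '\t'))
            len--;

        if (last_is_chunked)
            chunked_before_last = 1;
        last_is_chunked = (len == 7 && strncasecmp(start, "chunked", 7) == 0);
    }

    return chunked_before_last ? -1 : last_is_chunked;
}

int main(void)
{
    /* constructed header values, not captured traffic */
    const char *samples[] = { "chunked", "Chunked", "gzip, chunked",
                              "chunked, gzip", "identity" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s vulnerable=%d fixed=%d\n", samples[i],
               is_chunked_vulnerable(samples[i]),
               is_chunked_fixed(samples[i]));
    return 0;
}
```

A proxy that gets -1 from the hardened check should answer 400 and close rather than forward; that also covers the second half of the failure mode above, where buffered body bytes are handed to raw relaying without ever being parsed.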
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
TuranSec
References
3 references
| URL | Tags |
|---|---|
| https://github.com/tinyproxy/tinyproxy/issues/604 | issue-tracking, technical-description, third-party-advisory |
| https://github.com/tinyproxy/tinyproxy | product |
| https://datatracker.ietf.org/doc/html/rfc7230 | technical-description |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Tinyproxy Project | Tinyproxy | Affected: 0 to ≤ 1.11.3 (custom) |
Credits
Muxammadiyev G'iyosiddin (finder)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31842",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T16:30:26.482367Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T16:30:44.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/tinyproxy/tinyproxy",
"defaultStatus": "unaffected",
"platforms": [
"all"
],
"product": "Tinyproxy",
"vendor": "Tinyproxy Project",
"versions": [
{
"lessThanOrEqual": "1.11.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muxammadiyev G\u0027iyosiddin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against \"chunked\", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.\u003c/p\u003e"
}
],
"value": "Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against \"chunked\", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated remote attacker can trigger HTTP request parsing desynchronization using a mixed-case Transfer-Encoding header (e.g., \u0027Chunked\u0027), leading to backend connection hangs and denial of service. In certain deployments, request-body inspection and filtering mechanisms relying on Tinyproxy may also be bypassed."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T11:17:33.621Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Upstream issue report and reproduction details",
"tags": [
"issue-tracking",
"technical-description",
"third-party-advisory"
],
"url": "https://github.com/tinyproxy/tinyproxy/issues/604"
},
{
"name": "Tinyproxy upstream project",
"tags": [
"product"
],
"url": "https://github.com/tinyproxy/tinyproxy"
},
{
"name": "RFC 7230: transfer-coding names are case-insensitive",
"tags": [
"technical-description"
],
"url": "https://datatracker.ietf.org/doc/html/rfc7230"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Tinyproxy HTTP request parsing desynchronization via case-sensitive Transfer-Encoding handling",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-31842",
"datePublished": "2026-04-07T11:17:33.621Z",
"dateReserved": "2026-03-09T18:20:23.398Z",
"dateUpdated": "2026-04-07T16:30:44.774Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5463 (GCVE-0-2026-5463)
Vulnerability from cvelistv5 – Published: 2026-04-03 04:32 – Updated: 2026-04-03 15:35
Summary
Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper neutralization of special elements leading to command injection
Assigner
TuranSec
References
2 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Dan McInerney | pymetasploit3 | Affected: 0 to ≤ 1.0.6 (python) |
Credits
Abdivasiyev Sunnatillo (finder)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5463",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T15:34:20.114267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T15:35:09.337Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/pymetasploit3/",
"defaultStatus": "unaffected",
"packageName": "pymetasploit3",
"product": "pymetasploit3",
"vendor": "Dan McInerney",
"versions": [
{
"lessThanOrEqual": "1.0.6",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdivasiyev Sunnatillo"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions."
}
],
"value": "Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An attacker who can control module option values such as RHOSTS may inject newline characters to execute arbitrary commands in the Metasploit console context. This may allow execution of unintended modules, manipulation of active sessions, and abuse of automated exploitation workflows."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper neutralization of special elements leading to command injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T04:32:23.872Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"url": "https://github.com/DanMcInerney/pymetasploit3"
},
{
"url": "https://pypi.org/project/pymetasploit3/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-5463",
"datePublished": "2026-04-03T04:32:23.872Z",
"dateReserved": "2026-04-03T04:28:08.555Z",
"dateUpdated": "2026-04-03T15:35:09.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5128 (GCVE-0-2026-5128)
Vulnerability from cvelistv5 – Published: 2026-03-30 09:18 – Updated: 2026-03-31 12:38
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2026-03-31T12:38:28.035Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"rejectedReasons": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
],
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-5128",
"datePublished": "2026-03-30T09:18:05.381Z",
"dateRejected": "2026-03-31T12:38:28.035Z",
"dateReserved": "2026-03-30T09:09:01.638Z",
"dateUpdated": "2026-03-31T12:38:28.035Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3945 (GCVE-0-2026-3945)
Vulnerability from cvelistv5 – Published: 2026-03-30 07:05 – Updated: 2026-03-30 15:02
Summary
An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service (DoS). The issue occurs because chunk size values are parsed using strtol() without properly validating overflow conditions (e.g., errno == ERANGE). A crafted chunk size such as 0x7fffffffffffffff (LONG_MAX) bypasses the existing validation check (chunklen < 0), leading to a signed integer overflow during arithmetic operations (chunklen + 2). This results in incorrect size calculations, causing the proxy to attempt reading an extremely large amount of request-body data and holding worker connections open indefinitely. An attacker can exploit this behavior to exhaust all available worker slots, preventing new connections from being accepted and causing complete service unavailability. Upstream addressed this issue in commit bb7edc4; however, the latest stable release (1.11.3) remains affected at the time of publication.
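The C below is an added illustration of the parsing flaw the record describes; it is not Tinyproxy's code and not its fix. It shows a strtol() chunk-size parse guarded only by a negativity check beside a hardened parse that checks errno, bounds the value before any arithmetic on it, and rejects what strtol() would otherwise silently accept (leading whitespace, a sign, an "0x" prefix, trailing junk). The function names, the 16 MiB policy limit and the sample chunk-size lines are constructed for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Vulnerable pattern (the chunk-size handling described above): strtol()
 * with only a negativity check. "7fffffffffffffff" parses to LONG_MAX on
 * LP64 without setting ERANGE, so it passes chunklen < 0 and the later
 * chunklen + 2 is a signed overflow. Longer digit strings are clamped to
 * LONG_MAX with errno == ERANGE, which is never examined either.
 */
long parse_chunk_size_vulnerable(const char *line)
{
    long chunklen = strtol(line, NULL, 16);

    if (chunklen < 0)
        return -1;
    return chunklen;
}

/* Would the CRLF accounting (chunklen + 2) overflow a signed long? */
int would_overflow_plus_two(long chunklen)
{
    return chunklen > LONG_MAX - 2;
}

/*
 * Hardened parser. Returns 0 and stores the size in *out on success, -1 on
 * any malformed or oversized chunk-size line. max_chunk is the caller's
 * policy limit (an assumption of this example) and is what actually stops
 * the LONG_MAX case: a value equal to LONG_MAX is in range for strtol() and
 * does not set ERANGE, so an errno check alone is not sufficient.
 */
int parse_chunk_size_fixed(const char *line, long max_chunk, long *out)
{
    char *end;
    long v;

    /* a chunk-size line must start with a hex digit; strtol() would also
     * accept leading whitespace, a sign and an "0x" prefix in base 16 */
    if (!((line[0] >= '0' && line[0] <= '9') ||
          (line[0] >= 'a' && line[0] <= 'f') ||
          (line[0] >= 'A' && line[0] <= 'F')))
        return -1;
    if (line[0] == '0' && (line[1] == 'x' || line[1] == 'X'))
        return -1;

    errno = 0;
    v = strtol(line, &end, 16);
    if (errno == ERANGE)           /* clamped: digit string too long */
        return -1;
    if (v < 0 || v > max_chunk)    /* bound BEFORE any arithmetic on v */
        return -1;
    /* after the size only a chunk extension or the line terminator may follow */
    if (*end != '\0' && *end != ';' && *end != '\r' && *end != '\n')
        return -1;

    *out = v;
    return 0;
}

/* convenience wrapper: the parsed size, or -1 when the hardened parser rejects */
long chunk_size_or_reject(const char *line, long max_chunk)
{
    long v;
    return parse_chunk_size_fixed(line, max_chunk, &v) == 0 ? v : -1;
}

int main(void)
{
    /* constructed chunk-size lines, not captured traffic */
    const char *lines[] = { "1a\r\n", "1a;ext=1\r\n", "7fffffffffffffff\r\n",
                            "ffffffffffffffffffff\r\n", "-1\r\n", "0x1a\r\n" };
    const long max_chunk = 16L * 1024 * 1024; /* 16 MiB, an assumed policy limit */
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        long naive = parse_chunk_size_vulnerable(lines[i]);
        long safe = chunk_size_or_reject(lines[i], max_chunk);
        printf("%-22.*s naive=%ld (+2 overflows: %d)  fixed=%ld\n",
               (int)strcspn(lines[i], "\r"), lines[i], naive,
               naive >= 0 && would_overflow_plus_two(naive), safe);
    }
    return 0;
}
```

The bound check is the part that matters operationally: once a chunk size larger than any legitimate upload is rejected up front, a client cannot park a worker waiting for a body that will never arrive, which is the MaxClients exhaustion the record describes.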
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
TuranSec
References
5 references
| URL | Tags |
|---|---|
| https://github.com/tinyproxy/tinyproxy/issues/602 | issue-tracking, technical-description |
| https://github.com/tinyproxy/tinyproxy/pull/603 | patch |
| https://github.com/tinyproxy/tinyproxy/commit/969852c | patch |
| https://github.com/tinyproxy/tinyproxy/commit/bb7edc4 | patch |
| https://github.com/tinyproxy/tinyproxy/releases | release-notes |
Credits
Muxammadiyev G'iyosiddin (finder)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3945",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T15:01:46.663274Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T15:02:33.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "tinyproxy",
"vendor": "tinyproxy",
"versions": [
{
"status": "affected",
"version": "\u003c=1.11.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muxammadiyev G\u0027iyosiddin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service (DoS). The issue occurs because chunk size values are parsed using strtol() without properly validating overflow conditions (e.g., errno == ERANGE). A crafted chunk size such as 0x7fffffffffffffff (LONG_MAX) bypasses the existing validation check (chunklen \u0026lt; 0), leading to a signed integer overflow during arithmetic operations (chunklen + 2). This results in incorrect size calculations, causing the proxy to attempt reading an extremely large amount of request-body data and holding worker connections open indefinitely. An attacker can exploit this behavior to exhaust all available worker slots, preventing new connections from being accepted and causing complete service unavailability. Upstream addressed this issue in commit bb7edc4; however, the latest stable release (1.11.3) remains affected at the time of publication.\u003c/p\u003e"
}
],
"value": "An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service (DoS). The issue occurs because chunk size values are parsed using strtol() without properly validating overflow conditions (e.g., errno == ERANGE). A crafted chunk size such as 0x7fffffffffffffff (LONG_MAX) bypasses the existing validation check (chunklen \u003c 0), leading to a signed integer overflow during arithmetic operations (chunklen + 2). This results in incorrect size calculations, causing the proxy to attempt reading an extremely large amount of request-body data and holding worker connections open indefinitely. An attacker can exploit this behavior to exhaust all available worker slots, preventing new connections from being accepted and causing complete service unavailability. Upstream addressed this issue in commit bb7edc4; however, the latest stable release (1.11.3) remains affected at the time of publication."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated remote attacker can send crafted HTTP requests with chunked transfer encoding to keep worker connections occupied, exhausting the MaxClients limit and causing denial of service for legitimate users."
}
]
}
],
"metrics": [
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T07:07:56.745Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"tags": [
"issue-tracking",
"technical-description"
],
"url": "https://github.com/tinyproxy/tinyproxy/issues/602"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tinyproxy/tinyproxy/pull/603"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tinyproxy/tinyproxy/commit/969852c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tinyproxy/tinyproxy/commit/bb7edc4"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/tinyproxy/tinyproxy/releases"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "TuranSec CNA"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-3945",
"datePublished": "2026-03-30T07:05:23.295Z",
"dateReserved": "2026-03-11T08:30:57.837Z",
"dateUpdated": "2026-03-30T15:02:33.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4809 (GCVE-0-2026-4809)
Vulnerability from cvelistv5 – Published: 2026-03-26 11:03 – Updated: 2026-03-26 13:41
Title
Unsafe Client MIME Type Handling Can Enable Arbitrary File Upload in plank/laravel-mediable
Summary
plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
TuranSec
References
2 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| plank | laravel-mediable | Affected: <= 6.4.0 |
Credits
Sobirjonov Xurshidbek (finder)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4809",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T13:41:20.442496Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T13:41:27.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "laravel-mediable",
"vendor": "plank",
"versions": [
{
"status": "affected",
"version": "\u003c= 6.4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sobirjonov Xurshidbek"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts."
}
],
"value": "plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A remote attacker can upload a file containing executable PHP code while supplying a benign image MIME type. If the consuming application accepts the client-controlled MIME type and stores uploaded files in a web-accessible executable location, this can result in arbitrary file upload and remote code execution."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T11:03:27.086Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Project repository",
"url": "https://github.com/plank/laravel-mediable"
},
{
"name": "Release 6.4.0",
"url": "https://github.com/plank/laravel-mediable/releases/tag/6.4.0"
},
{
"name": "Upstream project homepage",
"url": "https://github.com/plank/laravel-mediable"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unsafe Client MIME Type Handling Can Enable Arbitrary File Upload in plank/laravel-mediable",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-4809",
"datePublished": "2026-03-26T11:03:27.086Z",
"dateReserved": "2026-03-25T12:35:26.385Z",
"dateUpdated": "2026-03-26T13:41:27.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31851 (GCVE-0-2026-31851)
Vulnerability from cvelistv5 – Published: 2026-03-23 12:21 – Updated: 2026-03-26 10:47
Title
Lack of Rate Limiting Enables Brute-Force Attacks in Nexxt Nebula 300+
Summary
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout mechanisms on authentication interfaces. An attacker can perform unlimited authentication attempts against endpoints that rely on credential validation, enabling brute-force attacks to guess administrative credentials without restriction.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
TuranSec
References
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Nexxt Solutions | Nebula 300+ | Affected: <= 12.01.01.37 |
Credits
Angel Barre (call4pwn) (finder)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31851",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:16:32.320223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:51:38.714Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nebula 300+",
"vendor": "Nexxt Solutions",
"versions": [
{
"status": "affected",
"version": "\u003c= 12.01.01.37"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angel Barre (call4pwn)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout mechanisms on authentication interfaces. An attacker can perform unlimited authentication attempts against endpoints that rely on credential validation, enabling brute-force attacks to guess administrative credentials without restriction."
}
],
"value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout mechanisms on authentication interfaces. An attacker can perform unlimited authentication attempts against endpoints that rely on credential validation, enabling brute-force attacks to guess administrative credentials without restriction."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An attacker can perform unlimited authentication attempts, enabling brute-force attacks against administrative credentials."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T10:47:04.841Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/"
},
{
"url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Lack of Rate Limiting Enables Brute-Force Attacks in Nexxt Nebula 300+",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-31851",
"datePublished": "2026-03-23T12:21:54.907Z",
"dateReserved": "2026-03-09T18:20:23.399Z",
"dateUpdated": "2026-03-26T10:47:04.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31850 (GCVE-0-2026-31850)
Vulnerability from cvelistv5 – Published: 2026-03-23 12:21 – Updated: 2026-03-26 10:46
Title
Plaintext Storage of Credentials in Configuration Backup in Nexxt Nebula 300+
Summary
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuration backup files. These backup files can be obtained through legitimate functionality or other weaknesses and do not apply encryption or hashing, allowing attackers to directly extract sensitive information.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-256 - Plaintext Storage of a Password
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Nexxt Solutions | Nebula 300+ | Affected: <= 12.01.01.37 | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31850",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:07:10.958896Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:51:46.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nebula 300+",
"vendor": "Nexxt Solutions",
"versions": [
{
"status": "affected",
"version": "\u003c= 12.01.01.37"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angel Barre (call4pwn)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuration backup files. These backup files can be obtained through legitimate functionality or other weaknesses and do not apply encryption or hashing, allowing attackers to directly extract sensitive information."
}
],
"value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuration backup files. These backup files can be obtained through legitimate functionality or other weaknesses and do not apply encryption or hashing, allowing attackers to directly extract sensitive information."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An attacker who obtains a configuration backup file can extract administrative credentials and WiFi pre-shared keys in plaintext."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "CWE-256 Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T10:46:21.810Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/"
},
{
"url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Plaintext Storage of Credentials in Configuration Backup in Nexxt Nebula 300+",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-31850",
"datePublished": "2026-03-23T12:21:41.917Z",
"dateReserved": "2026-03-09T18:20:23.399Z",
"dateUpdated": "2026-03-26T10:46:21.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31849 (GCVE-0-2026-31849)
Vulnerability from cvelistv5 – Published: 2026-03-23 12:16 – Updated: 2026-03-26 10:45
Title
Missing CSRF Protection on Administrative Endpoints in Nexxt Nebula 300+
Summary
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the context of an authenticated administrator’s browser, leading to unauthorized configuration changes, including enabling services or modifying system settings.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Nexxt Solutions | Nebula 300+ | Affected: <= 12.01.01.37 | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31849",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:17:48.215554Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:51:53.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nebula 300+",
"vendor": "Nexxt Solutions",
"versions": [
{
"status": "affected",
"version": "\u003c= 12.01.01.37"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angel Barre (call4pwn)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as \u003ccode\u003e/goform/setSysTools\u003c/code\u003e and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the context of an authenticated administrator\u2019s browser, leading to unauthorized configuration changes, including enabling services or modifying system settings."
}
],
"value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the context of an authenticated administrator\u2019s browser, leading to unauthorized configuration changes, including enabling services or modifying system settings."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A remote attacker can cause an authenticated administrator\u0027s browser to send forged state-changing requests, resulting in unauthorized configuration changes."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T10:45:40.996Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Official product page",
"url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/"
},
{
"name": "Firmware download",
"url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Missing CSRF Protection on Administrative Endpoints in Nexxt Nebula 300+",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-31849",
"datePublished": "2026-03-23T12:16:59.624Z",
"dateReserved": "2026-03-09T18:20:23.399Z",
"dateUpdated": "2026-03-26T10:45:40.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31848 (GCVE-0-2026-31848)
Vulnerability from cvelistv5 – Published: 2026-03-23 12:09 – Updated: 2026-03-26 10:45
Title
Reversible ecos_pw Cookie Allows Authentication Bypass in Nexxt Nebula 300+
Summary
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the ecos_pw cookie for authentication, which contains Base64-encoded credential data combined with a static suffix. Because the encoding is reversible and lacks integrity protection, an attacker can reconstruct or forge a valid cookie value without proper authentication. This allows unauthorized administrative access to protected endpoints.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Nexxt Solutions | Nebula 300+ | Affected: <= 12.01.01.37 | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:16:34.823978Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:51:59.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Nebula 300+",
"vendor": "Nexxt Solutions",
"versions": [
{
"status": "affected",
"version": "\u003c= 12.01.01.37"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angel Barre (call4pwn)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the \u003ccode\u003eecos_pw\u003c/code\u003e cookie for authentication, which contains Base64-encoded credential data combined with a static suffix. Because the encoding is reversible and lacks integrity protection, an attacker can reconstruct or forge a valid cookie value without proper authentication. This allows unauthorized administrative access to protected endpoints."
}
],
"value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the ecos_pw cookie for authentication, which contains Base64-encoded credential data combined with a static suffix. Because the encoding is reversible and lacks integrity protection, an attacker can reconstruct or forge a valid cookie value without proper authentication. This allows unauthorized administrative access to protected endpoints."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An attacker who obtains or reconstructs the ecos_pw cookie value can authenticate as an administrator and gain unauthorized access to the device."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T10:45:19.121Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Official product page",
"url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/"
},
{
"name": "Firmware download",
"url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Reversible ecos_pw Cookie Allows Authentication Bypass in Nexxt Nebula 300+",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-31848",
"datePublished": "2026-03-23T12:09:30.338Z",
"dateReserved": "2026-03-09T18:20:23.399Z",
"dateUpdated": "2026-03-26T10:45:19.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31847 (GCVE-0-2026-31847)
Vulnerability from cvelistv5 – Published: 2026-03-23 12:07 – Updated: 2026-03-26 10:52
Title
Hidden Functionality Enables Remote Telnet Activation via /goform/setSysTools in Nexxt Nebula 300+
Summary
Hidden functionality in the /goform/setSysTools endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows remote enablement of a Telnet service. By sending a crafted POST request with parameters such as telnetManageEn=true and telnetPwd, an authenticated attacker can activate a Telnet service on port 23. This exposes a privileged diagnostic interface that is not intended for external access and can be used to interact with the underlying system.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-912 - Hidden Functionality
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Nexxt Solutions | Nebula 300+ | Affected: <= 12.01.01.37, ≤ Nebula300+_v12.01.01.37 (custom) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31847",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:16:37.215985Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:52:16.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nebula 300+",
"vendor": "Nexxt Solutions",
"versions": [
{
"lessThanOrEqual": "Nebula300+_v12.01.01.37",
"status": "affected",
"version": "\u003c= 12.01.01.37",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angel Barre (call4pwn)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hidden functionality in the \u003ccode\u003e/goform/setSysTools\u003c/code\u003e endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows remote enablement of a Telnet service. By sending a crafted POST request with parameters such as \u003ccode\u003etelnetManageEn=true\u003c/code\u003e and \u003ccode\u003etelnetPwd\u003c/code\u003e, an authenticated attacker can activate a Telnet service on port 23. This exposes a privileged diagnostic interface that is not intended for external access and can be used to interact with the underlying system."
}
],
"value": "Hidden functionality in the /goform/setSysTools endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows remote enablement of a Telnet service. By sending a crafted POST request with parameters such as telnetManageEn=true and telnetPwd, an authenticated attacker can activate a Telnet service on port 23. This exposes a privileged diagnostic interface that is not intended for external access and can be used to interact with the underlying system."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An attacker who can invoke the affected functionality can enable a privileged Telnet service remotely, exposing a diagnostic management interface and enabling further compromise of the device."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-912",
"description": "CWE-912 Hidden Functionality",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T10:52:50.115Z",
"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"shortName": "TuranSec"
},
"references": [
{
"name": "Official product page",
"url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/"
},
{
"name": "Firmware download",
"url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hidden Functionality Enables Remote Telnet Activation via /goform/setSysTools in Nexxt Nebula 300+",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"assignerShortName": "TuranSec",
"cveId": "CVE-2026-31847",
"datePublished": "2026-03-23T12:07:05.062Z",
"dateReserved": "2026-03-09T18:20:23.399Z",
"dateUpdated": "2026-03-26T10:52:50.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}