Search

Find a vulnerability

Search criteria

    10 vulnerabilities by osquery

    CVE-2026-54001 (GCVE-0-2026-54001)

    Vulnerability from nvd – Published: 2026-07-10 14:49 – Updated: 2026-07-10 14:49
    VLAI
    Title
    osquery: Heap buffer overflow via `authenticode` table (Windows)
    Summary
    osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the authenticode table targeting a maliciously crafted binary, due to publisher information parsing in getOriginalProgramName. If exploited successfully, this could allow a potential local privilege escalation from standard user to SYSTEM. This issue is fixed in version 5.23.1.
    CWE
    • CWE-122 - Heap-based Buffer Overflow
    Assigner
    Impacted products
    Vendor Product Version
    osquery osquery Affected: < 5.23.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "osquery",
              "vendor": "osquery",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.23.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the authenticode table targeting a maliciously crafted binary, due to publisher information parsing in getOriginalProgramName. If exploited successfully, this could allow a potential local privilege escalation from standard user to SYSTEM. This issue is fixed in version 5.23.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122: Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T14:49:18.318Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/osquery/osquery/security/advisories/GHSA-hr28-jvpx-68cx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/osquery/osquery/security/advisories/GHSA-hr28-jvpx-68cx"
            },
            {
              "name": "https://github.com/osquery/osquery/pull/8923",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/pull/8923"
            },
            {
              "name": "https://github.com/osquery/osquery/commit/59a808cda96d5a089cf6ec147efe152459284d54",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/commit/59a808cda96d5a089cf6ec147efe152459284d54"
            },
            {
              "name": "https://github.com/osquery/osquery/releases/tag/5.23.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/releases/tag/5.23.1"
            }
          ],
          "source": {
            "advisory": "GHSA-hr28-jvpx-68cx",
            "discovery": "UNKNOWN"
          },
          "title": "osquery: Heap buffer overflow via `authenticode` table (Windows)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54001",
        "datePublished": "2026-07-10T14:49:18.318Z",
        "dateReserved": "2026-06-11T16:34:11.635Z",
        "dateUpdated": "2026-07-10T14:49:18.318Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54000 (GCVE-0-2026-54000)

    Vulnerability from nvd – Published: 2026-07-10 14:51 – Updated: 2026-07-10 20:59
    VLAI
    Title
    osquery: Heap buffer overflow in `getProcessCurrentDirectory()` via `processes` table (Windows)
    Summary
    osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the processes table targeting a maliciously crafted process, due to unchecked PEB string lengths in process command-line and current-directory reads. If exploited successfully, this could allow a potential local privilege escalation from standard user to SYSTEM. This issue is fixed in version 5.23.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-122 - Heap-based Buffer Overflow
    Assigner
    Impacted products
    Vendor Product Version
    osquery osquery Affected: < 5.23.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54000",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T20:48:15.449033Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T20:59:11.412Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "osquery",
              "vendor": "osquery",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.23.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the processes table targeting a maliciously crafted process, due to unchecked PEB string lengths in process command-line and current-directory reads. If exploited successfully, this could allow a potential local privilege escalation from standard user to SYSTEM. This issue is fixed in version 5.23.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122: Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T14:51:35.142Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/osquery/osquery/security/advisories/GHSA-4r78-6hg6-33gg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/osquery/osquery/security/advisories/GHSA-4r78-6hg6-33gg"
            },
            {
              "name": "https://github.com/osquery/osquery/pull/8934",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/pull/8934"
            },
            {
              "name": "https://github.com/osquery/osquery/commit/3d457c412eb0c986b0c37d8903edae8bc9f9e246",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/commit/3d457c412eb0c986b0c37d8903edae8bc9f9e246"
            },
            {
              "name": "https://github.com/osquery/osquery/releases/tag/5.23.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/releases/tag/5.23.1"
            }
          ],
          "source": {
            "advisory": "GHSA-4r78-6hg6-33gg",
            "discovery": "UNKNOWN"
          },
          "title": "osquery: Heap buffer overflow in `getProcessCurrentDirectory()` via `processes` table (Windows)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54000",
        "datePublished": "2026-07-10T14:51:35.142Z",
        "dateReserved": "2026-06-11T16:34:11.635Z",
        "dateUpdated": "2026-07-10T20:59:11.412Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-46388 (GCVE-0-2026-46388)

    Vulnerability from nvd – Published: 2026-07-10 14:44 – Updated: 2026-07-10 19:03
    VLAI
    Title
    osquery: Unprivileged users can temporarily read file carve contents
    Summary
    osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery file carve until the carve completes and the temporary files are deleted because in-progress carve directories are not created with private permissions. If the carve targets a directory that the attacker controls, arbitrary file reads are possible, such as sensitive local files. This issue is fixed in version 5.23.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-279 - Incorrect Execution-Assigned Permissions
    • CWE-378 - Creation of Temporary File With Insecure Permissions
    • CWE-379 - Creation of Temporary File in Directory with Insecure Permissions
    Assigner
    Impacted products
    Vendor Product Version
    osquery osquery Affected: < 5.23.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-46388",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T19:03:00.746306Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T19:03:08.593Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "osquery",
              "vendor": "osquery",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.23.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery file carve until the carve completes and the temporary files are deleted because in-progress carve directories are not created with private permissions. If the carve targets a directory that the attacker controls, arbitrary file reads are possible, such as sensitive local files. This issue is fixed in version 5.23.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-279",
                  "description": "CWE-279: Incorrect Execution-Assigned Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-378",
                  "description": "CWE-378: Creation of Temporary File With Insecure Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-379",
                  "description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T14:44:52.865Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/osquery/osquery/security/advisories/GHSA-fg78-9q98-62hh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/osquery/osquery/security/advisories/GHSA-fg78-9q98-62hh"
            },
            {
              "name": "https://github.com/osquery/osquery/pull/8961",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/pull/8961"
            },
            {
              "name": "https://github.com/osquery/osquery/commit/6dabe9ded33bf9c6fc0f3e37ec364a1cbbd25d68",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/commit/6dabe9ded33bf9c6fc0f3e37ec364a1cbbd25d68"
            },
            {
              "name": "https://github.com/osquery/osquery/releases/tag/5.23.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/releases/tag/5.23.1"
            }
          ],
          "source": {
            "advisory": "GHSA-fg78-9q98-62hh",
            "discovery": "UNKNOWN"
          },
          "title": "osquery: Unprivileged users can temporarily read file carve contents"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46388",
        "datePublished": "2026-07-10T14:44:52.865Z",
        "dateReserved": "2026-05-13T19:53:47.922Z",
        "dateUpdated": "2026-07-10T19:03:08.593Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2020-26273 (GCVE-0-2020-26273)

    Vulnerability from nvd – Published: 2020-12-16 01:20 – Updated: 2024-08-04 15:56
    VLAI
    Title
    sqlite ATTACH allows some filesystem access
    Summary
    osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. In osquery before version 4.6.0, by using sqlite's ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary sqlite databases on disk. This _does_ allow arbitrary files to be created, but they will be sqlite databases. It does not appear to allow existing non-sqlite files to be overwritten. This has been patched in osquery 4.6.0. There are several mitigating factors and possible workarounds. In some deployments, the people with access to these interfaces may be considered administrators. In some deployments, configuration is managed by a central tool. This tool can filter for the `ATTACH` keyword. osquery can be run as non-root user. Because this also limits the desired access levels, this requires deployment specific testing and configuration.
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    osquery osquery Affected: < 4.6.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:56:04.061Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/releases/tag/4.6.0"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "osquery",
              "vendor": "osquery",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.6.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. In osquery before version 4.6.0, by using sqlite\u0027s ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary sqlite databases on disk. This _does_ allow arbitrary files to be created, but they will be sqlite databases. It does not appear to allow existing non-sqlite files to be overwritten. This has been patched in osquery 4.6.0. There are several mitigating factors and possible workarounds. In some deployments, the people with access to these interfaces may be considered administrators. In some deployments, configuration is managed by a central tool. This tool can filter for the `ATTACH` keyword. osquery can be run as non-root user. Because this also limits the desired access levels, this requires deployment specific testing and configuration."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-12-16T01:20:19.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/releases/tag/4.6.0"
            }
          ],
          "source": {
            "advisory": "GHSA-4g56-2482-x7q8",
            "discovery": "UNKNOWN"
          },
          "title": "sqlite ATTACH allows some filesystem access",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2020-26273",
              "STATE": "PUBLIC",
              "TITLE": "sqlite ATTACH allows some filesystem access"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "osquery",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 4.6.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "osquery"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. In osquery before version 4.6.0, by using sqlite\u0027s ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary sqlite databases on disk. This _does_ allow arbitrary files to be created, but they will be sqlite databases. It does not appear to allow existing non-sqlite files to be overwritten. This has been patched in osquery 4.6.0. There are several mitigating factors and possible workarounds. In some deployments, the people with access to these interfaces may be considered administrators. In some deployments, configuration is managed by a central tool. This tool can filter for the `ATTACH` keyword. osquery can be run as non-root user. Because this also limits the desired access levels, this requires deployment specific testing and configuration."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8"
                },
                {
                  "name": "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension",
                  "refsource": "MISC",
                  "url": "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension"
                },
                {
                  "name": "https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c",
                  "refsource": "MISC",
                  "url": "https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c"
                },
                {
                  "name": "https://github.com/osquery/osquery/releases/tag/4.6.0",
                  "refsource": "MISC",
                  "url": "https://github.com/osquery/osquery/releases/tag/4.6.0"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-4g56-2482-x7q8",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2020-26273",
        "datePublished": "2020-12-16T01:20:19.000Z",
        "dateReserved": "2020-10-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T15:56:04.061Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-11081 (GCVE-0-2020-11081)

    Vulnerability from nvd – Published: 2020-07-10 18:45 – Updated: 2024-08-04 11:21
    VLAI
    Title
    osquery susceptible to DLL search order hijacking of zlib1.dll
    Summary
    osquery before version 4.4.0 enables a privilege escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables local escalation. This is fixed in version 4.4.0.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    osquery osquery Affected: < 4.4.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T11:21:14.829Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/issues/6426"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/pull/6433"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/releases/tag/4.4.0"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "osquery",
              "vendor": "osquery",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.4.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "osquery before version 4.4.0 enables a privilege escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables local escalation. This is fixed in version 4.4.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-114",
                  "description": "CWE-114: Process Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-09-17T16:52:34.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/issues/6426"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/pull/6433"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/releases/tag/4.4.0"
            }
          ],
          "source": {
            "advisory": "GHSA-2xwp-8fv7-c5pm",
            "discovery": "UNKNOWN"
          },
          "title": "osquery susceptible to DLL search order hijacking of zlib1.dll",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2020-11081",
              "STATE": "PUBLIC",
              "TITLE": "osquery susceptible to DLL search order hijacking of zlib1.dll"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "osquery",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 4.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "osquery"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "osquery before version 4.4.0 enables a privilege escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables local escalation. This is fixed in version 4.4.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-114: Process Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm"
                },
                {
                  "name": "https://github.com/osquery/osquery/issues/6426",
                  "refsource": "MISC",
                  "url": "https://github.com/osquery/osquery/issues/6426"
                },
                {
                  "name": "https://github.com/osquery/osquery/pull/6433",
                  "refsource": "MISC",
                  "url": "https://github.com/osquery/osquery/pull/6433"
                },
                {
                  "name": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5",
                  "refsource": "MISC",
                  "url": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5"
                },
                {
                  "name": "https://github.com/osquery/osquery/releases/tag/4.4.0",
                  "refsource": "MISC",
                  "url": "https://github.com/osquery/osquery/releases/tag/4.4.0"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-2xwp-8fv7-c5pm",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2020-11081",
        "datePublished": "2020-07-10T18:45:16.000Z",
        "dateReserved": "2020-03-30T00:00:00.000Z",
        "dateUpdated": "2024-08-04T11:21:14.829Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-54000 (GCVE-0-2026-54000)

    Vulnerability from cvelistv5 – Published: 2026-07-10 14:51 – Updated: 2026-07-10 20:59
    VLAI
    Title
    osquery: Heap buffer overflow in `getProcessCurrentDirectory()` via `processes` table (Windows)
    Summary
    osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the processes table targeting a maliciously crafted process, due to unchecked PEB string lengths in process command-line and current-directory reads. If exploited successfully, this could allow a potential local privilege escalation from standard user to SYSTEM. This issue is fixed in version 5.23.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-122 - Heap-based Buffer Overflow
    Assigner
    Impacted products
    Vendor Product Version
    osquery osquery Affected: < 5.23.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54000",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T20:48:15.449033Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T20:59:11.412Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "osquery",
              "vendor": "osquery",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.23.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the processes table targeting a maliciously crafted process, due to unchecked PEB string lengths in process command-line and current-directory reads. If exploited successfully, this could allow a potential local privilege escalation from standard user to SYSTEM. This issue is fixed in version 5.23.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122: Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T14:51:35.142Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/osquery/osquery/security/advisories/GHSA-4r78-6hg6-33gg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/osquery/osquery/security/advisories/GHSA-4r78-6hg6-33gg"
            },
            {
              "name": "https://github.com/osquery/osquery/pull/8934",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/pull/8934"
            },
            {
              "name": "https://github.com/osquery/osquery/commit/3d457c412eb0c986b0c37d8903edae8bc9f9e246",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/commit/3d457c412eb0c986b0c37d8903edae8bc9f9e246"
            },
            {
              "name": "https://github.com/osquery/osquery/releases/tag/5.23.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/releases/tag/5.23.1"
            }
          ],
          "source": {
            "advisory": "GHSA-4r78-6hg6-33gg",
            "discovery": "UNKNOWN"
          },
          "title": "osquery: Heap buffer overflow in `getProcessCurrentDirectory()` via `processes` table (Windows)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54000",
        "datePublished": "2026-07-10T14:51:35.142Z",
        "dateReserved": "2026-06-11T16:34:11.635Z",
        "dateUpdated": "2026-07-10T20:59:11.412Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54001 (GCVE-0-2026-54001)

    Vulnerability from cvelistv5 – Published: 2026-07-10 14:49 – Updated: 2026-07-10 14:49
    VLAI
    Title
    osquery: Heap buffer overflow via `authenticode` table (Windows)
    Summary
    osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the authenticode table targeting a maliciously crafted binary, due to publisher information parsing in getOriginalProgramName. If exploited successfully, this could allow a potential local privilege escalation from standard user to SYSTEM. This issue is fixed in version 5.23.1.
    CWE
    • CWE-122 - Heap-based Buffer Overflow
    Assigner
    Impacted products
    Vendor Product Version
    osquery osquery Affected: < 5.23.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "osquery",
              "vendor": "osquery",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.23.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the authenticode table targeting a maliciously crafted binary, due to publisher information parsing in getOriginalProgramName. If exploited successfully, this could allow a potential local privilege escalation from standard user to SYSTEM. This issue is fixed in version 5.23.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122: Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T14:49:18.318Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/osquery/osquery/security/advisories/GHSA-hr28-jvpx-68cx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/osquery/osquery/security/advisories/GHSA-hr28-jvpx-68cx"
            },
            {
              "name": "https://github.com/osquery/osquery/pull/8923",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/pull/8923"
            },
            {
              "name": "https://github.com/osquery/osquery/commit/59a808cda96d5a089cf6ec147efe152459284d54",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/commit/59a808cda96d5a089cf6ec147efe152459284d54"
            },
            {
              "name": "https://github.com/osquery/osquery/releases/tag/5.23.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/releases/tag/5.23.1"
            }
          ],
          "source": {
            "advisory": "GHSA-hr28-jvpx-68cx",
            "discovery": "UNKNOWN"
          },
          "title": "osquery: Heap buffer overflow via `authenticode` table (Windows)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54001",
        "datePublished": "2026-07-10T14:49:18.318Z",
        "dateReserved": "2026-06-11T16:34:11.635Z",
        "dateUpdated": "2026-07-10T14:49:18.318Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-46388 (GCVE-0-2026-46388)

    Vulnerability from cvelistv5 – Published: 2026-07-10 14:44 – Updated: 2026-07-10 19:03
    VLAI
    Title
    osquery: Unprivileged users can temporarily read file carve contents
    Summary
    osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery file carve until the carve completes and the temporary files are deleted because in-progress carve directories are not created with private permissions. If the carve targets a directory that the attacker controls, arbitrary file reads are possible, such as sensitive local files. This issue is fixed in version 5.23.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-279 - Incorrect Execution-Assigned Permissions
    • CWE-378 - Creation of Temporary File With Insecure Permissions
    • CWE-379 - Creation of Temporary File in Directory with Insecure Permissions
    Assigner
    Impacted products
    Vendor Product Version
    osquery osquery Affected: < 5.23.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-46388",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T19:03:00.746306Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T19:03:08.593Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "osquery",
              "vendor": "osquery",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 5.23.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery file carve until the carve completes and the temporary files are deleted because in-progress carve directories are not created with private permissions. If the carve targets a directory that the attacker controls, arbitrary file reads are possible, such as sensitive local files. This issue is fixed in version 5.23.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-279",
                  "description": "CWE-279: Incorrect Execution-Assigned Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-378",
                  "description": "CWE-378: Creation of Temporary File With Insecure Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-379",
                  "description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T14:44:52.865Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/osquery/osquery/security/advisories/GHSA-fg78-9q98-62hh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/osquery/osquery/security/advisories/GHSA-fg78-9q98-62hh"
            },
            {
              "name": "https://github.com/osquery/osquery/pull/8961",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/pull/8961"
            },
            {
              "name": "https://github.com/osquery/osquery/commit/6dabe9ded33bf9c6fc0f3e37ec364a1cbbd25d68",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/commit/6dabe9ded33bf9c6fc0f3e37ec364a1cbbd25d68"
            },
            {
              "name": "https://github.com/osquery/osquery/releases/tag/5.23.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/releases/tag/5.23.1"
            }
          ],
          "source": {
            "advisory": "GHSA-fg78-9q98-62hh",
            "discovery": "UNKNOWN"
          },
          "title": "osquery: Unprivileged users can temporarily read file carve contents"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46388",
        "datePublished": "2026-07-10T14:44:52.865Z",
        "dateReserved": "2026-05-13T19:53:47.922Z",
        "dateUpdated": "2026-07-10T19:03:08.593Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2020-26273 (GCVE-0-2020-26273)

    Vulnerability from cvelistv5 – Published: 2020-12-16 01:20 – Updated: 2024-08-04 15:56
    VLAI
    Title
    sqlite ATTACH allows some filesystem access
    Summary
    osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. In osquery before version 4.6.0, by using sqlite's ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary sqlite databases on disk. This _does_ allow arbitrary files to be created, but they will be sqlite databases. It does not appear to allow existing non-sqlite files to be overwritten. This has been patched in osquery 4.6.0. There are several mitigating factors and possible workarounds. In some deployments, the people with access to these interfaces may be considered administrators. In some deployments, configuration is managed by a central tool. This tool can filter for the `ATTACH` keyword. osquery can be run as non-root user. Because this also limits the desired access levels, this requires deployment specific testing and configuration.
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    osquery osquery Affected: < 4.6.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:56:04.061Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/releases/tag/4.6.0"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "osquery",
              "vendor": "osquery",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.6.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. In osquery before version 4.6.0, by using sqlite\u0027s ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary sqlite databases on disk. This _does_ allow arbitrary files to be created, but they will be sqlite databases. It does not appear to allow existing non-sqlite files to be overwritten. This has been patched in osquery 4.6.0. There are several mitigating factors and possible workarounds. In some deployments, the people with access to these interfaces may be considered administrators. In some deployments, configuration is managed by a central tool. This tool can filter for the `ATTACH` keyword. osquery can be run as non-root user. Because this also limits the desired access levels, this requires deployment specific testing and configuration."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-12-16T01:20:19.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/releases/tag/4.6.0"
            }
          ],
          "source": {
            "advisory": "GHSA-4g56-2482-x7q8",
            "discovery": "UNKNOWN"
          },
          "title": "sqlite ATTACH allows some filesystem access",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2020-26273",
              "STATE": "PUBLIC",
              "TITLE": "sqlite ATTACH allows some filesystem access"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "osquery",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 4.6.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "osquery"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. In osquery before version 4.6.0, by using sqlite\u0027s ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary sqlite databases on disk. This _does_ allow arbitrary files to be created, but they will be sqlite databases. It does not appear to allow existing non-sqlite files to be overwritten. This has been patched in osquery 4.6.0. There are several mitigating factors and possible workarounds. In some deployments, the people with access to these interfaces may be considered administrators. In some deployments, configuration is managed by a central tool. This tool can filter for the `ATTACH` keyword. osquery can be run as non-root user. Because this also limits the desired access levels, this requires deployment specific testing and configuration."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8"
                },
                {
                  "name": "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension",
                  "refsource": "MISC",
                  "url": "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension"
                },
                {
                  "name": "https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c",
                  "refsource": "MISC",
                  "url": "https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c"
                },
                {
                  "name": "https://github.com/osquery/osquery/releases/tag/4.6.0",
                  "refsource": "MISC",
                  "url": "https://github.com/osquery/osquery/releases/tag/4.6.0"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-4g56-2482-x7q8",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2020-26273",
        "datePublished": "2020-12-16T01:20:19.000Z",
        "dateReserved": "2020-10-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T15:56:04.061Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-11081 (GCVE-0-2020-11081)

    Vulnerability from cvelistv5 – Published: 2020-07-10 18:45 – Updated: 2024-08-04 11:21
    VLAI
    Title
    osquery susceptible to DLL search order hijacking of zlib1.dll
    Summary
    osquery before version 4.4.0 enables a privilege escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables local escalation. This is fixed in version 4.4.0.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    osquery osquery Affected: < 4.4.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T11:21:14.829Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/issues/6426"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/pull/6433"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/osquery/osquery/releases/tag/4.4.0"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "osquery",
              "vendor": "osquery",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.4.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "osquery before version 4.4.0 enables a privilege escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables local escalation. This is fixed in version 4.4.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-114",
                  "description": "CWE-114: Process Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-09-17T16:52:34.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/issues/6426"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/pull/6433"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/osquery/osquery/releases/tag/4.4.0"
            }
          ],
          "source": {
            "advisory": "GHSA-2xwp-8fv7-c5pm",
            "discovery": "UNKNOWN"
          },
          "title": "osquery susceptible to DLL search order hijacking of zlib1.dll",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2020-11081",
              "STATE": "PUBLIC",
              "TITLE": "osquery susceptible to DLL search order hijacking of zlib1.dll"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "osquery",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 4.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "osquery"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "osquery before version 4.4.0 enables a privilege escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables local escalation. This is fixed in version 4.4.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-114: Process Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm"
                },
                {
                  "name": "https://github.com/osquery/osquery/issues/6426",
                  "refsource": "MISC",
                  "url": "https://github.com/osquery/osquery/issues/6426"
                },
                {
                  "name": "https://github.com/osquery/osquery/pull/6433",
                  "refsource": "MISC",
                  "url": "https://github.com/osquery/osquery/pull/6433"
                },
                {
                  "name": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5",
                  "refsource": "MISC",
                  "url": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5"
                },
                {
                  "name": "https://github.com/osquery/osquery/releases/tag/4.4.0",
                  "refsource": "MISC",
                  "url": "https://github.com/osquery/osquery/releases/tag/4.4.0"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-2xwp-8fv7-c5pm",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2020-11081",
        "datePublished": "2020-07-10T18:45:16.000Z",
        "dateReserved": "2020-03-30T00:00:00.000Z",
        "dateUpdated": "2024-08-04T11:21:14.829Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }