CWE-1395
Allowed-with-ReviewDependency on Vulnerable Third-Party Component
Abstraction: Class · Status: Incomplete
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
110 vulnerabilities reference this CWE, most recent first.
CVE-2026-55789 (GCVE-0-2026-55789)
Vulnerability from cvelistv5 – Published: 2026-07-10 19:55 – Updated: 2026-07-13 18:16| URL | Tags |
|---|---|
| https://github.com/logto-io/logto/security/adviso… | x_refsource_CONFIRM |
| https://github.com/logto-io/logto/pull/9107 | x_refsource_MISC |
| https://github.com/logto-io/logto/commit/90970548… | x_refsource_MISC |
| https://github.com/logto-io/logto/releases/tag/v1.41.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55789",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T18:16:09.500167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T18:16:18.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/logto-io/logto/security/advisories/GHSA-vfpw-vq44-4p63"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "logto",
"vendor": "logto-io",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto\u0027s self-hosted SAML application IdP built the signed SAML response and assertion by string-substituting user-controlled profile attributes such as name, email, and custom attribute-mapping values into element-text placeholders of a SAML XML template using samlify 2.10.0, which left those placeholders unescaped. An authenticated low-privilege user could place XML markup in a profile attribute so Logto signed a forged SAML attribute, such as an arbitrary role, allowing privilege escalation at relying Service Providers that authorize on SAML attributes. This issue is fixed in version 1.41.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T19:55:37.360Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/logto-io/logto/security/advisories/GHSA-vfpw-vq44-4p63",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/logto-io/logto/security/advisories/GHSA-vfpw-vq44-4p63"
},
{
"name": "https://github.com/logto-io/logto/pull/9107",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/pull/9107"
},
{
"name": "https://github.com/logto-io/logto/commit/9097054860f0d638d90778d3dcde2ba050b844b6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/commit/9097054860f0d638d90778d3dcde2ba050b844b6"
},
{
"name": "https://github.com/logto-io/logto/releases/tag/v1.41.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/releases/tag/v1.41.0"
}
],
"source": {
"advisory": "GHSA-vfpw-vq44-4p63",
"discovery": "UNKNOWN"
},
"title": "Logto: SAML IdP injects user-controlled profile attributes raw into signed assertions, allowing privilege escalation at relying Service Providers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55789",
"datePublished": "2026-07-10T19:55:37.360Z",
"dateReserved": "2026-06-17T14:40:28.380Z",
"dateUpdated": "2026-07-13T18:16:18.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47906 (GCVE-0-2026-47906)
Vulnerability from cvelistv5 – Published: 2026-06-09 19:24 – Updated: 2026-06-10 10:07- CWE-1395 - Dependency on Vulnerable Third-Party Component (CWE-1395)
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/dreamwe… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Dreamweaver Desktop |
Affected:
0 , ≤ 21.7
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47906",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T03:59:34.846716Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T10:07:29.618Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Dreamweaver Desktop",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "21.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-06-09T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Dreamweaver Desktop versions 21.7 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 8.6,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "LOCAL",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 8.6,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "Dependency on Vulnerable Third-Party Component (CWE-1395)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:24:06.715Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/dreamweaver/apsb26-62.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Dreamweaver Desktop | Dependency on Vulnerable Third-Party Component (CWE-1395)"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-47906",
"datePublished": "2026-06-09T19:24:06.715Z",
"dateReserved": "2026-05-20T15:50:31.359Z",
"dateUpdated": "2026-06-10T10:07:29.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34654 (GCVE-0-2026-34654)
Vulnerability from cvelistv5 – Published: 2026-05-12 19:50 – Updated: 2026-05-13 00:22- CWE-1395 - Dependency on Vulnerable Third-Party Component (CWE-1395)
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/magento… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Commerce |
Affected:
0 , ≤ 2.4.4-p17
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34654",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T00:22:34.470433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T00:22:45.356Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.4-p17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-05-12T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 5.3,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "NONE",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "LOW",
"modifiedConfidentialityImpact": "NONE",
"modifiedIntegrityImpact": "NONE",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "UNCHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 5.3,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "Dependency on Vulnerable Third-Party Component (CWE-1395)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T19:50:24.491Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb26-49.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce | Dependency on Vulnerable Third-Party Component (CWE-1395)"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-34654",
"datePublished": "2026-05-12T19:50:24.491Z",
"dateReserved": "2026-03-30T17:30:36.493Z",
"dateUpdated": "2026-05-13T00:22:45.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34652 (GCVE-0-2026-34652)
Vulnerability from cvelistv5 – Published: 2026-05-12 19:50 – Updated: 2026-05-13 00:23- CWE-1395 - Dependency on Vulnerable Third-Party Component (CWE-1395)
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/magento… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Adobe Commerce |
Affected:
0 , ≤ 2.4.4-p17
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34652",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T00:23:20.338410Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T00:23:29.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.4-p17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-05-12T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "NONE",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "NONE",
"modifiedIntegrityImpact": "NONE",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "UNCHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "Dependency on Vulnerable Third-Party Component (CWE-1395)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T19:50:29.129Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb26-49.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce | Dependency on Vulnerable Third-Party Component (CWE-1395)"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2026-34652",
"datePublished": "2026-05-12T19:50:29.129Z",
"dateReserved": "2026-03-30T17:30:36.493Z",
"dateUpdated": "2026-05-13T00:23:29.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23654 (GCVE-0-2026-23654)
Vulnerability from cvelistv5 – Published: 2026-03-10 17:05 – Updated: 2026-06-19 18:18- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisorypatch |
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | GitHub Repo: Zero Shot scFoundation |
Affected:
1.0.0 , < 0.1.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23654",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T19:54:23.780093Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T19:54:35.402Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GitHub Repo: Zero Shot scFoundation",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "0.1.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:gihub_repo_zero_shot_scFoundation:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.1.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-03-10T14:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Dependency on vulnerable third-party component in GitHub Repo: zero-shot-scfoundation allows an unauthorized attacker to execute code over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T18:18:03.220Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "GitHub: Zero Shot SCFoundation Remote Code Execution Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23654"
}
],
"title": "GitHub: Zero Shot SCFoundation Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2026-23654",
"datePublished": "2026-03-10T17:05:15.215Z",
"dateReserved": "2026-01-14T16:59:33.462Z",
"dateUpdated": "2026-06-19T18:18:03.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8993 (GCVE-0-2026-8993)
Vulnerability from cvelistv5 – Published: 2026-06-02 11:13 – Updated: 2026-06-02 14:43| Vendor | Product | Version | |
|---|---|---|---|
| Ditec a.s. | D.Launcher 2 |
Affected:
0 , < 2.0.7
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8993",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T11:54:50.637774Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T14:43:00.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "D.Launcher 2",
"vendor": "Ditec a.s.",
"versions": [
{
"lessThan": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Martin Orem from Binary House"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "D.Launcher 2 component of Slovak eID client ecosystem contains Improper URL Handler Processing vulnerability. Application registers multiple custom URL handlers that could be exploited to initiate full NTLM autentication or SMB connection to attacker infrastructure and to conduct SSRF (Server Side Request Forgery) attacks. User interaction is required as potential victim needs to open a specially crafted URL."
}
],
"value": "D.Launcher 2 component of Slovak eID client ecosystem contains Improper URL Handler Processing vulnerability. Application registers multiple custom URL handlers that could be exploited to initiate full NTLM autentication or SMB connection to attacker infrastructure and to conduct SSRF (Server Side Request Forgery) attacks. User interaction is required as potential victim needs to open a specially crafted URL."
}
],
"impacts": [
{
"capecId": "CAPEC-272",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-272 Protocol Manipulation"
}
]
},
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
},
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T11:13:40.342Z",
"orgId": "bc375322-d3d7-4481-b261-e29662236cfd",
"shortName": "SK-CERT"
},
"references": [
{
"url": "https://www.slovensko.sk/sk/oznamy/detail/_zranitelnost-aplikacie-d-launc"
},
{
"url": "https://ditec.sk/static/kep/apps/release-notes/en"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper URL Handler Processing in D.Launcher 2 enables NTLM Credential Disclosure and SSRF attacks",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "bc375322-d3d7-4481-b261-e29662236cfd",
"assignerShortName": "SK-CERT",
"cveId": "CVE-2026-8993",
"datePublished": "2026-06-02T11:13:40.342Z",
"dateReserved": "2026-05-19T13:26:18.762Z",
"dateUpdated": "2026-06-02T14:43:00.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4176 (GCVE-0-2026-4176)
Vulnerability from cvelistv5 – Published: 2026-03-29 20:50 – Updated: 2026-03-30 15:35- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://www.cve.org/CVERecord?id=CVE-2026-3381 | vendor-advisoryrelatedvdb-entry |
| https://lists.security.metacpan.org/cve-announce/… | vendor-advisory |
| https://github.com/Perl/perl5/commit/c75ae9cc1642… | patch |
| https://metacpan.org/release/PMQS/Compress-Raw-Zl… | release-notes |
| https://metacpan.org/release/SHAY/perl-5.40.4/changes | release-notes |
| https://metacpan.org/release/SHAY/perl-5.42.2/changes | release-notes |
| http://www.openwall.com/lists/oss-security/2026/03/30/2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-30T04:56:37.564Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/30/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4176",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T15:34:29.395269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T15:35:08.162Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "perl",
"product": "perl",
"repo": "https://github.com/Perl/perl5",
"vendor": "SHAY",
"versions": [
{
"lessThan": "5.40.4-RC1",
"status": "affected",
"version": "5.9.4",
"versionType": "custom"
},
{
"lessThan": "5.42.2-RC1",
"status": "affected",
"version": "5.41.0",
"versionType": "custom"
},
{
"lessThan": "5.43.9",
"status": "affected",
"version": "5.43.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Bernhard Schmalhofer"
}
],
"descriptions": [
{
"lang": "en",
"value": "Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib.\n\nCompress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-29T20:50:51.058Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"vendor-advisory",
"related",
"vdb-entry"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3381"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.security.metacpan.org/cve-announce/msg/37638919/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/Perl/perl5/commit/c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/PMQS/Compress-Raw-Zlib-2.221/source/Changes"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/SHAY/perl-5.40.4/changes"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/SHAY/perl-5.42.2/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to Perl stable release 5.40.4 or 5.42.2 or later, which include Compress::Raw::Zlib 2.222."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-02-27T00:00:00.000Z",
"value": "Compress::Raw::Zlib 2.221 committed to Perl blead."
},
{
"lang": "en",
"time": "2026-03-07T00:00:00.000Z",
"value": "CVE-2026-3381 published for Compress::Raw::Zlib."
},
{
"lang": "en",
"time": "2026-03-14T00:00:00.000Z",
"value": "CVE-2026-4176 reserved."
},
{
"lang": "en",
"time": "2026-03-29T00:00:00.000Z",
"value": "Perl 5.40.4 and 5.42.2 released."
}
],
"title": "Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib",
"workarounds": [
{
"lang": "en",
"value": "Install Compress::Raw::Zlib 2.220 or later into your @INC include path, so it takes precedence over the vulnerable core module shipped with Perl.\n\nSome OS distributions patch their perl package to build Compress::Raw::Zlib against the system zlib rather than the vendored copy. Users of these distributions may not be affected if their system zlib has been updated to 1.3.2 or later, or includes backported patches for the relevant vulnerabilities."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-4176",
"datePublished": "2026-03-29T20:50:51.058Z",
"dateReserved": "2026-03-14T16:17:19.077Z",
"dateUpdated": "2026-03-30T15:35:08.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3381 (GCVE-0-2026-3381)
Vulnerability from cvelistv5 – Published: 2026-03-05 01:28 – Updated: 2026-03-11 15:00- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://metacpan.org/release/PMQS/Compress-Raw-Zl… | release-notes |
| https://www.zlib.net/ | |
| https://github.com/madler/zlib | |
| https://github.com/madler/zlib/releases/tag/v1.3.2 | release-notes |
| https://7asecurity.com/blog/2026/02/zlib-7asecuri… | technical-description |
| https://www.cve.org/CVERecord?id=CVE-2026-27171 | vendor-advisoryrelatedvdb-entry |
| https://github.com/pmqs/Compress-Raw-Zlib/issues/41 | issue-tracking |
| Vendor | Product | Version | |
|---|---|---|---|
| PMQS | Compress::Raw::Zlib |
Affected:
0 , ≤ 2.219
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-05T16:31:41.264640Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T15:00:11.466Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Compress-Raw-Zlib",
"product": "Compress::Raw::Zlib",
"repo": "https://github.com/pmqs/Compress-Raw-Zlib",
"vendor": "PMQS",
"versions": [
{
"lessThanOrEqual": "2.219",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib.\n\nCompress::Raw::Zlib includes a copy of the zlib library. Compress::Raw::Zlib version 2.220 includes zlib 1.3.2, which addresses findings fron the 7ASecurity audit of zlib. The includes fixs for CVE-2026-27171."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-07T15:44:59.956Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/PMQS/Compress-Raw-Zlib-2.221/source/Changes"
},
{
"url": "https://www.zlib.net/"
},
{
"url": "https://github.com/madler/zlib"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/madler/zlib/releases/tag/v1.3.2"
},
{
"tags": [
"technical-description"
],
"url": "https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/"
},
{
"tags": [
"vendor-advisory",
"related",
"vdb-entry"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27171"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/pmqs/Compress-Raw-Zlib/issues/41"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Compress::Raw::Zlib 2.220 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-02-17T00:00:00.000Z",
"value": "zlib 1.3.2 released."
},
{
"lang": "en",
"time": "2026-02-27T00:00:00.000Z",
"value": "Compress::Raw::Zlib 2.220 released."
}
],
"title": "Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-3381",
"datePublished": "2026-03-05T01:28:48.062Z",
"dateReserved": "2026-02-28T09:24:49.085Z",
"dateUpdated": "2026-03-11T15:00:11.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3257 (GCVE-0-2026-3257)
Vulnerability from cvelistv5 – Published: 2026-03-05 01:35 – Updated: 2026-03-05 16:34- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://metacpan.org/release/TOKUHIROM/UnQLite-0.… | release-notes |
| https://www.cve.org/CVERecord?id=CVE-2025-3791 | vendor-advisoryrelatedvdb-entry |
| https://unqlite.symisc.net/ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3257",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-05T16:33:50.730722Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T16:34:39.834Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "UnQLite",
"product": "UnQLite",
"programFiles": [
"unqlite/unqlite.c"
],
"repo": "https://github.com/tokuhirom/UnQLite",
"vendor": "TOKUHIROM",
"versions": [
{
"lessThanOrEqual": "0.06",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library.\n\nUnQLite for Perl embeds the UnQLite library. Version 0.06 and earlier of the Perl module uses a version of the library from 2014 that may be vulnerable to a heap-based overflow."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T01:35:12.789Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TOKUHIROM/UnQLite-0.07/source/Changes"
},
{
"tags": [
"vendor-advisory",
"related",
"vdb-entry"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2025-3791"
},
{
"url": "https://unqlite.symisc.net/"
}
],
"solutions": [
{
"lang": "en",
"value": "UnQLite for Perl has been deprecated since version 0.06. Migrate to a different solution."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to UnQLite for Perl version 0.07 or later."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-3257",
"datePublished": "2026-03-05T01:35:12.789Z",
"dateReserved": "2026-02-26T12:04:48.010Z",
"dateUpdated": "2026-03-05T16:34:39.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0943 (GCVE-0-2026-0943)
Vulnerability from cvelistv5 – Published: 2026-01-19 02:46 – Updated: 2026-01-20 15:25- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2429296 | issue-tracking |
| https://www.cve.org/CVERecord?id=CVE-2026-22693 | |
| https://metacpan.org/release/JV/HarfBuzz-Shaper-0… | release-notes |
| Vendor | Product | Version | |
|---|---|---|---|
| JV | HarfBuzz::Shaper |
Affected:
0 , < 0.032
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-0943",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:23:35.724880Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:25:23.530Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "HarfBuzz-Shaper",
"product": "HarfBuzz::Shaper",
"programFiles": [
"hb_src.tar.gz"
],
"repo": "https://github.com/sciurius/perl-HarfBuzz-Shaper",
"vendor": "JV",
"versions": [
{
"lessThan": "0.032",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eHarfBuzz::Shaper versions before 0.032 for Perl contains a bundled library with a null pointer dereference vulnerability.\u0026nbsp;\u003c/p\u003eVersions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CVE-2026-22693."
}
],
"value": "HarfBuzz::Shaper versions before 0.032 for Perl contains a bundled library with a null pointer dereference vulnerability.\u00a0\n\nVersions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CVE-2026-22693."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T02:54:06.255Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429296"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22693"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/JV/HarfBuzz-Shaper-0.032/changes"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Users should update to version 0.032 or later, where the bundled HarfBuzz library was updated to version 12.3.0."
}
],
"value": "Users should update to version 0.032 or later, where the bundled HarfBuzz library was updated to version 12.3.0."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HarfBuzz::Shaper versions before 0.032 for Perl contains a bundled library with a null pointer dereference vulnerability",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-0943",
"datePublished": "2026-01-19T02:46:52.012Z",
"dateReserved": "2026-01-14T15:30:04.686Z",
"dateUpdated": "2026-01-20T15:25:23.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
Mitigation
Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Mitigation
Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Mitigation
Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Mitigation
Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
No CAPEC attack patterns related to this CWE.