Common Weakness Enumeration

CWE-670

Allowed-with-Review

Always-Incorrect Control Flow Implementation

Abstraction: Class · Status: Draft

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

203 vulnerabilities reference this CWE, most recent first.

GHSA-G2R2-6V8V-5QGM

Vulnerability from github – Published: 2026-04-22 00:31 – Updated: 2026-04-22 00:31
VLAI
Details

KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one instance is running.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41527"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-21T22:16:20Z",
    "severity": "MODERATE"
  },
  "details": "KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one instance is running.",
  "id": "GHSA-g2r2-6v8v-5qgm",
  "modified": "2026-04-22T00:31:40Z",
  "published": "2026-04-22T00:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41527"
    },
    {
      "type": "WEB",
      "url": "https://commits.kde.org/kleopatra/73471abb92d99c56354adb582bfaec2764c22b79"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KDE/kleopatra/releases"
    },
    {
      "type": "WEB",
      "url": "https://kde.org/info/security/advisory-20260408-1.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G2XH-C426-V8MF

Vulnerability from github – Published: 2023-09-04 16:39 – Updated: 2025-06-18 17:43
VLAI
Summary
Vyper: reversed order of side effects for some operations
Details

Impact

For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right.

- unsafe_add
- unsafe_sub
- unsafe_mul
- unsafe_div
- pow_mod256
- |, &, ^ (bitwise operators)
- bitwise_or (deprecated)
- bitwise_and (deprecated)
- bitwise_xor (deprecated)
- raw_call
- <, >, <=, >=, ==, !=
- in, not in (when lhs and rhs are enums)

This behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect:

  • state modifying external call
  • state modifying internal call
  • raw_call
  • pop() when used on a Dynamic Array stored in the storage
  • create_minimal_proxy_to
  • create_copy_of
  • create_from_blueprint

For example:

f:uint256

@internal
def side_effect() -> uint256:
    self.f = 12
    return 1

@external
def foo() -> uint256:
    return unsafe_add(self.f,self.side_effect()) # returns 13 instead of 1
a:DynArray[uint256, 12]
@external
def bar() -> bool:
    self.a = [1,2,3]
    return len(self.a) == self.a.pop() # return false instead of true

Patches

not yet patched, will address in a future release. tracking in https://github.com/vyperlang/vyper/issues/3604.

Workarounds

When using expressions from the list above, make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

References

Are there any links users can visit to find out more?

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-40015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-04T16:39:00Z",
    "nvd_published_at": "2023-09-04T18:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nFor the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right.\n\n```\n- unsafe_add\n- unsafe_sub\n- unsafe_mul\n- unsafe_div\n- pow_mod256\n- |, \u0026, ^ (bitwise operators)\n- bitwise_or (deprecated)\n- bitwise_and (deprecated)\n- bitwise_xor (deprecated)\n- raw_call\n- \u003c, \u003e, \u003c=, \u003e=, ==, !=\n- in, not in (when lhs and rhs are enums)\n```\n\nThis behaviour becomes a problem when the evaluation of one of the arguments produces side effects that other arguments depend on. The following expressions can produce side-effect:\n\n- state modifying external call \n- state modifying internal call\n- `raw_call`\n- `pop()` when used on a Dynamic Array stored in the storage\n- `create_minimal_proxy_to`\n- `create_copy_of`\n- `create_from_blueprint`\n\nFor example:\n\n```Vyper\nf:uint256\n\n@internal\ndef side_effect() -\u003e uint256:\n    self.f = 12\n    return 1\n\n@external\ndef foo() -\u003e uint256:\n    return unsafe_add(self.f,self.side_effect()) # returns 13 instead of 1\n```\n\n```Vyper\na:DynArray[uint256, 12]\n@external\ndef bar() -\u003e bool:\n    self.a = [1,2,3]\n    return len(self.a) == self.a.pop() # return false instead of true\n```\n\n### Patches\nnot yet patched, will address in a future release. tracking in https://github.com/vyperlang/vyper/issues/3604.\n\n### Workarounds\n\nWhen using expressions from the list above, make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.\n\n### References\n_Are there any links users can visit to find out more?_",
  "id": "GHSA-g2xh-c426-v8mf",
  "modified": "2025-06-18T17:43:48Z",
  "published": "2023-09-04T16:39:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-g2xh-c426-v8mf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40015"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/issues/3604"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/issues/4019"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/pull/4157"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-167.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vyper: reversed order of side effects for some operations"
}

GHSA-G8VQ-GJGW-GFC8

Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 00:34
VLAI
Details

Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56328"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T23:17:30Z",
    "severity": "HIGH"
  },
  "details": "Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.",
  "id": "GHSA-g8vq-gjgw-gfc8",
  "modified": "2026-07-01T00:34:13Z",
  "published": "2026-07-01T00:34:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-3cmp-pm5x-8464"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56328"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/capgo-integrity-issue-in-release-routing-via-multiple-public-channels"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GH9R-QCPC-Q754

Vulnerability from github – Published: 2026-06-20 18:31 – Updated: 2026-06-20 18:31
VLAI
Details

Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.read_devices access can exploit non-advancing cursor filters to trigger infinite pagination loops, prevent dataset traversal, and cause repeated processing in device-management workflows.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-20T16:17:05Z",
    "severity": "MODERATE"
  },
  "details": "Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.read_devices access can exploit non-advancing cursor filters to trigger infinite pagination loops, prevent dataset traversal, and cause repeated processing in device-management workflows.",
  "id": "GHSA-gh9r-qcpc-q754",
  "modified": "2026-06-20T18:31:29Z",
  "published": "2026-06-20T18:31:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-8p6w-x7jg-v4xq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56307"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/cap-go-broken-cursor-pagination-in-private-devices-endpoint"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GM67-5X5W-8F7X

Vulnerability from github – Published: 2024-12-04 15:31 – Updated: 2024-12-11 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

pmdomain: imx93-blk-ctrl: correct remove path

The check condition should be 'i < bc->onecell_data.num_domains', not 'bc->onecell_data.num_domains' which will make the look never finish and cause kernel panic.

Also disable runtime to address "imx93-blk-ctrl 4ac10000.system-controller: Unbalanced pm_runtime_enable!"

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-04T15:15:13Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx93-blk-ctrl: correct remove path\n\nThe check condition should be \u0027i \u003c bc-\u003eonecell_data.num_domains\u0027, not\n\u0027bc-\u003eonecell_data.num_domains\u0027 which will make the look never finish\nand cause kernel panic.\n\nAlso disable runtime to address\n\"imx93-blk-ctrl 4ac10000.system-controller: Unbalanced pm_runtime_enable!\"",
  "id": "GHSA-gm67-5x5w-8f7x",
  "modified": "2024-12-11T18:30:39Z",
  "published": "2024-12-04T15:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53134"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/201fb9e164a1e4c5937de2cf58bcb0327c08664f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8fc228ab5d38a026eae7183a5f74a4fac43d9b6a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f7c7c5aa556378a2c8da72c1f7f238b6648f95fb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GPCC-MW99-4PG6

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

In WAVM through 2018-07-26, a crafted file sent to the WebAssembly Virtual Machine may cause a denial of service (application crash) or possibly have unspecified other impact because Errors::unreachable() is reached.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-10T04:29:00Z",
    "severity": "HIGH"
  },
  "details": "In WAVM through 2018-07-26, a crafted file sent to the WebAssembly Virtual Machine may cause a denial of service (application crash) or possibly have unspecified other impact because Errors::unreachable() is reached.",
  "id": "GHSA-gpcc-mw99-4pg6",
  "modified": "2022-05-13T01:19:17Z",
  "published": "2022-05-13T01:19:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16766"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AndrewScheidecker/WAVM/issues/96"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GXH7-WV9Q-FWFR

Vulnerability from github – Published: 2023-09-06 18:42 – Updated: 2023-09-06 18:42
VLAI
Summary
Electron's Content-Secrity-Policy disabling eval not applied consistently in renderers with sandbox disabled
Details

Impact

A Content-Security-Policy that disables eval, specifically setting a script-src directive and not providing unsafe-eval in that directive, is not respected in renderers that have sandbox and contextIsolation disabled. i.e. sandbox: false and contextIsolation: false in the webPreferences object.

This resulted in incorrectly allowing usage of methods like eval() and new Function, which can result in an expanded attack surface.

Patches

This issue only ever affected the 22 and 23 major versions of Electron and has been fixed in the latest versions of those release lines. Specifically, these versions contain the fixes:

  • 22.0.1
  • 23.0.0-alpha.2

We recommend all apps upgrade to the latest stable version of Electron, especially if they use sandbox: false or contextIsolation: false.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by enabling at least one of sandbox: true or contextIsolation: true on all renderers.

const mainWindow = new BrowserWindow({
  webPreferences: {
    sandbox: true,
  }
});

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Credit

Thanks to user @andreasdj for reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "22.0.0-beta.1"
            },
            {
              "fixed": "22.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.0.0-alpha.1"
            },
            {
              "fixed": "23.0.0-alpha.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-23623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-06T18:42:17Z",
    "nvd_published_at": "2023-09-06T21:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA Content-Security-Policy that disables eval, specifically setting a `script-src` directive and _not_ providing `unsafe-eval` in that directive, is not respected in renderers that have sandbox and contextIsolation disabled.  i.e. `sandbox: false` and `contextIsolation: false` in the `webPreferences` object.\n\nThis resulted in incorrectly allowing usage of methods like `eval()` and `new Function`, which can result in an expanded attack surface.\n\n### Patches\nThis issue only ever affected the 22 and 23 major versions of Electron and has been fixed in the latest versions of those release lines. Specifically, these versions contain the fixes:\n\n- 22.0.1\n- 23.0.0-alpha.2\n\nWe recommend all apps upgrade to the latest stable version of Electron, especially if they use `sandbox: false` or `contextIsolation: false`.\n\n### Workarounds\nIf upgrading isn\u0027t possible, this issue can be addressed without upgrading by enabling at least one of `sandbox: true` or `contextIsolation: true` on all renderers.\n\n```js\nconst mainWindow = new BrowserWindow({\n  webPreferences: {\n    sandbox: true,\n  }\n});\n```\n\n### For more information\nIf you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).\n\n### Credit\nThanks to user @andreasdj for reporting this issue.",
  "id": "GHSA-gxh7-wv9q-fwfr",
  "modified": "2023-09-06T18:42:17Z",
  "published": "2023-09-06T18:42:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/security/advisories/GHSA-gxh7-wv9q-fwfr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23623"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/pull/36667"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/pull/36668"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/commit/9e7fbc7021d8d716c43782249a552e55289c35db"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/electron/electron"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/releases/tag/v22.0.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Electron\u0027s Content-Secrity-Policy disabling eval not applied consistently in renderers with sandbox disabled"
}

GHSA-H4F3-5VVH-XJGJ

Vulnerability from github – Published: 2025-06-11 03:31 – Updated: 2025-06-18 03:30
VLAI
Details

KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers such as a ssh:// or telnet:// or rlogin:// URL. This can be executed regardless of whether the ssh, telnet, or rlogin binary is available. In this mode, there is a code path where if that binary is not available, Konsole falls back to using /bin/bash for the given arguments (i.e., the URL) provided. This allows an attacker to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-11T01:15:20Z",
    "severity": "HIGH"
  },
  "details": "KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers such as a ssh:// or telnet:// or rlogin:// URL. This can be executed regardless of whether the ssh, telnet, or rlogin binary is available. In this mode, there is a code path where if that binary is not available, Konsole falls back to using /bin/bash for the given arguments (i.e., the URL) provided. This allows an attacker to execute arbitrary code.",
  "id": "GHSA-h4f3-5vvh-xjgj",
  "modified": "2025-06-18T03:30:55Z",
  "published": "2025-06-11T03:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49091"
    },
    {
      "type": "WEB",
      "url": "https://invent.kde.org/utilities/konsole/-/commit/09d20dea109050b4c02fb73095f327b5642a2b75"
    },
    {
      "type": "WEB",
      "url": "https://invent.kde.org/utilities/konsole/-/tags"
    },
    {
      "type": "WEB",
      "url": "https://kde.org/info/security/advisory-20250609-1.txt"
    },
    {
      "type": "WEB",
      "url": "https://konsole.kde.org/changelog.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://proofnet.de/publikationen/konsole_rce.html"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2025/06/10/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H75F-8F3X-9M8C

Vulnerability from github – Published: 2026-05-20 18:31 – Updated: 2026-05-20 18:31
VLAI
Details

A vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial of service (DoS) condition.

This vulnerability is due to incorrect parsing of a transitive BGP attribute. An attacker could exploit this vulnerability by sending a crafted BGP update through an established BGP peer session. If the update propagates to an affected device, it could cause the device to drop the BGP session and flap with the BGP peer that is forwarding this update, resulting in a DoS condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-20T17:16:19Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the Border Gateway Protocol (BGP)\u0026nbsp;enforce-first-as feature of\u0026nbsp;Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial of service (DoS) condition.\n\nThis vulnerability is due to incorrect parsing of a transitive BGP attribute. An attacker could exploit this vulnerability by sending a crafted BGP update through an established BGP peer session. If the update propagates to an affected device, it could cause the device to drop the BGP session and flap with the BGP peer that is forwarding this update, resulting in a DoS condition.",
  "id": "GHSA-h75f-8f3x-9m8c",
  "modified": "2026-05-20T18:31:35Z",
  "published": "2026-05-20T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20171"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgp-iefab-3hb2pwtx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H792-V28V-PPGR

Vulnerability from github – Published: 2026-06-29 21:32 – Updated: 2026-06-30 15:30
VLAI
Details

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53404"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-29T21:16:44Z",
    "severity": "HIGH"
  },
  "details": "Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat\u0027s rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.\n\nUsers are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.",
  "id": "GHSA-h792-v28v-ppgr",
  "modified": "2026-06-30T15:30:43Z",
  "published": "2026-06-29T21:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53404"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/rdhpghgfskrdmw9hqzjgjrtw538smpmz"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/29/21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.