Search criteria
3374 vulnerabilities
CVE-2026-10629 (GCVE-0-2026-10629)
Vulnerability from cvelistv5 – Published: 2026-06-02 14:35 – Updated: 2026-06-02 15:23
VLAI
Title
CVE-2026-10629
Summary
SIP signaling stack in Verizon IMS (unspecified version) implements SIP signaling without IPsec integrity protection (missing Security-Client/Security-Server headers and ESP traffic), which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via passive monitoring and active manipulation of unsecured SIP messages over the radio and core network.
Severity
No CVSS data available.
Assigner
References
2 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-02T15:23:02.208Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/615987"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VoLTE",
"vendor": "Verizon",
"versions": [
{
"status": "affected",
"version": "UNKNOWN"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SIP signaling stack in Verizon IMS (unspecified version) implements SIP signaling without IPsec integrity protection (missing Security-Client/Security-Server headers and ESP traffic), which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via passive monitoring and active manipulation of unsecured SIP messages over the radio and core network."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-346 Origin Validation Error",
"lang": "en"
}
]
},
{
"descriptions": [
{
"description": "CWE-523 Missing Transport Layer Protection",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T14:35:07.902Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.3gpp.org/DynReport/33203.htm"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-10629",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-10629"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-10629",
"datePublished": "2026-06-02T14:35:07.902Z",
"dateReserved": "2026-06-02T14:31:31.922Z",
"dateUpdated": "2026-06-02T15:23:02.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7299 (GCVE-0-2026-7299)
Vulnerability from cvelistv5 – Published: 2026-06-02 14:07 – Updated: 2026-06-02 15:23
VLAI
Title
CVE-2026-7299
Summary
Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource.
Severity
6.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
6 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-02T15:23:03.693Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/265691"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Appsmith",
"vendor": "Appsmith",
"versions": [
{
"lessThan": "2.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Appsmith\u2019s SQL query editor\u2019s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T14:07:52.626Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-vvxf-f8q9-86gh"
},
{
"url": "https://github.com/appsmithorg/appsmith/pull/41666"
},
{
"url": "https://github.com/Stuub/Appsmith-1.98-Stored-XSS-Exploit"
},
{
"url": "https://github.com/appsmithorg/appsmith/releases/tag/v2.1"
},
{
"url": "https://github.com/appsmithorg/appsmith/commit/99d69180919981ed9bc5484050d809a5bec68acc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-7299",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-7299"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-7299",
"datePublished": "2026-06-02T14:07:52.626Z",
"dateReserved": "2026-04-28T11:32:21.296Z",
"dateUpdated": "2026-06-02T15:23:03.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10621 (GCVE-0-2026-10621)
Vulnerability from cvelistv5 – Published: 2026-06-02 14:03 – Updated: 2026-06-02 14:03
VLAI
Title
CVE-2026-10621
Summary
Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file path during ZIP extraction, this can allow an attacker to write files outside the intended extraction directory.
Severity
No CVSS data available.
CWE
Assigner
References
2 references
Impacted products
7 products
| Vendor | Product | Version | |
|---|---|---|---|
| Collibra | Collibra Platform (SaaS) |
Affected:
2025.10 , < 2025.10.9
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2025.11 , < 2025.11.7
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2026.02 , < 2026.02.6
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2026.03 , < 2026.03.4
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2026.04 , < 2024.04.5
(custom)
|
|
| Collibra | Collibra Platform (on-prem) |
Affected:
2026.03 , < 2026.03.356
(custom)
|
|
| Collibra | Collibra Platform (on-prem) |
Affected:
2025.10 , < 2025.10.399
(custom)
|
{
"containers": {
"cna": {
"affected": [
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2025.10.9",
"status": "affected",
"version": "2025.10",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2025.11.7",
"status": "affected",
"version": "2025.11",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2026.02.6",
"status": "affected",
"version": "2026.02",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2026.03.4",
"status": "affected",
"version": "2026.03",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2024.04.5",
"status": "affected",
"version": "2026.04",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (on-prem)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2026.03.356",
"status": "affected",
"version": "2026.03",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (on-prem)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2025.10.399",
"status": "affected",
"version": "2025.10",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file path during ZIP extraction, this can allow an attacker to write files outside the intended extraction directory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en"
}
]
},
{
"descriptions": [
{
"description": "CWE-73 External Control of File Name or Path",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T14:03:35.360Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.collibra.com/"
},
{
"url": "https://kb.cert.org/vuls/id/873170"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-10621",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-10621"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-10621",
"datePublished": "2026-06-02T14:03:35.360Z",
"dateReserved": "2026-06-02T13:58:49.342Z",
"dateUpdated": "2026-06-02T14:03:35.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10622 (GCVE-0-2026-10622)
Vulnerability from cvelistv5 – Published: 2026-06-02 14:01 – Updated: 2026-06-02 14:01
VLAI
Title
CVE-2026-10622
Summary
Improper Authentication in REST API in Collibra Agent, allows a remote unauthenticated attacker to access privileged functionality via exposed '/rest/* endpoints.
Severity
No CVSS data available.
Assigner
References
2 references
Impacted products
7 products
| Vendor | Product | Version | |
|---|---|---|---|
| Collibra | Collibra Platform (on-prem) |
Affected:
2026.03 , < 2026.03.356
(custom)
|
|
| Collibra | Collibra Platform (on-prem) |
Affected:
2025.10 , < 2025.10.399
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2026.04 , < 2026.04.5
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2026.03 , < 2026.03.4
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2026.02 , < 2026.02.6
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2025.11 , < 2025.11.7
(custom)
|
|
| Collibra | Collibra Platform (SaaS) |
Affected:
2025.10 , < 2025.10.9
(custom)
|
{
"containers": {
"cna": {
"affected": [
{
"product": "Collibra Platform (on-prem)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2026.03.356",
"status": "affected",
"version": "2026.03",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (on-prem)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2025.10.399",
"status": "affected",
"version": "2025.10",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2026.04.5",
"status": "affected",
"version": "2026.04",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2026.03.4",
"status": "affected",
"version": "2026.03",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2026.02.6",
"status": "affected",
"version": "2026.02",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2025.11.7",
"status": "affected",
"version": "2025.11",
"versionType": "custom"
}
]
},
{
"product": "Collibra Platform (SaaS)",
"vendor": "Collibra",
"versions": [
{
"lessThan": "2025.10.9",
"status": "affected",
"version": "2025.10",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Authentication in REST API in Collibra Agent, allows a remote unauthenticated attacker to access privileged functionality via exposed \u0027/rest/* endpoints."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en"
}
]
},
{
"descriptions": [
{
"description": "CWE-287 Improper Authentication",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T14:01:06.148Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.collibra.com/"
},
{
"url": "https://kb.cert.org/vuls/id/873170"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-10622",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-10622"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-10622",
"datePublished": "2026-06-02T14:01:06.148Z",
"dateReserved": "2026-06-02T13:59:47.508Z",
"dateUpdated": "2026-06-02T14:01:06.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8501 (GCVE-0-2026-8501)
Vulnerability from cvelistv5 – Published: 2026-06-01 16:25 – Updated: 2026-06-01 18:55
VLAI
Title
CVE-2026-8501
Summary
Improper access control in the PCTCore64.sys Windows kernel driver from PC Tools Internet Security allows user-mode processes to access the PCTCoreDriver WDM device interface and invoke privileged IOCTL handlers. A local attacker with the ability to access or load the affected driver can exploit this vulnerability to perform sensitive and privileged operations on the target system.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-782 - Exposed IOCTL with Insufficient Access Control
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Symantec | PC Tools Internet Security |
Affected:
*
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T18:20:00.476148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-782",
"description": "CWE-782 Exposed IOCTL with Insufficient Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T18:20:05.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-01T18:55:01.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/158530"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PC Tools Internet Security",
"vendor": "Symantec",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in the PCTCore64.sys Windows kernel driver from PC Tools Internet Security allows user-mode processes to access the PCTCoreDriver WDM device interface and invoke privileged IOCTL handlers. A local attacker with the ability to access or load the affected driver can exploit this vulnerability to perform sensitive and privileged operations on the target system."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-782: Exposed IOCTL with Insufficient Access Control",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:25:11.611Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules"
},
{
"url": "https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language"
},
{
"url": "https://kb.cert.org/vuls/id/158530"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8501",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8501"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8501",
"datePublished": "2026-06-01T16:25:11.611Z",
"dateReserved": "2026-05-13T20:56:16.307Z",
"dateUpdated": "2026-06-01T18:55:01.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-4991 (GCVE-0-2022-4991)
Vulnerability from cvelistv5 – Published: 2026-06-01 15:49 – Updated: 2026-06-02 15:47
VLAI
Title
Tychon is vulnerable to privilege escalation due to OPENSSLDIR location
Summary
Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.
Severity
7.4 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-4991",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:46:50.993076Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:47:22.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Tychon",
"vendor": "Tychon",
"versions": [
{
"lessThan": "1.7.857.82",
"status": "affected",
"version": "*",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-284",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T15:49:12.319Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/730007"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Tychon is vulnerable to privilege escalation due to OPENSSLDIR location",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2022-4991"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2022-4991",
"datePublished": "2026-06-01T15:49:12.319Z",
"dateReserved": "2026-06-01T15:45:57.665Z",
"dateUpdated": "2026-06-02T15:47:22.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9098 (GCVE-0-2026-9098)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:31 – Updated: 2026-06-02 16:43
VLAI
Title
CVE-2026-9098
Summary
In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:50:28.631307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T16:43:43.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-346 Origin Validation Error",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:31:42.767Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9098",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9098"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9098",
"datePublished": "2026-05-28T16:31:42.767Z",
"dateReserved": "2026-05-20T15:05:20.584Z",
"dateUpdated": "2026-06-02T16:43:43.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9097 (GCVE-0-2026-9097)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:29 – Updated: 2026-06-02 16:43
VLAI
Title
CVE-2026-9097
Summary
Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:49:45.590863Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T16:43:52.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:29:06.752Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9097",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9097"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9097",
"datePublished": "2026-05-28T16:29:06.752Z",
"dateReserved": "2026-05-20T15:05:12.699Z",
"dateUpdated": "2026-06-02T16:43:52.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9096 (GCVE-0-2026-9096)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:27 – Updated: 2026-06-02 16:43
VLAI
Title
CVE-2026-9096
Summary
Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:49:11.329944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T16:43:58.432Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:27:15.206Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9096",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9096"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9096",
"datePublished": "2026-05-28T16:27:15.206Z",
"dateReserved": "2026-05-20T15:05:04.383Z",
"dateUpdated": "2026-06-02T16:43:58.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9095 (GCVE-0-2026-9095)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:25 – Updated: 2026-05-28 17:07
VLAI
Title
CVE-2026-9095
Summary
Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-294 Authentication Bypass by Capture-replay
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9095",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T17:07:35.384837Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T17:07:58.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion\u2019s subject, including administrator accounts, without needing the user\u2019s password or MFA credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:25:17.364Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9095",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9095"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9095",
"datePublished": "2026-05-28T16:25:17.364Z",
"dateReserved": "2026-05-20T15:04:41.651Z",
"dateUpdated": "2026-05-28T17:07:58.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9094 (GCVE-0-2026-9094)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:25 – Updated: 2026-06-02 16:44
VLAI
Title
CVE-2026-9094
Summary
Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:48:34.407679Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T16:44:07.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token\u0027s user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-284 Improper Access Control",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:25:09.055Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9094",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9094"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9094",
"datePublished": "2026-05-28T16:25:09.055Z",
"dateReserved": "2026-05-20T15:04:30.259Z",
"dateUpdated": "2026-06-02T16:44:07.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9093 (GCVE-0-2026-9093)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:21 – Updated: 2026-06-02 16:44
VLAI
Title
CVE-2026-9093
Summary
In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:47:55.475804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T16:44:14.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-863 Incorrect Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:21:50.192Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9093",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9093"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9093",
"datePublished": "2026-05-28T16:21:50.192Z",
"dateReserved": "2026-05-20T15:04:21.545Z",
"dateUpdated": "2026-06-02T16:44:14.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9092 (GCVE-0-2026-9092)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:20 – Updated: 2026-06-01 16:56
VLAI
Title
CVE-2026-9092
Summary
Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include a EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T16:56:52.782321Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:56:56.854Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include a EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:20:45.547Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9092",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9092"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9092",
"datePublished": "2026-05-28T16:20:45.547Z",
"dateReserved": "2026-05-20T15:04:14.204Z",
"dateUpdated": "2026-06-01T16:56:56.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9091 (GCVE-0-2026-9091)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:19 – Updated: 2026-05-29 19:01
VLAI
Title
CVE-2026-9091
Summary
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:01:45.674578Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:01:52.614Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier contain a logic flaw in the social\u2011login binding flow that allows users to bypass configured MFA requirements. The binding\u2011rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:19:39.239Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9091",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9091"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9091",
"datePublished": "2026-05-28T16:19:39.239Z",
"dateReserved": "2026-05-20T15:04:03.933Z",
"dateUpdated": "2026-05-29T19:01:52.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9090 (GCVE-0-2026-9090)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:17 – Updated: 2026-05-29 19:41
VLAI
Title
CVE-2026-9090
Summary
Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9090",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:41:15.349183Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:41:34.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:17:21.953Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9090",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9090"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9090",
"datePublished": "2026-05-28T16:17:21.953Z",
"dateReserved": "2026-05-20T15:03:52.700Z",
"dateUpdated": "2026-05-29T19:41:34.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7304 (GCVE-0-2026-7304)
Vulnerability from cvelistv5 – Published: 2026-05-18 10:39 – Updated: 2026-05-18 14:04
VLAI
Title
CVE-2026-7304
Summary
SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7304",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T14:03:47.406419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T14:04:23.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SGLang",
"vendor": "SGLang",
"versions": [
{
"status": "affected",
"version": "5.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T10:39:52.696Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/sgl-project/sglang/tree/main/python/sglang"
},
{
"url": "https://antiproof.ai/blog/three-rces-in-sglang/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-7304",
"x_generator": {
"engine": "VINCE 3.0.40",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-7304"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-7304",
"datePublished": "2026-05-18T10:39:52.696Z",
"dateReserved": "2026-04-28T11:45:05.762Z",
"dateUpdated": "2026-05-18T14:04:23.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7302 (GCVE-0-2026-7302)
Vulnerability from cvelistv5 – Published: 2026-05-18 10:39 – Updated: 2026-05-18 14:05
VLAI
Title
CVE-2026-7302
Summary
SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-35 - Path Traversal: '.../...//'
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7302",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T14:05:10.011911Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-35",
"description": "CWE-35 Path Traversal: \u0027.../...//\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T14:05:33.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SGLang",
"vendor": "SGLang",
"versions": [
{
"status": "affected",
"version": "5.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-35: Path Traversal: \u0027.../...//\u0027",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T10:39:27.474Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/sgl-project/sglang/tree/main/python/sglang"
},
{
"url": "https://antiproof.ai/blog/three-rces-in-sglang/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-7302",
"x_generator": {
"engine": "VINCE 3.0.40",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-7302"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-7302",
"datePublished": "2026-05-18T10:39:27.474Z",
"dateReserved": "2026-04-28T11:44:06.203Z",
"dateUpdated": "2026-05-18T14:05:33.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7301 (GCVE-0-2026-7301)
Vulnerability from cvelistv5 – Published: 2026-05-18 10:38 – Updated: 2026-05-18 14:06
VLAI
Title
CVE-2026-7301
Summary
SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7301",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T14:06:17.378524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T14:06:20.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SGLang",
"vendor": "SGLang",
"versions": [
{
"status": "affected",
"version": "5.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SGLangs multimodal generation runtime scheduler\u0027s ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T10:38:56.493Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/sgl-project/sglang/tree/main/python/sglang"
},
{
"url": "https://antiproof.ai/blog/three-rces-in-sglang/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-7301",
"x_generator": {
"engine": "VINCE 3.0.40",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-7301"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-7301",
"datePublished": "2026-05-18T10:38:56.493Z",
"dateReserved": "2026-04-28T11:43:42.008Z",
"dateUpdated": "2026-05-18T14:06:20.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8496 (GCVE-0-2026-8496)
Vulnerability from cvelistv5 – Published: 2026-05-13 18:02 – Updated: 2026-05-13 18:56
VLAI
Title
A cross-site scripting (XSS) vulnerability in Alinto SOGo, version 5.12.7
Summary
A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS file, with an onrepeat event handler, is insufficiently sanitized before being rendered in the webmail interface. A remote attacker can execute JavaScript in the victim's browser when the malicious calendar invite is viewed. Successful exploitation may allow mailbox access, email and contact theft, session hijacking, and other actions allowed by an authenticated user.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Alinto SOGo | SOGo |
Affected:
0 , < 5.12.8
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8496",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T18:55:59.267006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:56:18.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SOGo",
"vendor": "Alinto SOGo",
"versions": [
{
"lessThan": "5.12.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS file, with an onrepeat event handler, is insufficiently sanitized before being rendered in the webmail interface. A remote attacker can execute JavaScript in the victim\u0027s browser when the malicious calendar invite is viewed. Successful exploitation may allow mailbox access, email and contact theft, session hijacking, and other actions allowed by an authenticated user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
},
{
"descriptions": [
{
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:02:54.459Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/Alinto/sogo/commit/67ce01ec2a1a7854d8e9f615dd65afb949043e86"
},
{
"url": "https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.8"
},
{
"url": "https://www.sogo.nu/news/2026/sogo-v5128-released.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A cross-site scripting (XSS) vulnerability in Alinto SOGo, version 5.12.7",
"x_generator": {
"engine": "VINCE 3.0.40",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8496"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8496",
"datePublished": "2026-05-13T18:02:54.459Z",
"dateReserved": "2026-05-13T17:31:27.218Z",
"dateUpdated": "2026-05-13T18:56:18.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5172 (GCVE-0-2026-5172)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:48 – Updated: 2026-05-20 14:10
VLAI
Title
CVE-2026-5172
Summary
A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record’s end.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5172",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T12:47:52.137124Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:48:16.998Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dnsmasq",
"vendor": "dnsmasq",
"versions": [
{
"lessThan": "2.92rel2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A buffer overflow in dnsmasq\u2019s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record\u2019s end."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-787: Out-of-bounds Write",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:10:25.587Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/471747"
},
{
"url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html"
},
{
"url": "https://thekelleys.org.uk/dnsmasq/CVE/"
},
{
"url": "https://github.com/NixOS/nixpkgs/pull/519082"
},
{
"url": "https://github.com/NixOS/nixpkgs/pull/519093"
},
{
"url": "https://github.com/pi-hole/FTL/releases/tag/v6.6.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-5172",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5172"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-5172",
"datePublished": "2026-05-11T16:48:46.219Z",
"dateReserved": "2026-03-30T15:54:52.205Z",
"dateUpdated": "2026-05-20T14:10:25.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4893 (GCVE-0-2026-4893)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:48 – Updated: 2026-05-20 14:09
VLAI
Title
CVE-2026-4893
Summary
An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4893",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:28:57.486938Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:29:00.767Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dnsmasq",
"vendor": "dnsmasq",
"versions": [
{
"lessThan": "2.92rel2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-287: Improper Authentication",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:09:53.804Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/471747"
},
{
"url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html"
},
{
"url": "https://thekelleys.org.uk/dnsmasq/CVE/"
},
{
"url": "https://github.com/NixOS/nixpkgs/pull/519093"
},
{
"url": "https://github.com/NixOS/nixpkgs/pull/519082"
},
{
"url": "https://github.com/pi-hole/FTL/releases/tag/v6.6.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-4893",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-4893"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-4893",
"datePublished": "2026-05-11T16:48:15.106Z",
"dateReserved": "2026-03-26T13:12:03.722Z",
"dateUpdated": "2026-05-20T14:09:53.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4892 (GCVE-0-2026-4892)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:47 – Updated: 2026-05-20 14:09
VLAI
Title
CVE-2026-4892
Summary
A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.
Severity
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4892",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:26:34.490142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:26:37.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dnsmasq",
"vendor": "dnsmasq",
"versions": [
{
"lessThan": "2.92rel2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:09:29.062Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html"
},
{
"url": "https://www.kb.cert.org/vuls/id/471747"
},
{
"url": "https://thekelleys.org.uk/dnsmasq/CVE/"
},
{
"url": "https://github.com/NixOS/nixpkgs/pull/519082"
},
{
"url": "https://github.com/NixOS/nixpkgs/pull/519093"
},
{
"url": "https://github.com/pi-hole/FTL/releases/tag/v6.6.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-4892",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-4892"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-4892",
"datePublished": "2026-05-11T16:47:58.846Z",
"dateReserved": "2026-03-26T13:09:48.958Z",
"dateUpdated": "2026-05-20T14:09:29.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4891 (GCVE-0-2026-4891)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:47 – Updated: 2026-05-20 14:08
VLAI
Title
CVE-2026-4891
Summary
A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4891",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:27:33.459839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:27:36.545Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dnsmasq",
"vendor": "dnsmasq",
"versions": [
{
"lessThan": "2.92rel2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125: Out-of-bounds Read",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:08:50.799Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html"
},
{
"url": "https://www.kb.cert.org/vuls/id/471747"
},
{
"url": "https://thekelleys.org.uk/dnsmasq/CVE/"
},
{
"url": "https://github.com/NixOS/nixpkgs/pull/519082"
},
{
"url": "https://github.com/NixOS/nixpkgs/pull/519093"
},
{
"url": "https://github.com/pi-hole/FTL/releases/tag/v6.6.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-4891",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-4891"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-4891",
"datePublished": "2026-05-11T16:47:33.202Z",
"dateReserved": "2026-03-26T13:07:05.406Z",
"dateUpdated": "2026-05-20T14:08:50.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4890 (GCVE-0-2026-4890)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:47 – Updated: 2026-05-20 14:08
VLAI
Title
CVE-2026-4890
Summary
A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-835 - Loop with Unreachable Termination
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4890",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:28:07.653867Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:28:11.342Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dnsmasq",
"vendor": "dnsmasq",
"versions": [
{
"lessThan": "2.92rel2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-835: Loop with Unreachable Termination",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:08:25.686Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/471747"
},
{
"url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html"
},
{
"url": "https://thekelleys.org.uk/dnsmasq/CVE/"
},
{
"url": "https://github.com/NixOS/nixpkgs/pull/519093"
},
{
"url": "https://github.com/NixOS/nixpkgs/pull/519082"
},
{
"url": "https://github.com/pi-hole/FTL/releases/tag/v6.6.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-4890",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-4890"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-4890",
"datePublished": "2026-05-11T16:47:16.419Z",
"dateReserved": "2026-03-26T13:05:10.729Z",
"dateUpdated": "2026-05-20T14:08:25.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2291 (GCVE-0-2026-2291)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:47 – Updated: 2026-05-20 14:07
VLAI
Title
CVE-2026-2291
Summary
dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
7 references
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-2291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T12:38:54.623336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:45:01.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dnsmasq",
"vendor": "dnsmasq",
"versions": [
{
"lessThan": "2.92rel2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:07:50.273Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.suse.com/security/cve/CVE-2026-2291.html"
},
{
"url": "https://www.kb.cert.org/vuls/id/471747"
},
{
"url": "https://thekelleys.org.uk/dnsmasq/CVE/"
},
{
"url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html"
},
{
"url": "https://github.com/NixOS/nixpkgs/pull/519082"
},
{
"url": "https://github.com/NixOS/nixpkgs/pull/519093"
},
{
"url": "https://github.com/pi-hole/FTL/releases/tag/v6.6.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-2291",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-2291"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-2291",
"datePublished": "2026-05-11T16:47:01.981Z",
"dateReserved": "2026-02-10T15:41:17.169Z",
"dateUpdated": "2026-05-20T14:07:50.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3609 (GCVE-0-2026-3609)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:25 – Updated: 2026-05-13 12:35
VLAI
Title
XIGNCODE3 xhunter1.sys kernel driver contains a Privilege Escalation Vulnerability
Summary
Wellbia's XIGNCODE3 xhunter1.sys kernel driver Privilege Escalation Vulnerability provides access to IRP_MJ_REITS command interface, which allows any user process to request a PROCESS_ALL_ACCESS.
Cross reference to KVE 2023-5589 (https://krcert.or.kr)
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wellbia | XIGNCODE3 Anti-Cheat |
Affected:
10.0.10011.16384
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3609",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T12:35:38.266419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:35:57.998Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://blacksnufkin.github.io/posts/AntiCheat-LPE-CVE-2026-3609/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "XIGNCODE3 Anti-Cheat",
"vendor": "Wellbia",
"versions": [
{
"status": "affected",
"version": "10.0.10011.16384"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wellbia\u0027s XIGNCODE3 xhunter1.sys kernel driver Privilege Escalation Vulnerability provides access to IRP_MJ_REITS command interface, which allows any user process to request a PROCESS_ALL_ACCESS.\r\nCross reference to KVE 2023-5589 (https://krcert.or.kr)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-269 Improper Privilege Management",
"lang": "en"
}
]
},
{
"descriptions": [
{
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en"
}
]
},
{
"descriptions": [
{
"description": "CWE-284 Improper Access Control",
"lang": "en"
}
]
},
{
"descriptions": [
{
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:25:24.769Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://crcert.or.kr"
},
{
"url": "https://blacksnufkin.github.io/posts/AntiCheat-LPE-CVE-2026-3609/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XIGNCODE3 xhunter1.sys kernel driver contains a Privilege Escalation Vulnerability",
"x_generator": {
"engine": "VINCE 3.0.39",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-3609"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-3609",
"datePublished": "2026-05-11T16:25:24.769Z",
"dateReserved": "2026-03-05T17:54:52.283Z",
"dateUpdated": "2026-05-13T12:35:57.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6815 (GCVE-0-2026-6815)
Vulnerability from cvelistv5 – Published: 2026-05-11 15:20 – Updated: 2026-05-13 12:33
VLAI
Title
CVE-2026-6815
Summary
An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with administrative privileges can perform a Path Traversal attack to create or overwrite arbitrary files anywhere on the host filesystem, bypassing the application's intended storage sandbox.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-11T16:53:24.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/937808"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-6815",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T12:32:45.925471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:33:15.243Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "v2.328.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An arbitrary file write vulnerability exists in Casdoor\u0027s Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with administrative privileges can perform a Path Traversal attack to create or overwrite arbitrary files anywhere on the host filesystem, bypassing the application\u0027s intended storage sandbox."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:20:25.606Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/937808"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-6815",
"x_generator": {
"engine": "VINCE 3.0.39",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-6815"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-6815",
"datePublished": "2026-05-11T15:20:25.606Z",
"dateReserved": "2026-04-21T18:50:35.842Z",
"dateUpdated": "2026-05-13T12:33:15.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8142 (GCVE-0-2026-8142)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:54 – Updated: 2026-05-08 13:55
VLAI
Title
CVE-2026-8142
Summary
VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
2 references
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T13:54:55.991111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T13:55:16.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "VINCE",
"vendor": "CERT/CC",
"versions": [
{
"lessThanOrEqual": "3.0.38",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks to Guillem Lefait guillem@datamq.com for reporting the issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:54:49.275Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vince"
},
{
"url": "https://github.com/CERTCC/VINCE"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CVE-2026-8142",
"x_generator": {
"engine": "VINCE 3.0.39",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8142"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8142",
"datePublished": "2026-05-07T19:54:49.275Z",
"dateReserved": "2026-05-07T19:50:29.029Z",
"dateUpdated": "2026-05-08T13:55:16.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7246 (GCVE-0-2026-7246)
Vulnerability from cvelistv5 – Published: 2026-04-30 13:16 – Updated: 2026-05-07 16:41
VLAI
Title
Pallets Click contains a command injection via Unsanitized Filename "click.edit()"
Summary
Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account.
Severity
7.2 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Pallets Click | Click |
Affected:
0 , < 8.3.3
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7246",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-30T13:39:25.058670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T13:40:48.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Click",
"vendor": "Pallets Click",
"versions": [
{
"lessThan": "8.3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T16:41:32.372Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/pallets/click/releases/tag/8.3.3"
},
{
"url": "https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Pallets Click contains a command injection via Unsanitized Filename \"click.edit()\"",
"x_generator": {
"engine": "VINCE 3.0.39",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-7246"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-7246",
"datePublished": "2026-04-30T13:16:44.050Z",
"dateReserved": "2026-04-27T17:37:48.878Z",
"dateUpdated": "2026-05-07T16:41:32.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6356 (GCVE-0-2026-6356)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:18 – Updated: 2026-04-22 14:42
VLAI
Title
CVE-2026-6356
Summary
A vulnerability in the web application allows standard users to escalate their privileges to those of a super administrator through parameter manipulation, enabling them to access and modify sensitive information.
Severity
9.6 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1220 - Insufficient Granularity of Access Control
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-6356",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T14:40:46.719179Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220 Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T14:42:10.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Penguinsecq/CVE-2026-6356/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Augmentt",
"vendor": "Augmentt",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web application allows standard users to escalate their privileges to those of a super administrator through parameter manipulation, enabling them to access and modify sensitive information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:18:18.360Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/Penguinsecq/CVE-2026-6356/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-6356",
"x_generator": {
"engine": "VINCE 3.0.36",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-6356"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-6356",
"datePublished": "2026-04-22T13:18:18.360Z",
"dateReserved": "2026-04-15T13:51:11.794Z",
"dateUpdated": "2026-04-22T14:42:10.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}