Common Weakness Enumeration

CWE-420

Allowed

Unprotected Alternate Channel

Abstraction: Base · Status: Draft

The product protects a primary channel, but it does not use the same level of protection for an alternate channel.

71 vulnerabilities reference this CWE, most recent first.

GHSA-95PQ-HR8P-F5G7

Vulnerability from github – Published: 2026-06-22 19:58 – Updated: 2026-06-22 19:58
VLAI
Summary
ComfyUI-Manager has an Unprotected Alternate Channel (CWE-420)
Details

Impact

An Unprotected Alternate Channel (CWE-420) vulnerability was discovered in ComfyUI-Manager versions prior to 3.38.

Vulnerability Details

In affected versions, ComfyUI-Manager stored its configuration in the user/default/ComfyUI-Manager/ directory, which was accessible via ComfyUI's web APIs without proper access control. This unprotected alternate channel allowed remote attackers to read and manipulate configuration files and critical data through the web interface.

Potential Attack Scenarios

An attacker exploiting this vulnerability could: - Modify security settings: Lower the security level from "strong" to "weak" to enable more dangerous operations - Tamper with custom node sources: Add malicious custom node repositories - Manipulate snapshot data: Corrupt or alter system snapshots - Change manager behavior: Alter various manager configuration settings

Affected Configurations

Configuration Risk Level
Systems running with --listen 0.0.0.0 (externally exposed) HIGH
Systems behind reverse proxy without proper access control MEDIUM
Local-only installations (default, localhost only) NOT AFFECTED

Patches

This issue has been patched in ComfyUI-Manager version 3.38.

Requirements

Component Minimum Version Notes
ComfyUI v0.3.76+ Required for System User Protection API
ComfyUI-Manager v3.38+ Contains the security fix

What the Patch Does

  1. Path Migration: Configuration files moved from unprotected user/default/ComfyUI-Manager/ to protected user/__manager/
  2. Protected Directory: The new __manager/ directory leverages ComfyUI's System User Protection API, which blocks external web API access
  3. Security Level Enforcement: Settings below "normal" are automatically raised to "normal" during migration
  4. Legacy Backup: Old data is backed up to .legacy-manager-backup/ with startup reminders until manually deleted
  5. Fallback Protection: If ComfyUI < v0.3.76, Manager forces "strong" security mode, blocking new installations until ComfyUI is updated

Patch Details


Workarounds

If immediate upgrade is not possible, apply the following mitigations:

Mitigation Effectiveness Effort
Remove --listen 0.0.0.0 flag (use localhost only) HIGH Low
Implement firewall rules to block external access to ComfyUI ports HIGH Medium
Use reverse proxy with authentication (e.g., nginx + basic auth) HIGH Medium
Restrict network access to trusted IPs only MEDIUM Low

Note: These are temporary mitigations. Upgrading to v3.38+ is strongly recommended.


Resources


Credit

This vulnerability was reported by Ricter Zheng (ricterzheng / 郑杜涛) from Tencent Xuanwu Lab ricterzheng@tencent.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "comfyui-manager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.38"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-67303"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-22T19:58:24Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAn **Unprotected Alternate Channel (CWE-420)** vulnerability was discovered in ComfyUI-Manager versions prior to 3.38.\n\n#### Vulnerability Details\n\nIn affected versions, ComfyUI-Manager stored its configuration in the `user/default/ComfyUI-Manager/` directory, which was accessible via ComfyUI\u0027s web APIs without proper access control. This unprotected alternate channel allowed remote attackers to read and manipulate configuration files and critical data through the web interface.\n\n#### Potential Attack Scenarios\n\nAn attacker exploiting this vulnerability could:\n- **Modify security settings**: Lower the security level from \"strong\" to \"weak\" to enable more dangerous operations\n- **Tamper with custom node sources**: Add malicious custom node repositories\n- **Manipulate snapshot data**: Corrupt or alter system snapshots\n- **Change manager behavior**: Alter various manager configuration settings\n\n#### Affected Configurations\n\n| Configuration | Risk Level |\n|---------------|------------|\n| Systems running with `--listen 0.0.0.0` (externally exposed) | **HIGH** |\n| Systems behind reverse proxy without proper access control | **MEDIUM** |\n| Local-only installations (default, localhost only) | **NOT AFFECTED** |\n\n---\n\n### Patches\n\nThis issue has been patched in **ComfyUI-Manager version 3.38**.\n\n#### Requirements\n\n| Component | Minimum Version | Notes |\n|-----------|-----------------|-------|\n| ComfyUI | v0.3.76+ | Required for System User Protection API |\n| ComfyUI-Manager | v3.38+ | Contains the security fix |\n\n#### What the Patch Does\n\n1. **Path Migration**: Configuration files moved from unprotected `user/default/ComfyUI-Manager/` to protected `user/__manager/`\n2. **Protected Directory**: The new `__manager/` directory leverages ComfyUI\u0027s System User Protection API, which blocks external web API access\n3. **Security Level Enforcement**: Settings below \"normal\" are automatically raised to \"normal\" during migration\n4. **Legacy Backup**: Old data is backed up to `.legacy-manager-backup/` with startup reminders until manually deleted\n5. **Fallback Protection**: If ComfyUI \u003c v0.3.76, Manager forces \"strong\" security mode, blocking new installations until ComfyUI is updated\n\n#### Patch Details\n\n- **Commit**: `aaed1dc`\n- **Pull Request**: [ComfyUI-Manager/#2338](https://github.com/Comfy-Org/ComfyUI-Manager/pull/2338) [ComfyUI/#10966](https://github.com/Comfy-Org/ComfyUI/pull/10966)\n- **Changes**: +780 lines, \u221261 lines across 13 files\n\n---\n\n### Workarounds\n\nIf immediate upgrade is not possible, apply the following mitigations:\n\n| Mitigation | Effectiveness | Effort |\n|------------|---------------|--------|\n| Remove `--listen 0.0.0.0` flag (use localhost only) | **HIGH** | Low |\n| Implement firewall rules to block external access to ComfyUI ports | **HIGH** | Medium |\n| Use reverse proxy with authentication (e.g., nginx + basic auth) | **HIGH** | Medium |\n| Restrict network access to trusted IPs only | **MEDIUM** | Low |\n\n**Note**: These are temporary mitigations. Upgrading to v3.38+ is strongly recommended.\n\n---\n\n### Resources\n\n- [NVD - CVE-2025-67303](https://nvd.nist.gov/vuln/detail/CVE-2025-67303)\n- [ComfyUI-Manager v3.38 Security Migration Guide](https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md)\n- [Patch Pull Request ComfyUI-Manager/#2338](https://github.com/Comfy-Org/ComfyUI-Manager/pull/2338)\n - [Patch Pull Request ComfyUI/#10966](https://github.com/Comfy-Org/ComfyUI/pull/10966)\n\n---\n\n### Credit\n\nThis vulnerability was reported by **Ricter Zheng (ricterzheng / \u90d1\u675c\u6d9b)** from **Tencent Xuanwu Lab** \u003cricterzheng@tencent.com\u003e",
  "id": "GHSA-95pq-hr8p-f5g7",
  "modified": "2026-06-22T19:58:24Z",
  "published": "2026-06-22T19:58:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-95pq-hr8p-f5g7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67303"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Comfy-Org/ComfyUI-Manager/pull/2338/commits/e44c5cef58fb4973670b86433b9d24d077b44a26"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Comfy-Org/ComfyUI-Manager"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ComfyUI-Manager has an Unprotected Alternate Channel (CWE-420)"
}

GHSA-9FJJ-JVXF-738C

Vulnerability from github – Published: 2026-04-02 18:31 – Updated: 2026-04-02 18:31
VLAI
Details

OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-35388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-02T17:16:27Z",
    "severity": "LOW"
  },
  "details": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.",
  "id": "GHSA-9fjj-jvxf-738c",
  "modified": "2026-04-02T18:31:38Z",
  "published": "2026-04-02T18:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35388"
    },
    {
      "type": "WEB",
      "url": "https://marc.info/?l=openssh-unix-dev\u0026m=177513443901484\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "https://www.openssh.org/releasenotes.html#10.3p1"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CWX6-FW99-MWH9

Vulnerability from github – Published: 2024-07-02 21:32 – Updated: 2026-04-08 18:33
VLAI
Details

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the 'check_validate_fields' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6099"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-02T11:15:10Z",
    "severity": "MODERATE"
  },
  "details": "The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the \u0027check_validate_fields\u0027 function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.",
  "id": "GHSA-cwx6-fw99-mwh9",
  "modified": "2026-04-08T18:33:31Z",
  "published": "2024-07-02T21:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6099"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.6.8.1/inc/class-lp-checkout.php#L124"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3109339"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ee714c7-4c9b-4627-9ba9-f83aeca6a0a5?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F6MF-XJGG-34J8

Vulnerability from github – Published: 2026-01-27 12:31 – Updated: 2026-01-27 12:31
VLAI
Details

A local low privileged attacker can bypass the authentication of the Device Manager user interface, allowing them to perform privileged operations and gain administrator access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41727"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-27T12:15:57Z",
    "severity": "HIGH"
  },
  "details": "A local low privileged attacker can bypass the authentication of the Device Manager user interface, allowing them to perform privileged operations and gain administrator access.",
  "id": "GHSA-f6mf-xjgg-34j8",
  "modified": "2026-01-27T12:31:18Z",
  "published": "2026-01-27T12:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41727"
    },
    {
      "type": "WEB",
      "url": "https://certvde.com/de/advisories/VDE-2025-092"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GWVV-QC8G-GMWC

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2026-04-08 21:32
VLAI
Details

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 4.2.6.5. This is due to missing checks in the 'create_account' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4444"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:43:46Z",
    "severity": "MODERATE"
  },
  "details": "The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 4.2.6.5. This is due to missing checks in the \u0027create_account\u0027 function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.",
  "id": "GHSA-gwvv-qc8g-gmwc",
  "modified": "2026-04-08T21:32:36Z",
  "published": "2024-05-14T18:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4444"
    },
    {
      "type": "WEB",
      "url": "https://inky-knuckle-2c2.notion.site/Improper-Authentication-in-checkout-leads-privilege-escalation-of-unauthenticated-to-create-accoun-09da24a043884219a891dd1a0fc01af6"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.6.5/inc/class-lp-checkout.php#L79"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3082204"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9e1410f-10c9-4654-8b61-cfcdde696da7?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H2C5-5PM8-G4X6

Vulnerability from github – Published: 2025-10-29 18:30 – Updated: 2026-01-08 21:30
VLAI
Details

An issue discovered in Dyson App v6.1.23041-23595 allows unauthenticated attackers to control other users' Dyson IoT devices remotely via MQTT.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-56558"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-29T17:15:35Z",
    "severity": "HIGH"
  },
  "details": "An issue discovered in Dyson App v6.1.23041-23595 allows unauthenticated attackers to control other users\u0027 Dyson IoT devices remotely via MQTT.",
  "id": "GHSA-h2c5-5pm8-g4x6",
  "modified": "2026-01-08T21:30:28Z",
  "published": "2025-10-29T18:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56558"
    },
    {
      "type": "WEB",
      "url": "https://archive.org/details/dyson-acpolicy-bug-report"
    },
    {
      "type": "WEB",
      "url": "https://support.dyson.com.au/supporthome/Air-Treatment/Purifier/pure-hot-cool-link/385276-01/troubleshooting/machine-is-not-heating"
    },
    {
      "type": "WEB",
      "url": "https://www.dyson.co.uk/support/reporting-data-security-issues"
    },
    {
      "type": "WEB",
      "url": "https://www.dyson.com/air-treatment/air-purifier-heaters/pure-hot-cool-hp04"
    },
    {
      "type": "WEB",
      "url": "http://dyson.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H935-VXWX-XH2M

Vulnerability from github – Published: 2025-09-08 15:37 – Updated: 2025-11-14 15:30
VLAI
Details

The Microsoft vulnerable driver block list is implemented as Windows Defender Application Control (WDAC) policy. On systems that do not have hypervisor-protected code integrity (HVCI) enabled, entries that specify only the to-be-signed (TBS) part of the code signer certificate are properly blocked, but entries that specify the signing certificate’s TBS hash along with a 'FileAttribRef' qualifier (such as file name or version) will not be blocked. This vulnerability affects any Windows system that does not have HVCI enabled or supported (HVCI is available in Windows 10, Windows 11, and Windows Server 2016 and later). NOTE: The vendor states that the driver blocklist is intended for use with HVCI, while systems without HVCI should use App Control, and any custom blocklist entries require a granular approach for proper enforcement.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420",
      "CWE-693"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-08T15:15:37Z",
    "severity": "CRITICAL"
  },
  "details": "The Microsoft vulnerable driver block list is implemented as Windows Defender Application Control (WDAC) policy. On systems that do not have hypervisor-protected code integrity (HVCI) enabled, entries that specify only the to-be-signed (TBS) part of the code signer certificate are properly blocked, but entries that specify the signing certificate\u00e2\u20ac\u2122s TBS hash along with a \u0027FileAttribRef\u0027 qualifier (such as file name or version) will not be blocked. This vulnerability affects any Windows system that does not have HVCI enabled or supported (HVCI is available in Windows 10, Windows 11, and Windows Server 2016 and later). NOTE: The vendor states that the driver blocklist is intended for use with HVCI, while systems without HVCI should use App Control, and any custom blocklist entries require a granular approach for proper enforcement.",
  "id": "GHSA-h935-vxwx-xh2m",
  "modified": "2025-11-14T15:30:36Z",
  "published": "2025-09-08T15:37:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59033"
    },
    {
      "type": "WEB",
      "url": "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules"
    },
    {
      "type": "WEB",
      "url": "https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity"
    },
    {
      "type": "WEB",
      "url": "https://x.com/JonnyJohnson_/status/1895103112924307727"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MX9Q-6X2G-XJ7C

Vulnerability from github – Published: 2025-12-18 21:31 – Updated: 2026-01-15 21:31
VLAI
Details

BullWall Ransomware Containment contains excluded file paths, such as '$recycle.bin' that are not monitored. An attacker with file write permissions could bypass detection by renaming a directory. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-62001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-18T21:15:53Z",
    "severity": "HIGH"
  },
  "details": "BullWall Ransomware Containment contains excluded file paths, such as \u0027$recycle.bin\u0027 that are not monitored. An attacker with file write permissions could bypass detection by renaming a directory. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected.",
  "id": "GHSA-mx9q-6x2g-xj7c",
  "modified": "2026-01-15T21:31:42Z",
  "published": "2025-12-18T21:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62001"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/VA-25-352-01.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-62001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q3RV-P5XV-CFPQ

Vulnerability from github – Published: 2026-02-09 09:30 – Updated: 2026-02-09 09:30
VLAI
Details

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-09T09:16:34Z",
    "severity": "MODERATE"
  },
  "details": "Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when \"Block remote images\" is used, does not block SVG feImage.",
  "id": "GHSA-q3rv-p5xv-cfpq",
  "modified": "2026-02-09T09:30:22Z",
  "published": "2026-02-09T09:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25916"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roundcube/roundcubemail/commit/26d7677"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=46937012"
    },
    {
      "type": "WEB",
      "url": "https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R9JV-CV83-M4V4

Vulnerability from github – Published: 2025-06-23 15:31 – Updated: 2025-06-23 15:31
VLAI
Details

xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52968"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-420"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-23T15:15:29Z",
    "severity": "LOW"
  },
  "details": "xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.",
  "id": "GHSA-r9jv-cv83-m4v4",
  "modified": "2025-06-23T15:31:43Z",
  "published": "2025-06-23T15:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52968"
    },
    {
      "type": "WEB",
      "url": "https://cgit.freedesktop.org/xdg/xdg-utils/tag/?h=v1.2.1"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2025/06/23/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.

No CAPEC attack patterns related to this CWE.