Common Weakness Enumeration

CWE-706

Allowed-with-Review

Use of Incorrectly-Resolved Name or Reference

Abstraction: Class · Status: Incomplete

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

149 vulnerabilities reference this CWE, most recent first.

GHSA-VW88-V4W8-CWV4

Vulnerability from github – Published: 2025-05-16 18:31 – Updated: 2026-04-01 18:35
VLAI
Details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Estatik Mortgage Calculator Estatik allows PHP Local File Inclusion. This issue affects Mortgage Calculator Estatik: from n/a through 2.0.12.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706",
      "CWE-98"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-16T16:15:45Z",
    "severity": "HIGH"
  },
  "details": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in Estatik Mortgage Calculator Estatik allows PHP Local File Inclusion. This issue affects Mortgage Calculator Estatik: from n/a through 2.0.12.",
  "id": "GHSA-vw88-v4w8-cwv4",
  "modified": "2026-04-01T18:35:07Z",
  "published": "2025-05-16T18:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48136"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/estatik-mortgage-calculator/vulnerability/wordpress-mortgage-calculator-estatik-2-0-12-local-file-inclusion-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W32V-C4GG-XC8P

Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2022-05-24 17:16
VLAI
Details

An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-12278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-27T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.",
  "id": "GHSA-w32v-c4gg-xc8p",
  "modified": "2022-05-24T17:16:36Z",
  "published": "2022-05-24T17:16:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12278"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libgit2/libgit2/releases/tag/v0.28.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libgit2/libgit2/releases/tag/v0.99.0"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W727-595X-PC3R

Vulnerability from github – Published: 2026-05-14 20:17 – Updated: 2026-06-09 10:19
VLAI
Summary
pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad
Details

Summary

The fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). An authenticated attacker can set storage_folder to the session directory and download session files of other users via /files/get/, leading to account takeover.

Details

The fix in src/pyload/core/api/__init__.py:

directories = [PKGDIR, userdir]
if any(directories[0].startswith(d) for d in directories[1:]):
    return  # blocked

But the Flask session directory is:

session_storage_path = os.path.join(api.get_cachedir(), "flask")
# = /tmp/pyLoad/flask  ← NOT blocked by fix

Attack Chain

  1. Attacker (admin) sets storage_folder = /tmp/pyLoad/flask
  2. Fix does NOT block this — /tmp/pyLoad/flask not inside PKGDIR or userdir
  3. Attacker requests GET /files/get/<victim_session_filename>
  4. send_from_directory('/tmp/pyLoad/flask', session_file) serves victim's session
  5. Attacker uses stolen session → Account Takeover

PoC

POC

import os

PKGDIR = "/usr/lib/python3/dist-packages/pyload"
userdir = os.path.expanduser("~/.pyload")
session_dir = "/tmp/pyLoad/flask"

correct_case = lambda x: x
directories = [
    correct_case(os.path.join(os.path.realpath(d), ""))
    for d in [session_dir, PKGDIR, userdir]
]
blocked = any(directories[0].startswith(d) for d in directories[1:])

print(f"Fix blocks session_dir: {blocked}")
# Output: Fix blocks session_dir: False  ← BYPASS CONFIRMED

Impact

Authenticated admin can steal sessions of other users → Account Takeover.

Suggested Fix

blocked_dirs = [PKGDIR, userdir, api.get_cachedir()]
directories = [
    os.path.join(os.path.realpath(d), "")
    for d in [value] + blocked_dirs
]
if any(directories[0].startswith(d) for d in directories[1:]):
    return
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.5.0b3.dev99"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45306"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:17:27Z",
    "nvd_published_at": "2026-05-28T18:16:34Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nThe fix for CVE-2026-33509 prevents setting `storage_folder` inside `PKGDIR` or `userdir`, but does NOT protect the Flask session directory (`/tmp/pyLoad/flask`). An authenticated attacker can set `storage_folder` to the session directory and download session files of other users via `/files/get/`, leading to account takeover.\n\n## Details\n\nThe fix in `src/pyload/core/api/__init__.py`:\n\n```python\ndirectories = [PKGDIR, userdir]\nif any(directories[0].startswith(d) for d in directories[1:]):\n    return  # blocked\n```\n\nBut the Flask session directory is:\n```python\nsession_storage_path = os.path.join(api.get_cachedir(), \"flask\")\n# = /tmp/pyLoad/flask  \u2190 NOT blocked by fix\n```\n\n## Attack Chain\n\n1. Attacker (admin) sets `storage_folder = /tmp/pyLoad/flask`\n2. Fix does NOT block this \u2014 `/tmp/pyLoad/flask` not inside `PKGDIR` or `userdir`\n3. Attacker requests `GET /files/get/\u003cvictim_session_filename\u003e`\n4. `send_from_directory(\u0027/tmp/pyLoad/flask\u0027, session_file)` serves victim\u0027s session\n5. Attacker uses stolen session \u2192 **Account Takeover**\n\n## PoC\n\n\u003cimg width=\"592\" height=\"408\" alt=\"POC\" src=\"https://github.com/user-attachments/assets/936b9f56-325b-437d-9edd-e0d5bb995187\" /\u003e\n\n```python\nimport os\n\nPKGDIR = \"/usr/lib/python3/dist-packages/pyload\"\nuserdir = os.path.expanduser(\"~/.pyload\")\nsession_dir = \"/tmp/pyLoad/flask\"\n\ncorrect_case = lambda x: x\ndirectories = [\n    correct_case(os.path.join(os.path.realpath(d), \"\"))\n    for d in [session_dir, PKGDIR, userdir]\n]\nblocked = any(directories[0].startswith(d) for d in directories[1:])\n\nprint(f\"Fix blocks session_dir: {blocked}\")\n# Output: Fix blocks session_dir: False  \u2190 BYPASS CONFIRMED\n```\n\n## Impact\nAuthenticated admin can steal sessions of other users \u2192 Account Takeover.\n\n## Suggested Fix\n```python\nblocked_dirs = [PKGDIR, userdir, api.get_cachedir()]\ndirectories = [\n    os.path.join(os.path.realpath(d), \"\")\n    for d in [value] + blocked_dirs\n]\nif any(directories[0].startswith(d) for d in directories[1:]):\n    return\n```",
  "id": "GHSA-w727-595x-pc3r",
  "modified": "2026-06-09T10:19:36Z",
  "published": "2026-05-14T20:17:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-w727-595x-pc3r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45306"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-r7mc-x6x7-cqxx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad"
}

GHSA-W87R-VG9Q-CRQM

Vulnerability from github – Published: 2025-11-20 18:31 – Updated: 2025-11-21 18:01
VLAI
Summary
zx Uses Incorrectly-Resolved Name or Reference
Details

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./node_modules pointing to /node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external /node_modules outside the current working directory.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "zx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-13437"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-21T18:01:32Z",
    "nvd_published_at": "2025-11-20T17:15:49Z",
    "severity": "MODERATE"
  },
  "details": "When zx is invoked with --prefer-local=\u003cpath\u003e, the CLI creates a symlink named ./node_modules pointing to \u003cpath\u003e/node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external \u003cpath\u003e/node_modules outside the current working directory.",
  "id": "GHSA-w87r-vg9q-crqm",
  "modified": "2025-11-21T18:01:32Z",
  "published": "2025-11-20T18:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13437"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/zx/issues/1348"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/zx/pull/1349"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/zx/pull/1355"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/zx/commit/9ef6d3c9962c4ba01e3fb8075855570c192b4681"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/zx/commit/a4d1bc2467f305f1c91d62506e215f307dc1fbeb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/google/zx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "zx Uses Incorrectly-Resolved Name or Reference"
}

GHSA-WV46-V6XC-2QHF

Vulnerability from github – Published: 2026-03-26 19:08 – Updated: 2026-04-10 19:46
VLAI
Summary
OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution.
Details

Summary

Synology Chat reply delivery could rebind to a mutable username match instead of the stable numeric user_id recorded by the webhook event.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.3.22
  • Fixed: >= 2026.3.22
  • Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
  • Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

  • 7ade3553b74ee3f461c4acd216653d5ba411f455

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

  • extensions/synology-chat/src/webhook-handler.ts now keeps replies bound to the stable webhook user identifier unless an explicit dangerous opt-in is enabled.
  • extensions/synology-chat/src/config-schema.ts contains the explicit dangerous opt-in seam instead of silent username rebinding.

OpenClaw thanks @nexrin for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-706",
      "CWE-807"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T19:08:16Z",
    "nvd_published_at": "2026-04-10T17:17:09Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nSynology Chat reply delivery could rebind to a mutable username match instead of the stable numeric user_id recorded by the webhook event.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: \u003c 2026.3.22\n- Fixed: \u003e= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `7ade3553b74ee3f461c4acd216653d5ba411f455`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- extensions/synology-chat/src/webhook-handler.ts now keeps replies bound to the stable webhook user identifier unless an explicit dangerous opt-in is enabled.\n- extensions/synology-chat/src/config-schema.ts contains the explicit dangerous opt-in seam instead of silent username rebinding.\n\nOpenClaw thanks @nexrin for reporting.",
  "id": "GHSA-wv46-v6xc-2qhf",
  "modified": "2026-04-10T19:46:22Z",
  "published": "2026-03-26T19:08:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wv46-v6xc-2qhf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35670"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/7ade3553b74ee3f461c4acd216653d5ba411f455"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-webhook-reply-rebinding-via-username-resolution-in-synology-chat"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution."
}

GHSA-WVR7-843J-3M9F

Vulnerability from github – Published: 2024-06-07 06:30 – Updated: 2024-06-07 06:30
VLAI
Details

The Qi Addons For Elementor plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 1.7.2 via the 'behavior' attributes found in the qi_addons_for_elementor_blog_list shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include remote files on the server, resulting in code execution. Please note that this requires an attacker to create a non-existent directory or target an instance where file_exists won't return false with a non-existent directory in the path, in order to successfully exploit.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706",
      "CWE-98"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-07T04:15:31Z",
    "severity": "HIGH"
  },
  "details": "The Qi Addons For Elementor plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 1.7.2 via the \u0027behavior\u0027 attributes found in the qi_addons_for_elementor_blog_list shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include remote files on the server, resulting in code execution. Please note that this requires an attacker to create a non-existent directory or target an instance where file_exists won\u0027t return false with a non-existent directory in the path, in order to successfully exploit.",
  "id": "GHSA-wvr7-843j-3m9f",
  "modified": "2024-06-07T06:30:29Z",
  "published": "2024-06-07T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4887"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3096634/qi-addons-for-elementor/trunk/inc/admin/helpers/helper.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/284daad9-d31e-4d29-ac15-ba293ba9640d?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWRX-W7C9-RF87

Vulnerability from github – Published: 2025-12-02 21:07 – Updated: 2025-12-09 19:51
VLAI
Summary
Singluarity ineffectively applies selinux / apparmor LSM process labels
Details

Impact

Native Mode (default)

Singularity's default native runtime allows users to apply restrictions to container processes using the apparmor or selinux Linux Security Modules (LSMs), via the --security selinux:<label> or --security apparmor:<profile> flags.

LSM labels are written to process or thread attrs/exec under /proc. If a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. This requires:

  • The attacker to cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container.
  • Control of the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from.

Note that Singularity does not attempt to prevent damaging operations, or container escape, from containers that are started as the host root user. When a non-root user starts a container any LSM writes to /proc are performed as that user. For these reasons, the denial-of-service and container escape attacks detailed in runc CVE-2025-52881 are not relevant. Processes running in non-root containers are subject to the standard permissions for the non-root account used, and cannot escalate privilege, even when intended container-specific LSM labels are not correctly applied.

In addition, a bug in the detection of selinux support in Singularity's default setuid flow means that --security selinux:<label> flags may not be applied, even in the absence of an attack - but in this case a warning message is emitted, indicating that selinux is unavailable. This warning may be may be overlooked, mis-interpreted, or not seen when singularity is run from a script or other tool. Failure to apply requested restrictions should result in a fatal error, rather than a warning message.

OCI-Mode

Singularity's OCI-mode is unaffected as it does not currently support applying LSM restrictions via the --security flag.

Patches

Ineffective write of selinux process labels is addressed via an update to the containers/selinux dependency in https://github.com/sylabs/singularity/pull/3850. This update brings in the upstream fix for CVE-2025-52881 in this dependency.

Ineffective write of apparmor process labels is addressed in commit 5af3e79.

Failure to detect apparmor / selinux support, when --security flags are provided, is made an error rather than a warning in commit 2788296.

Workarounds

There are no known workarounds, other than to define system-wide apparmor / selinux policy for Singularity itself. This would apply to all containers, not just those run with the --security flags. Additionally, restrictions that are reasonable to apply to container processes may impact the functionality of Singularity.

References

Related vulnerabilities in runc:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sylabs/singularity/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0-rc.1"
            },
            {
              "fixed": "4.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sylabs/singularity/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61",
      "CWE-706"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T21:07:02Z",
    "nvd_published_at": "2025-12-02T18:15:48Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n_**Native Mode (default)**_\n\nSingularity\u0027s default native runtime allows users to apply restrictions to container processes using the apparmor or selinux Linux Security Modules (LSMs), via the `--security selinux:\u003clabel\u003e` or `--security apparmor:\u003cprofile\u003e` flags.\n\nLSM labels are written to process or thread `attrs/exec` under `/proc`. If a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. This requires:\n\n* The attacker to cause the user to run a malicious container image that redirects the mount of `/proc` to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container.\n* Control of the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from.\n\nNote that Singularity does not attempt to prevent damaging operations, or container escape, from containers that are started as the host root user. When a non-root user starts a container any LSM writes to /proc are performed as that user. For these reasons, the denial-of-service and container escape attacks detailed in [runc CVE-2025-52881](https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm) are not relevant. Processes running in non-root containers are subject to the standard permissions for the non-root account used, and cannot escalate privilege, even when intended container-specific LSM labels are not correctly applied.\n\nIn addition, a bug in the detection of selinux support in Singularity\u0027s default setuid flow means that `--security selinux:\u003clabel\u003e` flags may not be applied, even in the absence of an attack  - but in this case a warning message is emitted, indicating that selinux is unavailable. This warning may be may be overlooked, mis-interpreted, or not seen when singularity is run from a script or other tool. Failure to apply requested restrictions should result in a fatal error, rather than a warning message.\n\n_**OCI-Mode**_\n\nSingularity\u0027s OCI-mode is unaffected as it does not currently support applying LSM restrictions via the `--security` flag.\n\n### Patches\n\nIneffective write of selinux process labels is addressed via an update to the containers/selinux dependency in https://github.com/sylabs/singularity/pull/3850. This update brings in the upstream fix for CVE-2025-52881 in this dependency.\n\nIneffective write of apparmor process labels is addressed in commit 5af3e79.\n\nFailure to detect apparmor / selinux support, when `--security` flags are provided, is made an error rather than a warning in commit 2788296.\n\n### Workarounds\n\nThere are no known workarounds, other than to define system-wide apparmor / selinux policy for Singularity itself. This would apply to all containers, not just those run with the `--security` flags. Additionally, restrictions that are reasonable to apply to container processes may impact the functionality of Singularity.\n\n### References\n\nRelated vulnerabilities in runc:\n\n* [runc CVE-2025-52881](https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm)\n* [runc CVE-2019-19921](https://github.com/advisories/GHSA-fh74-hm69-rqjw)",
  "id": "GHSA-wwrx-w7c9-rf87",
  "modified": "2025-12-09T19:51:27Z",
  "published": "2025-12-02T21:07:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64750"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/pull/3850"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-fh74-hm69-rqjw"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sylabs/singularity"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-4177"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Singluarity ineffectively applies selinux / apparmor LSM process labels"
}

GHSA-WXCX-GG9C-FWP2

Vulnerability from github – Published: 2024-07-18 22:03 – Updated: 2024-08-07 16:01
VLAI
Summary
TorchServe vulnerable to bypass of allowed_urls configuration
Details

Impact

TorchServe's check on allowed_urls configuration can be by-passed if the URL contains characters such as ".." but it does not prevent the model from being downloaded into the model store. Once a file is downloaded, it can be referenced without providing a URL the second time, which effectively bypasses the allowed_urls security check. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected.

Patches

This issue in TorchServe has been fixed by validating the URL without characters such as ".." before downloading: #3082.

TorchServe release 0.11.0 includes the fix to address this vulnerability.

References

Thank Kroll Cyber Risk for for responsibly disclosing this issue.

If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "torchserve"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-35198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-706"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-18T22:03:30Z",
    "nvd_published_at": "2024-07-19T02:15:14Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nTorchServe\u0027s check on allowed_urls configuration can be by-passed if the URL contains characters such as \"..\" but it does not prevent the model from being downloaded into the model store. Once a file is downloaded, it can be referenced without providing a URL the second time, which effectively bypasses the allowed_urls security check. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected.\n\n### Patches\nThis issue in TorchServe has been fixed by validating the URL without characters such as \"..\" before downloading: [#3082](https://github.com/pytorch/serve/pull/3082).\n\nTorchServe release 0.11.0 includes the fix to address this vulnerability.\n\n### References\n* [#3082](https://github.com/pytorch/serve/pull/3082)\n* [TorchServe release v0.11.0](https://github.com/pytorch/serve/releases/tag/v0.11.0)\n\nThank Kroll Cyber Risk for for responsibly disclosing this issue.\n\nIf you have any questions or comments about this advisory, we ask that you contact AWS Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.",
  "id": "GHSA-wxcx-gg9c-fwp2",
  "modified": "2024-08-07T16:01:12Z",
  "published": "2024-07-18T22:03:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pytorch/serve/security/advisories/GHSA-wxcx-gg9c-fwp2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35198"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pytorch/serve/pull/3082"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pytorch/serve/commit/cdba0fd449c2fd23dcf37c54c0784035541d5114"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pytorch/serve"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pytorch/serve/releases/tag/v0.11.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TorchServe vulnerable to bypass of allowed_urls configuration"
}

GHSA-X74X-R4Q4-C3RW

Vulnerability from github – Published: 2026-01-29 06:30 – Updated: 2026-03-09 15:30
VLAI
Details

SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-29T05:16:13Z",
    "severity": "MODERATE"
  },
  "details": "SmarterTools SmarterMail versions prior to build 9518  contain\u00a0an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication.",
  "id": "GHSA-x74x-r4q4-c3rw",
  "modified": "2026-03-09T15:30:32Z",
  "published": "2026-01-29T06:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25067"
    },
    {
      "type": "WEB",
      "url": "https://www.smartertools.com/smartermail/release-notes/current"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-background-of-the-day-path-coercion"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-159: Redirect Access to Libraries

An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation.

CAPEC-177: Create files with the same name as files protected with a higher classification

An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privileged file. The attacker could manipulate the system if the attacker-created file is trusted by the operating system or an application component that attempts to load the original file. Applications often load or include external files, such as libraries or configuration files. These files should be protected against malicious manipulation. However, if the application only uses the name of the file when locating it, an attacker may be able to create a file with the same name and place it in a directory that the application will search before the directory with the legitimate file is searched. Because the attackers' file is discovered first, it would be used by the target application. This attack can be extremely destructive if the referenced file is executable and/or is granted special privileges based solely on having a particular name.

CAPEC-48: Passing Local Filenames to Functions That Expect a URL

This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.

CAPEC-641: DLL Side-Loading

An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading.