Common Weakness Enumeration

CWE-15

External Control of System or Configuration Setting

One or more system settings or configuration elements can be externally controlled by a user.

CVE-2025-64726 (GCVE-0-2025-64726)

Vulnerability from cvelistv5 – Published: 2025-11-13 19:55 – Updated: 2025-11-13 20:18
VLAI
Title
External Control of System or Configuration Setting and Uncontrolled Search Path Element in sfw
Summary
Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. Socket Firewall binary versions (separate from installers) prior to 0.15.5 are vulnerable to arbitrary code execution when run in untrusted project directories. The vulnerability allows an attacker to execute arbitrary code by placing a malicious `.sfw.config` file in a project directory. When a developer runs Socket Firewall commands (e.g., `sfw npm install`) in that directory, the tool loads the `.sfw.config` file and populates environment variables directly into the Node.js process. An attacker can exploit this by setting `NODE_OPTIONS` with a `--require` directive to execute malicious JavaScript code before Socket Firewall's security controls are initialized, effectively bypassing the tool's malicious package detection. The attack vector is indirect and requires a developer to install dependencies for an untrusted project and execute a command within the context of the untrusted project. The vulnerability has been patched in Socket Firewall version 0.15.5. Users should upgrade to version 0.15.5 or later. The fix isolates configuration file values from subprocess environments. Look at `sfw --version` for version information. If users rely on the recommended installation mechanism (e.g. global installation via `npm install -g sfw`) then no workaround is necessary. This wrapper package automatically ensures that users are running the latest version of Socket Firewall. Users who have manually installed the binary and cannot immediately upgrade should avoid running Socket Firewall in untrusted project directories. Before running Socket Firewall in any new project, inspect `.sfw.config` and `.env.local` files for suspicious `NODE_OPTIONS` or other environment variable definitions that reference local files.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-15 - External Control of System or Configuration Setting
  • CWE-427 - Uncontrolled Search Path Element
Assigner
References
Impacted products
Vendor Product Version
SocketDev firewall-release Affected: < 0.15.5
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64726",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-13T20:14:35.678135Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-13T20:18:33.987Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "firewall-release",
          "vendor": "SocketDev",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.15.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. Socket Firewall binary versions (separate from installers) prior to 0.15.5 are vulnerable to arbitrary code execution when run in untrusted project directories. The vulnerability allows an attacker to execute arbitrary code by placing a malicious `.sfw.config` file in a project directory. When a developer runs Socket Firewall commands (e.g., `sfw npm install`) in that directory, the tool loads the `.sfw.config` file and populates environment variables directly into the Node.js process. An attacker can exploit this by setting `NODE_OPTIONS` with a `--require` directive to execute malicious JavaScript code before Socket Firewall\u0027s security controls are initialized, effectively bypassing the tool\u0027s malicious package detection. The attack vector is indirect and requires a developer to install dependencies for an untrusted project and execute a command within the context of the untrusted project. The vulnerability has been patched in Socket Firewall version 0.15.5. Users should upgrade to version 0.15.5 or later. The fix isolates configuration file values from subprocess environments. Look at `sfw --version` for version information. If users rely on the recommended installation mechanism (e.g. global installation via `npm install -g sfw`) then no workaround is necessary. This wrapper package automatically ensures that users are running the latest version of Socket Firewall. Users who have manually installed the binary and cannot immediately upgrade should avoid running Socket Firewall in untrusted project directories. Before running Socket Firewall in any new project, inspect `.sfw.config` and `.env.local` files for suspicious `NODE_OPTIONS` or other environment variable definitions that reference local files."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-15",
              "description": "CWE-15: External Control of System or Configuration Setting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427: Uncontrolled Search Path Element",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-13T19:55:57.970Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/SocketDev/firewall-release/security/advisories/GHSA-6c5p-vqrh-h6fp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/SocketDev/firewall-release/security/advisories/GHSA-6c5p-vqrh-h6fp"
        },
        {
          "name": "https://bsky.app/profile/evilpacket.net/post/3m4iylwxtns2t",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bsky.app/profile/evilpacket.net/post/3m4iylwxtns2t"
        }
      ],
      "source": {
        "advisory": "GHSA-6c5p-vqrh-h6fp",
        "discovery": "UNKNOWN"
      },
      "title": "External Control of System or Configuration Setting and Uncontrolled Search Path Element in sfw"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64726",
    "datePublished": "2025-11-13T19:55:57.970Z",
    "dateReserved": "2025-11-10T14:07:42.923Z",
    "dateUpdated": "2025-11-13T20:18:33.987Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-8283 (GCVE-0-2025-8283)

Vulnerability from cvelistv5 – Published: 2025-07-28 18:16 – Updated: 2026-06-30 07:37
VLAI
Title
Netavark: podman: netavark may resolve hostnames to unexpected hosts
Summary
A vulnerability was found in the netavark package, a network stack for containers used with Podman. Due to dns.podman search domain being removed, netavark may return external servers if a valid A/AAAA record is sent as a response. When creating a container with a given name, this name will be used as the hostname for the container itself, as the podman's search domain is not added anymore the container is using the host's resolv.conf, and the DNS resolver will try to look into the search domains contained on it. If one of the domains contain a name with the same hostname as the running container, the connection will forward to unexpected external servers.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-15 - External Control of System or Configuration Setting
Assigner
Impacted products
Vendor Product Version
Affected: 0 , < 1.15.1 (semver)
Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
Create a notification for this product.
Date Public
2025-07-28 00:00
Credits
Red Hat would like to thank Johannes Kasberger for reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-8283",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-28T18:28:59.475895Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-28T18:29:12.662Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/containers/netavark",
          "defaultStatus": "unaffected",
          "packageName": "netavark",
          "versions": [
            {
              "lessThan": "1.15.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "netavark",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "container-tools:rhel8/containers-common",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "packageName": "container-tools:rhel8/netavark",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "packageName": "netavark",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "rhcos",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Johannes Kasberger for reporting this issue."
        }
      ],
      "datePublic": "2025-07-28T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in the netavark package, a network stack for containers used with Podman. Due to dns.podman search domain being removed, netavark may return external servers if a valid A/AAAA record is sent as a response. When creating a container with a given name, this name will be used as the hostname for the container itself, as the podman\u0027s search domain is not added anymore the container is using the host\u0027s resolv.conf, and the DNS resolver will try to look into the search domains contained on it. If one of the domains contain a name with the same hostname as the running container, the connection will forward to unexpected external servers."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Low"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-15",
              "description": "External Control of System or Configuration Setting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T07:37:21.398Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-8283"
        },
        {
          "name": "RHBZ#2383941",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2383941"
        },
        {
          "url": "https://github.com/advisories/GHSA-rpcf-rmh6-42xr"
        },
        {
          "url": "https://github.com/containers/netavark/releases/tag/v1.15.1"
        },
        {
          "url": "https://github.com/containers/podman/issues/2619"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-07-28T14:15:36.417Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-07-28T00:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Netavark: podman: netavark may resolve hostnames to unexpected hosts",
      "workarounds": [
        {
          "lang": "en",
          "value": "As a proactive mitigation, configure containers to have hostnames formatted as \u003cname\u003e.dns.podman. This specific naming convention will prevent aardvark-dns from forwarding these queries to external search domains, thereby reducing potential exposure or unexpected network behavior associated with such queries."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-15: External Control of System or Configuration Setting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-8283",
    "datePublished": "2025-07-28T18:16:07.853Z",
    "dateReserved": "2025-07-28T14:16:27.236Z",
    "dateUpdated": "2026-06-30T07:37:21.398Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-0232 (GCVE-0-2026-0232)

Vulnerability from cvelistv5 – Published: 2026-04-13 07:22 – Updated: 2026-04-13 13:27
VLAI
Title
Cortex XDR Agent: Local Administrator can disable the agent on Windows
Summary
A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. This issue may be leveraged by malware to perform malicious activity without detection.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-15 - External Control of System or Configuration Setting
Assigner
References
Impacted products
Vendor Product Version
Palo Alto Networks Cortex XDR Agent Unaffected: 9.1.0 , < 5.10.14 (custom)
Unaffected: 9.0 (custom)
Unaffected: 8.9 (custom)
Unaffected: 8.7-CE (custom)
Create a notification for this product.
Palo Alto Networks Cortex XDR Agent Affected: 9.0 , < 9.0.1 (custom)
Affected: 8.9 , < 8.9.1 (custom)
Affected: 8.7-CE , < 8.7.101-CE (custom)
Affected: 8.3-CE , < 8.3-CE-CU-2120 (custom)
Affected: 7.9-CE , < 7.9-CE-CU-2120 (custom)
    cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:9.0.0:*:*:*:*:Windows:*:*
    cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.9.0:*:*:*:*:Windows:*:*
    cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.7-CE:*:*:*:*:Windows:*:*
Create a notification for this product.
Date Public
2026-04-08 16:00
Credits
WhatThe0xDoin
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0232",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T13:14:26.660757Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T13:27:43.511Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cortex XDR Agent",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "5.10.14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "5.10.14",
              "status": "unaffected",
              "version": "9.1.0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "9.0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "8.9",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "8.7-CE",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:9.0.0:*:*:*:*:Windows:*:*",
            "cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.9.0:*:*:*:*:Windows:*:*",
            "cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.7-CE:*:*:*:*:Windows:*:*"
          ],
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "Cortex XDR Agent",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "9.0.1",
                  "status": "unaffected"
                }
              ],
              "lessThan": "9.0.1",
              "status": "affected",
              "version": "9.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "8.9.1",
                  "status": "unaffected"
                }
              ],
              "lessThan": "8.9.1",
              "status": "affected",
              "version": "8.9",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "8.7.101-CE",
                  "status": "unaffected"
                }
              ],
              "lessThan": "8.7.101-CE",
              "status": "affected",
              "version": "8.7-CE",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "8.3-CE",
                  "status": "unaffected"
                }
              ],
              "lessThan": "8.3-CE-CU-2120",
              "status": "affected",
              "version": "8.3-CE",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "7.9-CE",
                  "status": "unaffected"
                }
              ],
              "lessThan": "7.9-CE-CU-2120",
              "status": "affected",
              "version": "7.9-CE",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*",
                  "versionEndExcluding": "9.0.1",
                  "versionStartIncluding": "9.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*",
                  "versionEndExcluding": "8.9.1",
                  "versionStartIncluding": "8.9.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*",
                  "versionEndExcluding": "8.7.101-ce",
                  "versionStartIncluding": "8.7.101",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "WhatThe0xDoin"
        }
      ],
      "datePublic": "2026-04-08T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent.\u0026nbsp;This issue may be leveraged by malware to perform malicious activity without detection."
            }
          ],
          "value": "A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent.\u00a0This issue may be leveraged by malware to perform malicious activity without detection."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-578",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-578 Disable Security Software"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "UNREPORTED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-15",
              "description": "CWE-15: External Control of System or Configuration Setting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T07:22:48.325Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2026-0232"
        }
      ],
      "solutions": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eTo fully remediate this vulnerability, customers must ensure their Content Update is at version 2120 or higher. This update provides the necessary protection across all supported versions of Cortex XDR.\u003c/p\u003e\u003cp\u003eWhile the Content Update provides the primary fix, the following software releases include complementary architectural enhancements to further harden the environment:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCortex XDR 9.1.0 (or later)\u003c/li\u003e\u003cli\u003eCortex XDR 9.0.1 (or later)\u003c/li\u003e\u003cli\u003eCortex XDR 8.9.1 (or later)\u003c/li\u003e\u003cli\u003eCortex XDR 8.7.101-CE (or later)\u003c/li\u003e\u003c/ul\u003eNote for 8.3-CE and 7.9-CE: These versions are fully protected by applying Content Update 2120. No additional software upgrade is required for these versions to mitigate this specific vulnerability."
            }
          ],
          "value": "To fully remediate this vulnerability, customers must ensure their Content Update is at version 2120 or higher. This update provides the necessary protection across all supported versions of Cortex XDR.\n\nWhile the Content Update provides the primary fix, the following software releases include complementary architectural enhancements to further harden the environment:\n\n * Cortex XDR 9.1.0 (or later)\n * Cortex XDR 9.0.1 (or later)\n * Cortex XDR 8.9.1 (or later)\n * Cortex XDR 8.7.101-CE (or later)\n\nNote for 8.3-CE and 7.9-CE: These versions are fully protected by applying Content Update 2120. No additional software upgrade is required for these versions to mitigate this specific vulnerability."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-08T16:00:00.000Z",
          "value": "Initial publication."
        }
      ],
      "title": "Cortex XDR Agent: Local Administrator can disable the agent on Windows",
      "workarounds": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No known workarounds exist for this issue."
            }
          ],
          "value": "No known workarounds exist for this issue."
        }
      ],
      "x_affectedList": [
        "Cortex XDR Agent 9.0.0",
        "Cortex XDR Agent 8.9.0",
        "Cortex XDR Agent 8.7-CE"
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2026-0232",
    "datePublished": "2026-04-13T07:22:48.325Z",
    "dateReserved": "2025-11-03T20:43:53.493Z",
    "dateUpdated": "2026-04-13T13:27:43.511Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-0418 (GCVE-0-2026-0418)

Vulnerability from cvelistv5 – Published: 2026-06-09 15:50 – Updated: 2026-06-10 15:56
VLAI
Title
Certain NETGEAR devices allow administrators to tamper with system
Summary
Insufficient configuration management in the listed devices allows authenticated administrators connected to the local network to tamper with the system.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-15 - External control of system or configuration setting
Assigner
References
URL Tags
https://www.netgear.com/support/product/cbr750/ productpatch
https://www.netgear.com/support/product/rax15/ productpatch
https://www.netgear.com/support/product/ex6120/ productpatch
https://www.netgear.com/support/product/rax200/ productpatch
https://www.netgear.com/support/product/rax38v2/ productpatch
https://www.netgear.com/support/product/rax75/ productpatch
https://www.netgear.com/support/product/mr60/ productpatch
https://www.netgear.com/support/product/rax80/ productpatch
https://www.netgear.com/support/product/rbr840/ productpatch
https://www.netgear.com/support/product/rbr750/ productpatch
https://www.netgear.com/support/product/rbs750/ productpatch
https://www.netgear.com/support/product/ex6130/ productpatch
https://www.netgear.com/support/product/rbr850/ productpatch
https://www.netgear.com/support/product/rbs840/ productpatch
https://www.netgear.com/support/product/rbs850/ productpatch
https://www.netgear.com/support/product/ms60/ productpatch
https://www.netgear.com/support/product/rs700/ productpatch
https://www.netgear.com/support/product/mr70/ productpatch
https://www.netgear.com/support/product/mr80/ productpatch
https://www.netgear.com/support/product/ms70/ productpatch
https://www.netgear.com/support/product/rax35v2/ productpatch
https://www.netgear.com/support/product/rax20/ productpatch
https://www.netgear.com/support/product/ms80/ productpatch
https://www.netgear.com/support/product/rax40v2/ productpatch
https://www.netgear.com/support/product/rax42/ productpatch
https://www.netgear.com/support/product/rax43/ productpatch
https://www.netgear.com/support/product/rax50/ productpatch
https://www.netgear.com/support/product/raxe500/ productpatch
https://www.netgear.com/support/product/rax48/ productpatch
https://www.netgear.com/support/product/rax50s/ productpatch
https://www.netgear.com/support/product/rbse960/ productpatch
https://www.netgear.com/support/product/raxe450/ productpatch
https://www.netgear.com/support/product/rax45/ productpatch
https://www.netgear.com/support/product/rbre960/ productpatch
https://www.netgear.com/support/product/xr1000/ productpatch
https://kb.netgear.com/000070811/June-2026-NETGEA… vendor-advisory
Impacted products
Vendor Product Version
NETGEAR CBR750 Affected: 0 , < v4.6.14.4 (custom)
Create a notification for this product.
NETGEAR EX6120 Affected: 0 , ≤ 1.0.0.72 (custom)
Create a notification for this product.
NETGEAR EX6130 Affected: 0 , ≤ 1.0.0.54 (custom)
Create a notification for this product.
NETGEAR MR60 Affected: 0 , < V1.1.7.128 (custom)
Create a notification for this product.
NETGEAR MR70 Affected: 0 , < V1.0.3.28 (custom)
Create a notification for this product.
NETGEAR MR80 Affected: 0 , < V1.1.7.6 (custom)
Create a notification for this product.
NETGEAR MS60 Affected: 0 , < V1.1.7.128 (custom)
Create a notification for this product.
NETGEAR MS70 Affected: 0 , < V1.0.3.28 (custom)
Create a notification for this product.
NETGEAR MS80 Affected: 0 , < V1.1.7.6 (custom)
Create a notification for this product.
NETGEAR RAX15 Affected: 0 , ≤ 1.0.18.144 (custom)
Create a notification for this product.
NETGEAR RAX20 Affected: 0 , ≤ 1.0.18.144 (custom)
Create a notification for this product.
NETGEAR RAX200 Affected: 0 , ≤ 1.0.11.148 (custom)
Create a notification for this product.
NETGEAR RAX35v2 Affected: 0 , < V1.0.11.112 (custom)
Create a notification for this product.
NETGEAR RAX38v2 Affected: 0 , < V1.0.11.112 (custom)
Create a notification for this product.
NETGEAR RAX40v2 Affected: 0 , < V1.0.11.112 (custom)
Create a notification for this product.
NETGEAR RAX42 Affected: 0 , < V1.0.11.112 (custom)
Create a notification for this product.
NETGEAR RAX43 Affected: 0 , < V1.0.11.112 (custom)
Create a notification for this product.
NETGEAR RAX45 Affected: 0 , < V1.0.11.112 (custom)
Create a notification for this product.
NETGEAR RAX48 Affected: 0 , < V1.0.11.112 (custom)
Create a notification for this product.
NETGEAR RAX50 Affected: 0 , < V1.0.11.112 (custom)
Create a notification for this product.
NETGEAR RAX50S Affected: 0 , < V1.0.11.112 (custom)
Create a notification for this product.
NETGEAR RAX75 Affected: 0 , ≤ 1.0.11.148 (custom)
Create a notification for this product.
NETGEAR RAX80 Affected: 0 , ≤ 1.0.11.148 (custom)
Create a notification for this product.
NETGEAR RAXE450 Affected: 0 , < V1.0.10.86 (custom)
Create a notification for this product.
NETGEAR RAXE500 Affected: 0 , < V1.0.10.86 (custom)
Create a notification for this product.
NETGEAR RBR750 Affected: 0 , < V4.6.14.3 (custom)
Create a notification for this product.
NETGEAR RBR840 Affected: 0 , < V4.6.14.3 (custom)
Create a notification for this product.
NETGEAR RBR850 Affected: 0 , < V4.6.14.3 (custom)
Create a notification for this product.
NETGEAR RBRE960 Affected: 0 , < V6.3.7.5 (custom)
Create a notification for this product.
NETGEAR RBS750 Affected: 0 , < V4.6.14.3 (custom)
Create a notification for this product.
NETGEAR RBS840 Affected: 0 , < V4.6.14.3 (custom)
Create a notification for this product.
NETGEAR RBS850 Affected: 0 , < V4.6.14.3 (custom)
Create a notification for this product.
NETGEAR RBSE960 Affected: 0 , < V6.3.7.5 (custom)
Create a notification for this product.
NETGEAR RS700 Affected: 0 , < V1.0.7.66 (custom)
Create a notification for this product.
NETGEAR XR1000 Affected: 0 , < v1.0.0.68 (custom)
Create a notification for this product.
Date Public
2026-06-09 00:00
Credits
byte_blaster
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0418",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T17:08:11.783284Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T17:09:21.456Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CBR750",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "v4.6.14.4",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EX6120",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThanOrEqual": "1.0.0.72",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EX6130",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThanOrEqual": "1.0.0.54",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MR60",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.1.7.128",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MR70",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.0.3.28",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MR80",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.1.7.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS60",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.1.7.128",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS70",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.0.3.28",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS80",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.1.7.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAX15",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThanOrEqual": "1.0.18.144",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAX20",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThanOrEqual": "1.0.18.144",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAX200",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThanOrEqual": "1.0.11.148",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAX35v2",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.0.11.112",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAX38v2",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.0.11.112",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAX40v2",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.0.11.112",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAX42",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.0.11.112",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAX43",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.0.11.112",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAX45",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.0.11.112",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAX48",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.0.11.112",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAX50",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.0.11.112",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAX50S",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.0.11.112",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAX75",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThanOrEqual": "1.0.11.148",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAX80",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThanOrEqual": "1.0.11.148",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAXE450",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.0.10.86",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RAXE500",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.0.10.86",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RBR750",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V4.6.14.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RBR840",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V4.6.14.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RBR850",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V4.6.14.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RBRE960",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V6.3.7.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RBS750",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V4.6.14.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RBS840",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V4.6.14.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RBS850",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V4.6.14.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RBSE960",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V6.3.7.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RS700",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "V1.0.7.66",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "XR1000",
          "vendor": "NETGEAR",
          "versions": [
            {
              "lessThan": "v1.0.0.68",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "byte_blaster"
        }
      ],
      "datePublic": "2026-06-09T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cspan\u003e\u003cspan\u003eInsufficient configuration management in the listed devices\u0026nbsp;\u003c/span\u003e\u003c/span\u003e\u003cspan\u003eallows authenticated administrators connected to the local network\n\u003c/span\u003e\u003cspan\u003eto tamper with the system.\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "Insufficient configuration management in the listed devices\u00a0allows authenticated administrators connected to the local network\nto tamper with the system."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-184",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-184 Software Integrity Attack"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "UNREPORTED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/R:U/V:D/RE:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-15",
              "description": "CWE-15 External control of system or configuration setting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T15:56:54.459Z",
        "orgId": "a2826606-91e7-4eb6-899e-8484bd4575d5",
        "shortName": "NETGEAR"
      },
      "references": [
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/cbr750/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rax15/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/ex6120/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rax200/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rax38v2/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rax75/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/mr60/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rax80/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rbr840/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rbr750/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rbs750/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/ex6130/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rbr850/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rbs840/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rbs850/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/ms60/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rs700/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/mr70/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/mr80/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/ms70/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rax35v2/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rax20/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/ms80/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rax40v2/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rax42/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rax43/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rax50/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/raxe500/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rax48/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rax50s/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rbse960/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/raxe450/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rax45/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/rbre960/"
        },
        {
          "tags": [
            "product",
            "patch"
          ],
          "url": "https://www.netgear.com/support/product/xr1000/"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kb.netgear.com/000070811/June-2026-NETGEAR-Security-Advisory"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDevices with automatic updates enabled may already have this patch applied. If not, please check the firmware version and update it to the latest. Fixed in:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eProduct\u003c/th\u003e\u003cth\u003eFixed Version\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eCBR750\u003c/b\u003e Orbi WiFi 6 DOCSIS 3.1 Mesh WiFi Cable Modem Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/cbr750/\"\u003ev4.6.14.4\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eEX6120 (EoS)\u003c/b\u003e AC1200 Dual Band WiFi Range Extender\u003c/td\u003e\u003ctd\u003eEOS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eEX6130 (EoS)\u0026nbsp;\u003c/b\u003eAC1200 WiFi Range Extender\u003c/td\u003e\u003ctd\u003eEOS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eMR60\u003c/b\u003e Nighthawk Mesh WiFi 6 Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/mr60/\"\u003eV1.1.7.128\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eMR70\u003c/b\u003e Nighthawk Mesh WiFi 6 Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/mr70/\"\u003eV1.0.3.28\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eMR80\u003c/b\u003e Nighthawk Tri-band Mesh WiFi 6 Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/mr80/\"\u003eV1.1.7.6\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eMS60\u003c/b\u003e Nighthawk Mesh WiFi 6 Add-on Satellite\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/ms60/\"\u003eV1.1.7.128\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eMS70\u003c/b\u003e Nighthawk Mesh WiFi 6 Add-on Satellite\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/ms70/\"\u003eV1.0.3.28\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eMS80\u003c/b\u003e Nighthawk Tri-band Mesh WiFi 6 Add-on Satellite\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/ms80/\"\u003eV1.1.7.6\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAX15(EoS)\u003c/b\u003e 4-Stream AX1800 WiFi 6 Router\u003c/td\u003e\u003ctd\u003eEOS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAX20 (EoS)\u003c/b\u003e 4-Stream AX1800 WiFi 6 Router\u003c/td\u003e\u003ctd\u003eEOS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAX200 (EoS)\u003c/b\u003e Nighthawk Tri-Band AX12 12-Stream WiFi Router\u003c/td\u003e\u003ctd\u003eEOS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAX35v2\u003c/b\u003e Nighthawk AX4 4-Stream AX3000 WiFi 6 Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rax35v2/\"\u003eV1.0.11.112\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAX38v2\u003c/b\u003e Nighthawk AX4 4-Stream AX3000 WiFi Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rax38v2/\"\u003eV1.0.11.112\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAX40v2\u003c/b\u003e Nighthawk AX4 4-Stream WiFi Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rax40v2/\"\u003eV1.0.11.112\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAX42 (EoS)\u003c/b\u003e Nighthawk AX5 5-Stream AX4200 WiFi Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rax42/\"\u003eV1.0.11.112\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAX43 (EoS)\u003c/b\u003e Nighthawk AX5 5-Stream AX4200 WiFi Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rax43/\"\u003eV1.0.11.112\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAX45 (EoS)\u003c/b\u003e Nighthawk AX6 6-Stream AX4300 WiFi Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rax45/\"\u003eV1.0.11.112\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAX48\u003c/b\u003e Nighthawk AX6 6-Stream AX5200 WiFi 6 Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rax48/\"\u003eV1.0.11.112\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAX50\u003c/b\u003e Nighthawk AX6 6-Stream AX5400 WiFi 6 Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rax50/\"\u003eV1.0.11.112\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAX50S\u003c/b\u003e Nighthawk AX6 6-Stream AX5400 WiFi 6 Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rax50s/\"\u003eV1.0.11.112\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAX75 (EoS)\u003c/b\u003e Nighthawk AX8 8-Stream AX5700 WiFi 6 Router\u003c/td\u003e\u003ctd\u003eEOS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAX80 (EoS)\u003c/b\u003e Nighthawk AX8 8-Stream WiFi Router\u003c/td\u003e\u003ctd\u003eEOS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAXE450\u003c/b\u003e Nighthawk AXE10000 Tri-Band WiFi 6E Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/raxe450/\"\u003eV1.0.10.86\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRAXE500\u003c/b\u003e Nighthawk AX12 12-Stream AXE11000 Tri-Band WiFi 6E Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/raxe500/\"\u003eV1.0.10.86\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRBR750\u003c/b\u003e Orbi WiFi 6 Router AX4200\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rbr750/\"\u003eV4.6.14.3\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRBR840 (EoS)\u003c/b\u003e Orbi WiFi 6 System AX5700\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rbr840/\"\u003eV4.6.14.3\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRBR850\u003c/b\u003e Orbi WiFi 6 Router AX6000\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rbr850/\"\u003eV4.6.14.3\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRBRE960\u003c/b\u003e Orbi Quad-band Mesh WiFi 6E Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rbre960/\"\u003eV6.3.7.5\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRBS750\u003c/b\u003e Orbi WiFi 6 Add-on Satellite AX4200\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rbs750/\"\u003eV4.6.14.3\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRBS840 (EoS)\u003c/b\u003e Orbi WiFi 6 Add-on Satellite AX5700\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rbs840/\"\u003eV4.6.14.3\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRBS850\u003c/b\u003e Orbi WiFi 6 Satellite AX6000\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rbs850/\"\u003eV4.6.14.3\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRBSE960\u003c/b\u003e Orbi Quad-band Mesh WiFi 6E Add-on Satellite\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rbse960/\"\u003eV6.3.7.5\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRS700\u003c/b\u003e Nighthawk BE19000 WiFi 7 Tri-Band Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/rs700/\"\u003eV1.0.7.66\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eXR1000\u003c/b\u003e Nighthawk WiFi 6 Pro Gaming Router\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.netgear.com/support/product/xr1000/\"\u003ev1.0.0.68\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eModels marked (EoS) have reached End-of-Support phase, and no security updates are planned. NETGEAR strongly recommends that you retire these devices and upgrade to a newer NETGEAR device for continued security support.\u003c/p\u003e"
            }
          ],
          "value": "Devices with automatic updates enabled may already have this patch applied. If not, please check the firmware version and update it to the latest. Fixed in:\n\nProductFixed VersionCBR750 Orbi WiFi 6 DOCSIS 3.1 Mesh WiFi Cable Modem Router v4.6.14.4 https://www.netgear.com/support/product/cbr750/ EX6120 (EoS) AC1200 Dual Band WiFi Range ExtenderEOSEX6130 (EoS)\u00a0AC1200 WiFi Range ExtenderEOSMR60 Nighthawk Mesh WiFi 6 Router V1.1.7.128 https://www.netgear.com/support/product/mr60/ MR70 Nighthawk Mesh WiFi 6 Router V1.0.3.28 https://www.netgear.com/support/product/mr70/ MR80 Nighthawk Tri-band Mesh WiFi 6 Router V1.1.7.6 https://www.netgear.com/support/product/mr80/ MS60 Nighthawk Mesh WiFi 6 Add-on Satellite V1.1.7.128 https://www.netgear.com/support/product/ms60/ MS70 Nighthawk Mesh WiFi 6 Add-on Satellite V1.0.3.28 https://www.netgear.com/support/product/ms70/ MS80 Nighthawk Tri-band Mesh WiFi 6 Add-on Satellite V1.1.7.6 https://www.netgear.com/support/product/ms80/ RAX15(EoS) 4-Stream AX1800 WiFi 6 RouterEOSRAX20 (EoS) 4-Stream AX1800 WiFi 6 RouterEOSRAX200 (EoS) Nighthawk Tri-Band AX12 12-Stream WiFi RouterEOSRAX35v2 Nighthawk AX4 4-Stream AX3000 WiFi 6 Router V1.0.11.112 https://www.netgear.com/support/product/rax35v2/ RAX38v2 Nighthawk AX4 4-Stream AX3000 WiFi Router V1.0.11.112 https://www.netgear.com/support/product/rax38v2/ RAX40v2 Nighthawk AX4 4-Stream WiFi Router V1.0.11.112 https://www.netgear.com/support/product/rax40v2/ RAX42 (EoS) Nighthawk AX5 5-Stream AX4200 WiFi Router V1.0.11.112 https://www.netgear.com/support/product/rax42/ RAX43 (EoS) Nighthawk AX5 5-Stream AX4200 WiFi Router V1.0.11.112 https://www.netgear.com/support/product/rax43/ RAX45 (EoS) Nighthawk AX6 6-Stream AX4300 WiFi Router V1.0.11.112 https://www.netgear.com/support/product/rax45/ RAX48 Nighthawk AX6 6-Stream AX5200 WiFi 6 Router V1.0.11.112 https://www.netgear.com/support/product/rax48/ RAX50 Nighthawk AX6 6-Stream AX5400 WiFi 6 Router V1.0.11.112 https://www.netgear.com/support/product/rax50/ RAX50S Nighthawk AX6 6-Stream AX5400 WiFi 6 Router V1.0.11.112 https://www.netgear.com/support/product/rax50s/ RAX75 (EoS) Nighthawk AX8 8-Stream AX5700 WiFi 6 RouterEOSRAX80 (EoS) Nighthawk AX8 8-Stream WiFi RouterEOSRAXE450 Nighthawk AXE10000 Tri-Band WiFi 6E Router V1.0.10.86 https://www.netgear.com/support/product/raxe450/ RAXE500 Nighthawk AX12 12-Stream AXE11000 Tri-Band WiFi 6E Router V1.0.10.86 https://www.netgear.com/support/product/raxe500/ RBR750 Orbi WiFi 6 Router AX4200 V4.6.14.3 https://www.netgear.com/support/product/rbr750/ RBR840 (EoS) Orbi WiFi 6 System AX5700 V4.6.14.3 https://www.netgear.com/support/product/rbr840/ RBR850 Orbi WiFi 6 Router AX6000 V4.6.14.3 https://www.netgear.com/support/product/rbr850/ RBRE960 Orbi Quad-band Mesh WiFi 6E Router V6.3.7.5 https://www.netgear.com/support/product/rbre960/ RBS750 Orbi WiFi 6 Add-on Satellite AX4200 V4.6.14.3 https://www.netgear.com/support/product/rbs750/ RBS840 (EoS) Orbi WiFi 6 Add-on Satellite AX5700 V4.6.14.3 https://www.netgear.com/support/product/rbs840/ RBS850 Orbi WiFi 6 Satellite AX6000 V4.6.14.3 https://www.netgear.com/support/product/rbs850/ RBSE960 Orbi Quad-band Mesh WiFi 6E Add-on Satellite V6.3.7.5 https://www.netgear.com/support/product/rbse960/ RS700 Nighthawk BE19000 WiFi 7 Tri-Band Router V1.0.7.66 https://www.netgear.com/support/product/rs700/ XR1000 Nighthawk WiFi 6 Pro Gaming Router v1.0.0.68 https://www.netgear.com/support/product/xr1000/ \n\nModels marked (EoS) have reached End-of-Support phase, and no security updates are planned. NETGEAR strongly recommends that you retire these devices and upgrade to a newer NETGEAR device for continued security support."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Certain NETGEAR devices allow administrators to tamper with system",
      "x_generator": {
        "engine": "Vulnogram 1.0.3"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a2826606-91e7-4eb6-899e-8484bd4575d5",
    "assignerShortName": "NETGEAR",
    "cveId": "CVE-2026-0418",
    "datePublished": "2026-06-09T15:50:50.069Z",
    "dateReserved": "2025-12-03T04:16:25.029Z",
    "dateUpdated": "2026-06-10T15:56:54.459Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-0495 (GCVE-0-2026-0495)

Vulnerability from cvelistv5 – Published: 2026-01-13 01:13 – Updated: 2026-01-13 15:15
VLAI
Title
Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)
Summary
SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-15 - External Control of System or Configuration Setting
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE SAP Fiori App (Intercompany Balance Reconciliation) Affected: UIAPFI70 500
Affected: 600
Affected: 700
Affected: 800
Affected: 900
Affected: 901
Affected: 902
Affected: S4CORE 102
Affected: 103
Affected: 104
Affected: 105
Affected: 106
Affected: 107
Affected: 108
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0495",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-13T15:15:35.824019Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-13T15:15:41.236Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP Fiori App (Intercompany Balance Reconciliation)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "UIAPFI70 500"
            },
            {
              "status": "affected",
              "version": "600"
            },
            {
              "status": "affected",
              "version": "700"
            },
            {
              "status": "affected",
              "version": "800"
            },
            {
              "status": "affected",
              "version": "900"
            },
            {
              "status": "affected",
              "version": "901"
            },
            {
              "status": "affected",
              "version": "902"
            },
            {
              "status": "affected",
              "version": "S4CORE 102"
            },
            {
              "status": "affected",
              "version": "103"
            },
            {
              "status": "affected",
              "version": "104"
            },
            {
              "status": "affected",
              "version": "105"
            },
            {
              "status": "affected",
              "version": "106"
            },
            {
              "status": "affected",
              "version": "107"
            },
            {
              "status": "affected",
              "version": "108"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges  to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application.\u003c/p\u003e"
            }
          ],
          "value": "SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges  to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-15",
              "description": "CWE-15: External Control of System or Configuration Setting",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-13T01:13:20.999Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3565506"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2026-0495",
    "datePublished": "2026-01-13T01:13:20.999Z",
    "dateReserved": "2025-12-09T22:06:37.539Z",
    "dateUpdated": "2026-01-13T15:15:41.236Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1784 (GCVE-0-2026-1784)

Vulnerability from cvelistv5 – Published: 2026-06-02 07:22 – Updated: 2026-07-02 12:04
VLAI
Title
Ose-cluster-ingress-operator: remote code execution through haproxy configuration injection
Summary
The Route OpenShift resource allows to define routes to make pods reachable at a subdomain through HAProxy. It was found that the checks performed on the spec.path YAML stanza in a Route document was insufficient and could allow a controlled injection of the HAProxy configuration.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-15 - External Control of System or Configuration Setting
Assigner
References
URL Tags
https://access.redhat.com/errata/RHSA-2026:23241 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:23246 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:25045 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:25182 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:25194 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26543 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:28893 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:28964 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-1784 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2436075 issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
Impacted products
Vendor Product Version
Red Hat Red Hat OpenShift Container Platform 4.13 Unaffected: 1781123014 , < * (rpm)
    cpe:/a:redhat:openshift:4.13::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4.14 Unaffected: 1781870101 , < * (rpm)
    cpe:/a:redhat:openshift:4.14::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4.15 Unaffected: 1781928857 , < * (rpm)
    cpe:/a:redhat:openshift:4.15::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4.16 Unaffected: 1780962617 , < * (rpm)
    cpe:/a:redhat:openshift:4.16::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4.18 Unaffected: 1780988280 , < * (rpm)
    cpe:/a:redhat:openshift:4.18::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4.19 Unaffected: 1780043338 , < * (rpm)
    cpe:/a:redhat:openshift:4.19::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4.20 Unaffected: 1780990977 , < * (rpm)
    cpe:/a:redhat:openshift:4.20::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4.21 Unaffected: 1780444348 , < * (rpm)
    cpe:/a:redhat:openshift:4.21::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4.13     cpe:/a:redhat:openshift:4.13::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4.14     cpe:/a:redhat:openshift:4.14::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4.15     cpe:/a:redhat:openshift:4.15::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4.16     cpe:/a:redhat:openshift:4.16::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4.18     cpe:/a:redhat:openshift:4.18::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4.19     cpe:/a:redhat:openshift:4.19::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4.20     cpe:/a:redhat:openshift:4.20::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4.21     cpe:/a:redhat:openshift:4.21::el9
Create a notification for this product.
Date Public
2026-06-02 07:12
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1784",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-02T12:20:08.030702Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-02T12:20:25.547Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:openshift:4.13::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Container Platform 4.13",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift:4.14::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Container Platform 4.14",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift:4.15::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Container Platform 4.15",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift:4.16::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Container Platform 4.16",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift:4.18::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Container Platform 4.18",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift:4.19::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Container Platform 4.19",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift:4.20::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Container Platform 4.20",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift:4.21::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Container Platform 4.21",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-06-02T07:12:31.172Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "The Route OpenShift resource allows to define routes to make pods reachable at a subdomain through HAProxy. It was found that the checks performed on the spec.path YAML stanza in a Route document was insufficient and could allow a controlled injection of the HAProxy configuration."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-15",
                "description": "External Control of System or Configuration Setting",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T12:04:55.064Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-1784"
          },
          {
            "name": "RHBZ#2436075",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436075"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1784.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26543"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28893"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28964"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:25045"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:25182"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:23246"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:25194"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:23241"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:26543: Red Hat OpenShift Container Platform 4.13"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:28893: Red Hat OpenShift Container Platform 4.14"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:28964: Red Hat OpenShift Container Platform 4.15"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:25045: Red Hat OpenShift Container Platform 4.16"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:25182: Red Hat OpenShift Container Platform 4.18"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:23246: Red Hat OpenShift Container Platform 4.19"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:25194: Red Hat OpenShift Container Platform 4.20"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:23241: Red Hat OpenShift Container Platform 4.21"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-02-02T21:05:20.978Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-06-02T07:12:31.172Z",
            "value": "Made public."
          }
        ],
        "title": "ose-cluster-ingress-operator: Remote Code Execution Through HAProxy Configuration Injection",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift:4.13::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift4/ose-cluster-ingress-operator",
          "product": "Red Hat OpenShift Container Platform 4.13",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1781123014",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift:4.14::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift4/ose-cluster-ingress-operator",
          "product": "Red Hat OpenShift Container Platform 4.14",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1781870101",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift:4.15::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift4/ose-cluster-ingress-rhel9-operator",
          "product": "Red Hat OpenShift Container Platform 4.15",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1781928857",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift:4.16::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift4/ose-cluster-ingress-rhel9-operator",
          "product": "Red Hat OpenShift Container Platform 4.16",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1780962617",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift:4.18::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift4/ose-cluster-ingress-rhel9-operator",
          "product": "Red Hat OpenShift Container Platform 4.18",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1780988280",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift4/ose-cluster-ingress-rhel9-operator",
          "product": "Red Hat OpenShift Container Platform 4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1780043338",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift:4.20::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift4/ose-cluster-ingress-rhel9-operator",
          "product": "Red Hat OpenShift Container Platform 4.20",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1780990977",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift:4.21::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift4/ose-cluster-ingress-rhel9-operator",
          "product": "Red Hat OpenShift Container Platform 4.21",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1780444348",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "datePublic": "2026-06-02T07:12:31.172Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Route OpenShift resource allows to define routes to make pods reachable at a subdomain through HAProxy. It was found that the checks performed on the spec.path YAML stanza in a Route document was insufficient and could allow a controlled injection of the HAProxy configuration."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-15",
              "description": "External Control of System or Configuration Setting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T23:47:44.455Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:23241",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:23241"
        },
        {
          "name": "RHSA-2026:23246",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:23246"
        },
        {
          "name": "RHSA-2026:25045",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:25045"
        },
        {
          "name": "RHSA-2026:25182",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:25182"
        },
        {
          "name": "RHSA-2026:25194",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:25194"
        },
        {
          "name": "RHSA-2026:26543",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:26543"
        },
        {
          "name": "RHSA-2026:28893",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:28893"
        },
        {
          "name": "RHSA-2026:28964",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:28964"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-1784"
        },
        {
          "name": "RHBZ#2436075",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436075"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-02T21:05:20.978Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-06-02T07:12:31.172Z",
          "value": "Made public."
        }
      ],
      "title": "Ose-cluster-ingress-operator: remote code execution through haproxy configuration injection",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-15: External Control of System or Configuration Setting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-1784",
    "datePublished": "2026-06-02T07:22:26.461Z",
    "dateReserved": "2026-02-02T21:17:24.893Z",
    "dateUpdated": "2026-07-02T12:04:55.064Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21422 (GCVE-0-2026-21422)

Vulnerability from cvelistv5 – Published: 2026-03-04 12:57 – Updated: 2026-04-30 08:26
VLAI
Summary
Dell PowerScale OneFS, versions 9.10.0.0 through 9.13.1.0, contains an external control of system or configuration setting vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to protection mechanism bypass.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-15 - External Control of System or Configuration Setting
Assigner
References
Impacted products
Vendor Product Version
Dell PowerScale OneFS Affected: 9.11.0.0 through 9.12.0.1 , < 9.13.0.0 or later (semver)
Affected: 9.10.0.0 through 9.10.1.5 , < 9.10.1.6 or later (semver)
Create a notification for this product.
Date Public
2026-02-24 18:30
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21422",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-04T14:09:01.547846Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-04T14:09:13.906Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PowerScale OneFS",
          "vendor": "Dell",
          "versions": [
            {
              "lessThan": "9.13.0.0 or later",
              "status": "affected",
              "version": "9.11.0.0 through 9.12.0.1",
              "versionType": "semver"
            },
            {
              "lessThan": "9.10.1.6 or later",
              "status": "affected",
              "version": "9.10.0.0 through 9.10.1.5",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-02-24T18:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Dell PowerScale OneFS, versions 9.10.0.0 through \u003cstrong\u003e9.13.1.0\u003c/strong\u003e, contains an external control of system or configuration setting vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to protection mechanism bypass."
            }
          ],
          "value": "Dell PowerScale OneFS, versions 9.10.0.0 through 9.13.1.0, contains an external control of system or configuration setting vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to protection mechanism bypass."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 3.4,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-15",
              "description": "CWE-15: External Control of System or Configuration Setting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-30T08:26:50.159Z",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.dell.com/support/kbdoc/en-sg/000432452/dsa-2026-038-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2026-21422",
    "datePublished": "2026-03-04T12:57:38.774Z",
    "dateReserved": "2025-12-24T16:33:47.095Z",
    "dateUpdated": "2026-04-30T08:26:50.159Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-22177 (GCVE-0-2026-22177)

Vulnerability from cvelistv5 – Published: 2026-03-18 01:34 – Updated: 2026-04-08 16:05 X_Open Source
VLAI
Title
OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars
Summary
OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw gateway service runtime context.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-15 - External Control of System or Configuration Setting
Assigner
Impacted products
Vendor Product Version
OpenClaw OpenClaw Affected: 0 , < 2026.2.21 (semver)
Unaffected: 2026.2.21 (semver)
Create a notification for this product.
Date Public
2026-02-21 00:00
Credits
tdjackey Zhijie Zhang
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22177",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-18T19:48:30.916488Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-18T19:48:38.451Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/openclaw",
          "product": "OpenClaw",
          "vendor": "OpenClaw",
          "versions": [
            {
              "lessThan": "2026.2.21",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "2026.2.21",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
                  "versionEndExcluding": "2026.2.21",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "tdjackey"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Zhijie Zhang"
        }
      ],
      "datePublic": "2026-02-21T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eOpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw gateway service runtime context.\u003c/p\u003e"
            }
          ],
          "value": "OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw gateway service runtime context."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-15",
              "description": "CWE-15: External Control of System or Configuration Setting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:05:27.893Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "GitHub Security Advisory (GHSA-8fmp-37rc-p5g7)",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8fmp-37rc-p5g7"
        },
        {
          "name": "Patch Commit",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9j9-w4cp-6wgr"
        },
        {
          "name": "VulnCheck Advisory: OpenClaw \u003c 2026.2.21 - Environment Variable Injection via Config env.vars",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openclaw/openclaw/commit/2cdbadee1f8fcaa93302d7debbfc529e19868ea4"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-config-env-vars"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "OpenClaw \u003c 2026.2.21 - Environment Variable Injection via Config env.vars",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-22177",
    "datePublished": "2026-03-18T01:34:21.592Z",
    "dateReserved": "2026-01-06T16:47:17.181Z",
    "dateUpdated": "2026-04-08T16:05:27.893Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-22708 (GCVE-0-2026-22708)

Vulnerability from cvelistv5 – Published: 2026-01-14 16:43 – Updated: 2026-01-14 16:59
VLAI
Title
Cursor has a Terminal Tool Allowlist Bypass via Environment Variables
Summary
Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-15 - External Control of System or Configuration Setting
  • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
cursor cursor Affected: < 2.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22708",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T16:59:44.747154Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-14T16:59:53.022Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cursor",
          "vendor": "cursor",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval.\nThis allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-15",
              "description": "CWE-15: External Control of System or Configuration Setting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-14T16:43:54.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w"
        }
      ],
      "source": {
        "advisory": "GHSA-82wg-qcm4-fp2w",
        "discovery": "UNKNOWN"
      },
      "title": "Cursor has a Terminal Tool Allowlist Bypass via Environment Variables"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22708",
    "datePublished": "2026-01-14T16:43:54.000Z",
    "dateReserved": "2026-01-08T19:23:09.857Z",
    "dateUpdated": "2026-01-14T16:59:53.022Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27203 (GCVE-0-2026-27203)

Vulnerability from cvelistv5 – Published: 2026-02-20 23:30 – Updated: 2026-02-25 21:29
VLAI
Title
eBay API MCP Server Affected by Environment Variable Injection
Summary
eBay API MCP Server is an open source local MCP server providing AI assistants with comprehensive access to eBay's Sell APIs. All versions are vulnerable to Environment Variable Injection through the updateEnvFile function. The ebay_set_user_tokens tool allows updating the .env file with new tokens. The updateEnvFile function in src/auth/oauth.ts blindly appends or replaces values without validating them for newlines or quotes. This allows an attacker to inject arbitrary environment variables into the configuration file. An attacker can inject arbitrary environment variables into the .env file. This could lead to configuration overwrites, Denial of Service, and potential RCE. There was no fix for this issue at the time of publication.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-15 - External Control of System or Configuration Setting
  • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
Impacted products
Vendor Product Version
YosefHayim ebay-mcp Affected: <= 1.7.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27203",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-25T21:29:04.945257Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-25T21:29:27.100Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ebay-mcp",
          "vendor": "YosefHayim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.7.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "eBay API MCP Server is an open source local MCP server providing AI assistants with comprehensive access to eBay\u0027s Sell APIs. All versions are vulnerable to Environment Variable Injection through the updateEnvFile function. The ebay_set_user_tokens tool allows updating the .env file with new tokens. The updateEnvFile function in src/auth/oauth.ts blindly appends or replaces values without validating them for newlines or quotes. This allows an attacker to inject arbitrary environment variables into the configuration file. An attacker can inject arbitrary environment variables into the .env file. This could lead to configuration overwrites, Denial of Service, and potential RCE. There was no fix for this issue at the time of publication."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-15",
              "description": "CWE-15: External Control of System or Configuration Setting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-20T23:30:46.134Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/YosefHayim/ebay-mcp/security/advisories/GHSA-97rm-xj73-33jh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/YosefHayim/ebay-mcp/security/advisories/GHSA-97rm-xj73-33jh"
        },
        {
          "name": "https://github.com/YosefHayim/ebay-mcp/commit/aab0bda75ea9dd27aa37d0d8524d7cf41b3c4a9a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/YosefHayim/ebay-mcp/commit/aab0bda75ea9dd27aa37d0d8524d7cf41b3c4a9a"
        }
      ],
      "source": {
        "advisory": "GHSA-97rm-xj73-33jh",
        "discovery": "UNKNOWN"
      },
      "title": "eBay API MCP Server Affected by Environment Variable Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27203",
    "datePublished": "2026-02-20T23:30:46.134Z",
    "dateReserved": "2026-02-18T19:47:02.155Z",
    "dateUpdated": "2026-02-25T21:29:27.100Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation ID: MIT-46

Phase: Architecture and Design

Strategy: Separation of Privilege

Description:

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation

Phases: Implementation, Architecture and Design

Description:

  • Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control.
Mitigation

Phases: Implementation, Architecture and Design

Description:

  • In general, do not allow user-provided or otherwise untrusted data to control sensitive values. The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of the attacker.
CAPEC-13: Subverting Environment Variable Values

The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.

CAPEC-146: XML Schema Poisoning

An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema.

CAPEC-176: Configuration/Environment Manipulation

An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack.

CAPEC-203: Manipulate Registry Information

An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application registry). Editing registry information can permit the adversary to hide configuration information or remove indicators of compromise to cover up activity. Many applications utilize registries to store configuration and service information. As such, modification of registry information can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of a targeted application. For example, both Java RMI and SOAP use registries to track available services. Changing registry values is sometimes a preliminary step towards completing another attack pattern, but given the long term usage of many registry values, manipulation of registry information could be its own end.

CAPEC-270: Modification of Registry Run Keys

An adversary adds a new entry to the "run keys" in the Windows registry so that an application of their choosing is executed when a user logs in. In this way, the adversary can get their executable to operate and run on the target system with the authorized user's level of permissions. This attack is a good way for an adversary to run persistent spyware on a user's machine, such as a keylogger.

CAPEC-271: Schema Poisoning

An adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure and content definitions for resources used by an application. By replacing or modifying a schema, the adversary can affect how the application handles or interprets a resource, often leading to possible denial of service, entering into an unexpected state, or recording incomplete data.

CAPEC-579: Replace Winlogon Helper DLL

Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.

CAPEC-69: Target Programs with Elevated Privileges

This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Back to CWE stats page