Common Weakness Enumeration

CWE-73

External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

CVE-2026-10559 (GCVE-0-2026-10559)

Vulnerability from cvelistv5 – Published: 2026-06-02 01:15 – Updated: 2026-06-02 15:45 X_Freeware
VLAI
Title
SourceCodester Pizzafy Ecommerce System index.php file inclusion
Summary
A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is an unknown function of the file /index.php. Executing a manipulation of the argument page can lead to file inclusion. The attack may be performed from remote. The exploit has been published and may be used.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
SourceCodester Pizzafy Ecommerce System Affected: 1.0
    cpe:2.3:a:sourcecodester:pizzafy_ecommerce_system:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
bhaskar10 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-10559",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-02T14:27:22.881288Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-02T15:45:21.472Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:sourcecodester:pizzafy_ecommerce_system:*:*:*:*:*:*:*:*"
          ],
          "product": "Pizzafy Ecommerce System",
          "vendor": "SourceCodester",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "bhaskar10 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is an unknown function of the file /index.php. Executing a manipulation of the argument page can lead to file inclusion. The attack may be performed from remote. The exploit has been published and may be used."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "File Inclusion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-02T01:15:09.815Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-367649 | SourceCodester Pizzafy Ecommerce System index.php file inclusion",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/367649"
        },
        {
          "name": "VDB-367649 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/367649/cti"
        },
        {
          "name": "CVE-2026-10559 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-10559"
        },
        {
          "name": "Submit #828822 | SourceCodester Pizzafy Ecommerce System 1.0 File Inclusion",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/828822"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/cyber-bhaskar10/CVE-Writeups/blob/main/CVE%20Writeup%20LFI%20via%20Null%20Byte%20Injection%20in%20index.php.md"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.sourcecodester.com/"
        }
      ],
      "tags": [
        "x_freeware"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-01T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-06-01T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-06-01T17:04:51.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "SourceCodester Pizzafy Ecommerce System index.php file inclusion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-10559",
    "datePublished": "2026-06-02T01:15:09.815Z",
    "dateReserved": "2026-06-01T14:59:42.789Z",
    "dateUpdated": "2026-06-02T15:45:21.472Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-10694 (GCVE-0-2026-10694)

Vulnerability from cvelistv5 – Published: 2026-06-03 00:15 – Updated: 2026-06-03 12:29 X_Freeware
VLAI
Title
SourceCodester Online Food Ordering System index.php include file inclusion
Summary
A vulnerability was detected in SourceCodester Online Food Ordering System 2.0. Affected by this issue is the function include of the file /index.php. The manipulation of the argument page results in file inclusion. The attack can be launched remotely. The exploit is now public and may be used.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/vuln/367963 vdb-entrytechnical-description
https://vuldb.com/vuln/367963/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-10694 third-party-advisory
https://vuldb.com/submit/830903 third-party-advisory
https://github.com/Mikkoseven/cve/issues/4 exploitissue-tracking
https://www.sourcecodester.com/ product
Impacted products
Vendor Product Version
SourceCodester Online Food Ordering System Affected: 2.0
    cpe:2.3:a:sourcecodester:online_food_ordering_system:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Jxsec (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-10694",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T12:28:49.927004Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T12:29:00.364Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:sourcecodester:online_food_ordering_system:*:*:*:*:*:*:*:*"
          ],
          "product": "Online Food Ordering System",
          "vendor": "SourceCodester",
          "versions": [
            {
              "status": "affected",
              "version": "2.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Jxsec (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was detected in SourceCodester Online Food Ordering System 2.0. Affected by this issue is the function include of the file /index.php. The manipulation of the argument page results in file inclusion. The attack can be launched remotely. The exploit is now public and may be used."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "File Inclusion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T00:15:08.880Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-367963 | SourceCodester Online Food Ordering System index.php include file inclusion",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/367963"
        },
        {
          "name": "VDB-367963 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/367963/cti"
        },
        {
          "name": "CVE-2026-10694 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-10694"
        },
        {
          "name": "Submit #830903 | Sourcecodester Online Food Ordering System v2 using PHP8 and MySQL Free Source Code v2.0 Local File Inclusion",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/830903"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/Mikkoseven/cve/issues/4"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.sourcecodester.com/"
        }
      ],
      "tags": [
        "x_freeware"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-02T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-06-02T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-06-02T17:52:12.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "SourceCodester Online Food Ordering System index.php include file inclusion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-10694",
    "datePublished": "2026-06-03T00:15:08.880Z",
    "dateReserved": "2026-06-02T15:47:06.210Z",
    "dateUpdated": "2026-06-03T12:29:00.364Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-10816 (GCVE-0-2026-10816)

Vulnerability from cvelistv5 – Published: 2026-06-30 12:52 – Updated: 2026-06-30 13:28
VLAI
Title
Arbitrary File Read (Unauthenticated)
Summary
Arbitrary File Read (Unauthenticated) in NetScaler ADC and NetScaler Gateway if the access to NSIP, Cluster Management IP or SNIP with management access is enabled
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-73 - External control of file name or path
Assigner
Impacted products
Vendor Product Version
NetScaler ADC Affected: 14.1 , < 72.61 (patch)
Affected: 13.1 , < 63.18 (patch)
Affected: 14.1 FIPS , < 72.61 (patch)
Affected: 13.1 FIPS and NDcPP , < 37.272 (patch)
Create a notification for this product.
NetScaler Gateway Affected: 14.1 , < 72.61 (patch)
Affected: 13.1 , < 63.18 (patch)
Create a notification for this product.
Date Public
2026-06-30 12:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-10816",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-30T13:28:37.909957Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T13:28:45.455Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ADC",
          "vendor": "NetScaler",
          "versions": [
            {
              "lessThan": "72.61",
              "status": "affected",
              "version": "14.1",
              "versionType": "patch"
            },
            {
              "lessThan": "63.18",
              "status": "affected",
              "version": "13.1",
              "versionType": "patch"
            },
            {
              "lessThan": "72.61",
              "status": "affected",
              "version": "14.1 FIPS",
              "versionType": "patch"
            },
            {
              "lessThan": "37.272",
              "status": "affected",
              "version": "13.1 FIPS and NDcPP",
              "versionType": "patch"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Gateway",
          "vendor": "NetScaler",
          "versions": [
            {
              "lessThan": "72.61",
              "status": "affected",
              "version": "14.1",
              "versionType": "patch"
            },
            {
              "lessThan": "63.18",
              "status": "affected",
              "version": "13.1",
              "versionType": "patch"
            }
          ]
        }
      ],
      "datePublic": "2026-06-30T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cspan\u003eArbitrary File Read (Unauthenticated) in\u0026nbsp;\u003c/span\u003e\u003cspan\u003eNetScaler ADC and NetScaler Gateway if the a\u003c/span\u003e\u003cspan\u003eccess to NSIP, Cluster Management IP or SNIP with management access is enabled\u003c/span\u003e\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "Arbitrary File Read (Unauthenticated) in\u00a0NetScaler ADC and NetScaler Gateway if the access to NSIP, Cluster Management IP or SNIP with management access is enabled"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73 External control of file name or path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T12:59:25.926Z",
        "orgId": "50a63c94-1ea7-4568-8c11-eb79e7c5a2b5",
        "shortName": "NetScaler"
      },
      "references": [
        {
          "url": "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Arbitrary File Read (Unauthenticated)",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "50a63c94-1ea7-4568-8c11-eb79e7c5a2b5",
    "assignerShortName": "NetScaler",
    "cveId": "CVE-2026-10816",
    "datePublished": "2026-06-30T12:52:14.461Z",
    "dateReserved": "2026-06-04T05:48:47.634Z",
    "dateUpdated": "2026-06-30T13:28:45.455Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11526 (GCVE-0-2026-11526)

Vulnerability from cvelistv5 – Published: 2026-06-14 11:39 – Updated: 2026-06-21 13:34
VLAI
Title
GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle
Summary
GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle. GD::Image::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. _make_filehandle is the single open path behind every filename-accepting constructor (new, newFromPng, newFromJpeg, and the rest); the in-memory *Data variants do not open a path and are unaffected. Any caller that forwards untrusted input to one of these constructors as a pathname can run an arbitrary command or truncate a file under the process UID.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-73 - External Control of File Name or Path
Assigner
Impacted products
Vendor Product Version
RURBAN GD Affected: 0 , < 2.86 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-06-21T13:34:16.065Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/14/4"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00027.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-11526",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T16:17:04.865826Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T16:17:32.599Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "GD",
          "product": "GD",
          "programFiles": [
            "lib/GD/Image.pm",
            "lib/GD/Image_pm.PL"
          ],
          "programRoutines": [
            {
              "name": "GD::Image::_make_filehandle"
            }
          ],
          "repo": "https://github.com/lstein/Perl-GD",
          "vendor": "RURBAN",
          "versions": [
            {
              "lessThan": "2.86",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle.\n\nGD::Image::_make_filehandle opens a filename argument with Perl\u0027s 2-arg open(), so a filename that begins or ends with a pipe (\"| cmd\", \"cmd |\") or begins with a redirect (\"\u003e path\", \"\u003e\u003e path\") is run as a command or redirect rather than opened as a file. _make_filehandle is the single open path behind every filename-accepting constructor (new, newFromPng, newFromJpeg, and the rest); the in-memory *Data variants do not open a path and are unaffected.\n\nAny caller that forwards untrusted input to one of these constructors as a pathname can run an arbitrary command or truncate a file under the process UID."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73 External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T11:39:21.122Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/lstein/Perl-GD/commit/67b163713c6c78dfeb693da0978ae934e5cd8210.patch"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/RURBAN/GD-2.86/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to GD 2.86 or later, which opens filename arguments with a 3-arg read open so the filename is never interpreted as a command or redirect."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle",
      "workarounds": [
        {
          "lang": "en",
          "value": "For deployments that cannot upgrade to 2.86, do not pass untrusted input as a pathname to GD::Image constructors. Callers can open the file themselves and pass the resulting filehandle, which bypasses the affected string path."
        }
      ],
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-11526",
    "datePublished": "2026-06-14T11:39:21.122Z",
    "dateReserved": "2026-06-07T19:26:46.259Z",
    "dateUpdated": "2026-06-21T13:34:16.065Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11527 (GCVE-0-2026-11527)

Vulnerability from cvelistv5 – Published: 2026-06-14 11:40 – Updated: 2026-06-19 20:31
VLAI
Title
Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle
Summary
Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle. Config::IniFiles::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. The helper is the open path behind the documented -file argument: new(-file => $thing) reaches it through ReadConfig. An in-memory scalar reference (-file => \$text) does not open a path and is unaffected. Any caller that forwards untrusted input to the -file argument can run an arbitrary command or truncate a file under the process UID.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-73 - External Control of File Name or Path
Assigner
Impacted products
Vendor Product Version
SHLOMIF Config::IniFiles Affected: 0 , < 3.001000 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-06-19T20:31:36.704Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/14/5"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00026.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 8.6,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-11527",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T18:52:43.717589Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T19:25:43.977Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Config-IniFiles",
          "product": "Config::IniFiles",
          "programFiles": [
            "lib/Config/IniFiles.pm"
          ],
          "programRoutines": [
            {
              "name": "Config::IniFiles::_make_filehandle"
            }
          ],
          "repo": "https://github.com/shlomif/perl-Config-IniFiles",
          "vendor": "SHLOMIF",
          "versions": [
            {
              "lessThan": "3.001000",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle.\n\nConfig::IniFiles::_make_filehandle opens a filename argument with Perl\u0027s 2-arg open(), so a filename that begins or ends with a pipe (\"| cmd\", \"cmd |\") or begins with a redirect (\"\u003e path\", \"\u003e\u003e path\") is run as a command or redirect rather than opened as a file. The helper is the open path behind the documented -file argument: new(-file =\u003e $thing) reaches it through ReadConfig. An in-memory scalar reference (-file =\u003e \\$text) does not open a path and is unaffected.\n\nAny caller that forwards untrusted input to the -file argument can run an arbitrary command or truncate a file under the process UID."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73 External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T11:40:45.634Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/shlomif/perl-Config-IniFiles/commit/3e48f9627fbba4dae5de35be1f735cdeb7e47fb8.patch"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/SHLOMIF/Config-IniFiles-3.001000/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to Config::IniFiles 3.001000 or later, which opens the -file argument with a 3-arg read open so the filename is never interpreted as a command or redirect."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle",
      "workarounds": [
        {
          "lang": "en",
          "value": "For deployments that cannot upgrade to 3.001000, do not pass untrusted input as the -file argument. Callers can open the file themselves and pass the resulting filehandle, or pass the configuration as an in-memory scalar reference, which bypasses the affected string path."
        }
      ],
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-11527",
    "datePublished": "2026-06-14T11:40:45.634Z",
    "dateReserved": "2026-06-07T19:33:54.590Z",
    "dateUpdated": "2026-06-19T20:31:36.704Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12480 (GCVE-0-2026-12480)

Vulnerability from cvelistv5 – Published: 2026-07-01 16:53 – Updated: 2026-07-01 17:46
VLAI
Title
Arbitrary HDF5 File Read via Virtual Dataset Bypass in keras-team/keras
Summary
Keras versions up to and including 3.13.2 are vulnerable to an arbitrary HDF5 file read due to an incomplete fix for CVE-2026-1669. The vulnerability resides in the `H5IOStore._verify_dataset()` and `file_editor.py` methods, which fail to check the `dataset.is_virtual` property of HDF5 datasets. This allows an attacker to craft a malicious `.keras` model archive or `.h5` weights file containing a Virtual Dataset (VDS) that references external HDF5 files on the victim's filesystem. When the victim loads the model using `keras.models.load_model()` or `keras.saving.load_model()`, the external file is transparently read, leading to potential information disclosure. Fixed in versions 3.12.2 and 3.14.1.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-73 - External Control of File Name or Path
Assigner
Impacted products
Vendor Product Version
keras-team keras-team/keras Affected: unspecified , < 3.12.2, 3.14.1 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12480",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T17:46:27.752463Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T17:46:31.093Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://huntr.com/bounties/1875d257-5b03-4a69-ac70-e98653fa12c7"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keras-team/keras",
          "vendor": "keras-team",
          "versions": [
            {
              "lessThan": "3.12.2, 3.14.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Keras versions up to and including 3.13.2 are vulnerable to an arbitrary HDF5 file read due to an incomplete fix for CVE-2026-1669. The vulnerability resides in the `H5IOStore._verify_dataset()` and `file_editor.py` methods, which fail to check the `dataset.is_virtual` property of HDF5 datasets. This allows an attacker to craft a malicious `.keras` model archive or `.h5` weights file containing a Virtual Dataset (VDS) that references external HDF5 files on the victim\u0027s filesystem. When the victim loads the model using `keras.models.load_model()` or `keras.saving.load_model()`, the external file is transparently read, leading to potential information disclosure. Fixed in versions 3.12.2 and 3.14.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73 External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T16:53:32.326Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/1875d257-5b03-4a69-ac70-e98653fa12c7"
        },
        {
          "url": "https://github.com/keras-team/keras/commit/d5a88bdb137c0d3039b8f4bbbe8c7099925cc10c"
        }
      ],
      "source": {
        "advisory": "1875d257-5b03-4a69-ac70-e98653fa12c7",
        "discovery": "EXTERNAL"
      },
      "title": "Arbitrary HDF5 File Read via Virtual Dataset Bypass in keras-team/keras"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2026-12480",
    "datePublished": "2026-07-01T16:53:32.326Z",
    "dateReserved": "2026-06-17T00:57:28.799Z",
    "dateUpdated": "2026-07-01T17:46:31.093Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-13748 (GCVE-0-2026-13748)

Vulnerability from cvelistv5 – Published: 2026-06-29 15:58 – Updated: 2026-06-29 16:20
VLAI
Title
Snowflake CLI Arbitrary Local File Read and Exfiltration Through Improper File Path Restriction
Summary
Improper restriction of file path resolution in Snowflake CLI versions prior to 3.19 allowed arbitrary local file content to be read and transmitted to Snowflake services. An attacker could exploit this by supplying crafted repository or project content that referenced files outside the intended project boundary, causing Snowflake CLI to read local files and upload or embed their contents during deployment or SQL template processing. Successful exploitation required the victim to process attacker-controlled project content, and retrieval of exfiltrated data depended on access to the victim's Snowflake account artifacts such as query history or uploaded stage content. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-61 - UNIX Symbolic Link (Symlink) Following
  • CWE-73 - External Control of File Name or Path
Assigner
Impacted products
Vendor Product Version
Snowflake Snowflake CLI Affected: 0.2.2 , < 3.19.0 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-13748",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T16:20:50.026529Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T16:20:54.942Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Snowflake CLI",
          "vendor": "Snowflake",
          "versions": [
            {
              "lessThan": "3.19.0",
              "status": "affected",
              "version": "0.2.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper restriction of file path resolution in Snowflake CLI versions prior to 3.19 allowed arbitrary local file content to be read and transmitted to Snowflake services. An attacker could exploit this by supplying crafted repository or project content that referenced files outside the intended project boundary, causing Snowflake CLI to read local files and upload or embed their contents during deployment or SQL template processing. Successful exploitation required the victim to process attacker-controlled project content, and retrieval of exfiltrated data depended on access to the victim\u0027s Snowflake account artifacts such as query history or uploaded stage content. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-61",
              "description": "UNIX Symbolic Link (Symlink) Following",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-73",
              "description": "External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-29T15:58:00.158Z",
        "orgId": "412d305a-227d-44f9-a262-a31ba44f2aea",
        "shortName": "SNOWFLAKE"
      },
      "references": [
        {
          "name": "Snowflake CLI Vulnerability Advisory",
          "url": "https://community.snowflake.com/s/article/Snowflake-CLI-Vulnerability-Advisory"
        }
      ],
      "title": "Snowflake CLI Arbitrary Local File Read and Exfiltration Through Improper File Path Restriction",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "412d305a-227d-44f9-a262-a31ba44f2aea",
    "assignerShortName": "SNOWFLAKE",
    "cveId": "CVE-2026-13748",
    "datePublished": "2026-06-29T15:58:00.158Z",
    "dateReserved": "2026-06-29T15:52:52.370Z",
    "dateUpdated": "2026-06-29T16:20:54.942Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1669 (GCVE-0-2026-1669)

Vulnerability from cvelistv5 – Published: 2026-02-11 22:10 – Updated: 2026-06-30 12:07
VLAI
Title
Arbitrary File Read in Keras via HDF5 External Datasets
Summary
Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-73 - External Control of File Name or Path
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
Google Keras Affected: 3.0.0 , < 3.13.1 (semver)
Create a notification for this product.
Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
Create a notification for this product.
Date Public
2026-02-05 04:42
Credits
Giuseppe Massaro (https://github.com/N3mes1s)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1669",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-12T14:52:43.037931Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-12T14:53:02.502Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-02-11T22:10:10.031Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Keras. A remote attacker can exploit an arbitrary file read vulnerability in the model loading mechanism (HDF5 integration) by providing a specially crafted .keras model file that utilizes HDF5 external dataset references. This allows the attacker to read local files and disclose sensitive information."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-73",
                "description": "External Control of File Name or Path",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:07:06.918Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-1669"
          },
          {
            "name": "RHBZ#2439205",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439205"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1669.json"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-02-11T23:00:48.085Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-02-11T22:10:10.031Z",
            "value": "Made public."
          }
        ],
        "title": "keras: Keras: Information disclosure via arbitrary file read in model loading mechanism",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Keras",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "3.13.1",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Giuseppe Massaro (https://github.com/N3mes1s)"
        }
      ],
      "datePublic": "2026-02-05T04:42:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references."
            }
          ],
          "value": "Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-563",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-563 Add Malicious File to Shared Webroot"
            }
          ]
        },
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-126 Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73 External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-11T22:10:10.031Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://github.com/google/security-research/security/advisories"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Arbitrary File Read in Keras via HDF5 External Datasets",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2026-1669",
    "datePublished": "2026-02-11T22:10:10.031Z",
    "dateReserved": "2026-01-29T22:48:03.030Z",
    "dateUpdated": "2026-06-30T12:07:06.918Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20175 (GCVE-0-2026-20175)

Vulnerability from cvelistv5 – Published: 2026-06-03 16:06 – Updated: 2026-06-03 17:46
VLAI
Title
Cisco Finesse File Inclusion Vulnerability
Summary
A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device, possibly leading to browser-based attacks. This vulnerability is due to insufficient validation of user-supplied input for HTTP requests that are sent to an affected device. An attacker who has knowledge of the address of the affected device could exploit this vulnerability by persuading a user to click a crafted link that contains the affected device address. A successful exploit could allow the attacker to conduct browser-based attacks and execute arbitrary script code in the context of the affected interface or access sensitive information on the affected device.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-73 - External Control of File Name or Path
Assigner
Impacted products
Vendor Product Version
Cisco Cisco Finesse Affected: 11.0(1)ES_Rollback
Affected: 10.5(1)ES4
Affected: 11.6(1)ES3
Affected: 11.0(1)ES2
Affected: 12.0(1)ES2
Affected: 10.5(1)ES3
Affected: 11.0(1)
Affected: 11.6(1)FIPS
Affected: 11.6(1)ES4
Affected: 11.0(1)ES3
Affected: 10.5(1)ES6
Affected: 11.0(1)ES7
Affected: 11.5(1)ES4
Affected: 10.5(1)ES8
Affected: 11.5(1)
Affected: 11.6(1)
Affected: 10.5(1)ES10
Affected: 11.6(1)ES2
Affected: 11.6(1)ES
Affected: 11.0(1)ES6
Affected: 11.0(1)ES4
Affected: 12.0(1)
Affected: 11.6(1)ES7
Affected: 10.5(1)ES7
Affected: 11.6(1)ES8
Affected: 11.5(1)ES1
Affected: 11.6(1)ES1
Affected: 11.5(1)ES5
Affected: 11.0(1)ES1
Affected: 10.5(1)
Affected: 11.6(1)ES6
Affected: 10.5(1)ES2
Affected: 12.0(1)ES1
Affected: 11.0(1)ES5
Affected: 10.5(1)ES5
Affected: 11.5(1)ES3
Affected: 11.5(1)ES2
Affected: 10.5(1)ES9
Affected: 11.6(1)ES5
Affected: 11.6(1)ES9
Affected: 11.5(1)ES6
Affected: 10.5(1)ES1
Affected: 12.5(1)
Affected: 12.0(1)ES3
Affected: 11.6(1)ES10
Affected: 12.5(1)ES1
Affected: 12.5(1)ES2
Affected: 12.0(1)ES4
Affected: 12.5(1)ES3
Affected: 12.0(1)ES5
Affected: 12.5(1)ES4
Affected: 12.0(1)ES6
Affected: 12.5(1)ES5
Affected: 12.5(1)ES6
Affected: 12.0(1)ES7
Affected: 12.6(1)
Affected: 12.5(1)ES7
Affected: 11.6(1)ES11
Affected: 12.6(1)ES1
Affected: 12.0(1)ES8
Affected: 12.5(1)ES8
Affected: 12.6(1)ES2
Affected: 12.6(1)ES3
Affected: 12.6(1)ES4
Affected: 12.6(1)ES5
Affected: 12.5(2)
Affected: 12.5(1)_SU
Affected: 12.5(1)SU
Affected: 12.6(1)ES6
Affected: 12.5(1)SU ES1
Affected: 12.6(1)ES7
Affected: 12.6(1)ES7_ET
Affected: 12.6(2)
Affected: 12.6(1)ES8
Affected: 12.6(1)ES9
Affected: 12.6(2)ES1
Affected: 12.6(1)ES10
Affected: 12.5(1)SU ES2
Affected: 12.6(1)ES11
Affected: 12.6(2)ES2
Affected: 12.6(2)ES3
Affected: 12.5(1)SU ES3
Affected: 12.6(2)ES4
Affected: 12.6(2)ES5
Affected: 15.0(1)
Affected: 12.6(2)ES6
Affected: 15.0(1)ES202508
Affected: 15.0(1)ES202511
Affected: 15.0(1)ES202602
Affected: 15.0(1)SU1
Affected: 12.6(2)ES7
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20175",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T17:45:48.882718Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T17:46:00.557Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Cisco Finesse",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "11.0(1)ES_Rollback"
            },
            {
              "status": "affected",
              "version": "10.5(1)ES4"
            },
            {
              "status": "affected",
              "version": "11.6(1)ES3"
            },
            {
              "status": "affected",
              "version": "11.0(1)ES2"
            },
            {
              "status": "affected",
              "version": "12.0(1)ES2"
            },
            {
              "status": "affected",
              "version": "10.5(1)ES3"
            },
            {
              "status": "affected",
              "version": "11.0(1)"
            },
            {
              "status": "affected",
              "version": "11.6(1)FIPS"
            },
            {
              "status": "affected",
              "version": "11.6(1)ES4"
            },
            {
              "status": "affected",
              "version": "11.0(1)ES3"
            },
            {
              "status": "affected",
              "version": "10.5(1)ES6"
            },
            {
              "status": "affected",
              "version": "11.0(1)ES7"
            },
            {
              "status": "affected",
              "version": "11.5(1)ES4"
            },
            {
              "status": "affected",
              "version": "10.5(1)ES8"
            },
            {
              "status": "affected",
              "version": "11.5(1)"
            },
            {
              "status": "affected",
              "version": "11.6(1)"
            },
            {
              "status": "affected",
              "version": "10.5(1)ES10"
            },
            {
              "status": "affected",
              "version": "11.6(1)ES2"
            },
            {
              "status": "affected",
              "version": "11.6(1)ES"
            },
            {
              "status": "affected",
              "version": "11.0(1)ES6"
            },
            {
              "status": "affected",
              "version": "11.0(1)ES4"
            },
            {
              "status": "affected",
              "version": "12.0(1)"
            },
            {
              "status": "affected",
              "version": "11.6(1)ES7"
            },
            {
              "status": "affected",
              "version": "10.5(1)ES7"
            },
            {
              "status": "affected",
              "version": "11.6(1)ES8"
            },
            {
              "status": "affected",
              "version": "11.5(1)ES1"
            },
            {
              "status": "affected",
              "version": "11.6(1)ES1"
            },
            {
              "status": "affected",
              "version": "11.5(1)ES5"
            },
            {
              "status": "affected",
              "version": "11.0(1)ES1"
            },
            {
              "status": "affected",
              "version": "10.5(1)"
            },
            {
              "status": "affected",
              "version": "11.6(1)ES6"
            },
            {
              "status": "affected",
              "version": "10.5(1)ES2"
            },
            {
              "status": "affected",
              "version": "12.0(1)ES1"
            },
            {
              "status": "affected",
              "version": "11.0(1)ES5"
            },
            {
              "status": "affected",
              "version": "10.5(1)ES5"
            },
            {
              "status": "affected",
              "version": "11.5(1)ES3"
            },
            {
              "status": "affected",
              "version": "11.5(1)ES2"
            },
            {
              "status": "affected",
              "version": "10.5(1)ES9"
            },
            {
              "status": "affected",
              "version": "11.6(1)ES5"
            },
            {
              "status": "affected",
              "version": "11.6(1)ES9"
            },
            {
              "status": "affected",
              "version": "11.5(1)ES6"
            },
            {
              "status": "affected",
              "version": "10.5(1)ES1"
            },
            {
              "status": "affected",
              "version": "12.5(1)"
            },
            {
              "status": "affected",
              "version": "12.0(1)ES3"
            },
            {
              "status": "affected",
              "version": "11.6(1)ES10"
            },
            {
              "status": "affected",
              "version": "12.5(1)ES1"
            },
            {
              "status": "affected",
              "version": "12.5(1)ES2"
            },
            {
              "status": "affected",
              "version": "12.0(1)ES4"
            },
            {
              "status": "affected",
              "version": "12.5(1)ES3"
            },
            {
              "status": "affected",
              "version": "12.0(1)ES5"
            },
            {
              "status": "affected",
              "version": "12.5(1)ES4"
            },
            {
              "status": "affected",
              "version": "12.0(1)ES6"
            },
            {
              "status": "affected",
              "version": "12.5(1)ES5"
            },
            {
              "status": "affected",
              "version": "12.5(1)ES6"
            },
            {
              "status": "affected",
              "version": "12.0(1)ES7"
            },
            {
              "status": "affected",
              "version": "12.6(1)"
            },
            {
              "status": "affected",
              "version": "12.5(1)ES7"
            },
            {
              "status": "affected",
              "version": "11.6(1)ES11"
            },
            {
              "status": "affected",
              "version": "12.6(1)ES1"
            },
            {
              "status": "affected",
              "version": "12.0(1)ES8"
            },
            {
              "status": "affected",
              "version": "12.5(1)ES8"
            },
            {
              "status": "affected",
              "version": "12.6(1)ES2"
            },
            {
              "status": "affected",
              "version": "12.6(1)ES3"
            },
            {
              "status": "affected",
              "version": "12.6(1)ES4"
            },
            {
              "status": "affected",
              "version": "12.6(1)ES5"
            },
            {
              "status": "affected",
              "version": "12.5(2)"
            },
            {
              "status": "affected",
              "version": "12.5(1)_SU"
            },
            {
              "status": "affected",
              "version": "12.5(1)SU"
            },
            {
              "status": "affected",
              "version": "12.6(1)ES6"
            },
            {
              "status": "affected",
              "version": "12.5(1)SU ES1"
            },
            {
              "status": "affected",
              "version": "12.6(1)ES7"
            },
            {
              "status": "affected",
              "version": "12.6(1)ES7_ET"
            },
            {
              "status": "affected",
              "version": "12.6(2)"
            },
            {
              "status": "affected",
              "version": "12.6(1)ES8"
            },
            {
              "status": "affected",
              "version": "12.6(1)ES9"
            },
            {
              "status": "affected",
              "version": "12.6(2)ES1"
            },
            {
              "status": "affected",
              "version": "12.6(1)ES10"
            },
            {
              "status": "affected",
              "version": "12.5(1)SU ES2"
            },
            {
              "status": "affected",
              "version": "12.6(1)ES11"
            },
            {
              "status": "affected",
              "version": "12.6(2)ES2"
            },
            {
              "status": "affected",
              "version": "12.6(2)ES3"
            },
            {
              "status": "affected",
              "version": "12.5(1)SU ES3"
            },
            {
              "status": "affected",
              "version": "12.6(2)ES4"
            },
            {
              "status": "affected",
              "version": "12.6(2)ES5"
            },
            {
              "status": "affected",
              "version": "15.0(1)"
            },
            {
              "status": "affected",
              "version": "12.6(2)ES6"
            },
            {
              "status": "affected",
              "version": "15.0(1)ES202508"
            },
            {
              "status": "affected",
              "version": "15.0(1)ES202511"
            },
            {
              "status": "affected",
              "version": "15.0(1)ES202602"
            },
            {
              "status": "affected",
              "version": "15.0(1)SU1"
            },
            {
              "status": "affected",
              "version": "12.6(2)ES7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device, possibly leading to browser-based attacks.\r\n\r\nThis vulnerability is due to insufficient validation of user-supplied input for HTTP requests that are sent to an affected device. An attacker who has knowledge of the address of the affected device could exploit this vulnerability by persuading a user to click a crafted link that contains the affected device address. A successful exploit could allow the attacker to conduct browser-based attacks and execute arbitrary script code in the context of the affected interface or access sensitive information on the affected device."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "cvssV3_1"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "External Control of File Name or Path",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T16:06:15.233Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "cisco-sa-finesse-rfi-gwpkdc89",
          "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finesse-rfi-gwpkdc89"
        }
      ],
      "source": {
        "advisory": "cisco-sa-finesse-rfi-gwpkdc89",
        "defects": [
          "CSCws76655"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Cisco Finesse File Inclusion Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2026-20175",
    "datePublished": "2026-06-03T16:06:15.233Z",
    "dateReserved": "2025-10-08T11:59:15.392Z",
    "dateUpdated": "2026-06-03T17:46:00.557Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20872 (GCVE-0-2026-20872)

Vulnerability from cvelistv5 – Published: 2026-01-13 17:57 – Updated: 2026-04-01 13:49
VLAI
Title
NTLM Hash Disclosure Spoofing Vulnerability
Summary
External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-73 - External Control of File Name or Path
Assigner
Impacted products
Vendor Product Version
Microsoft Windows 10 Version 1607 Affected: 10.0.14393.0 , < 10.0.14393.8783 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 1809 Affected: 10.0.17763.0 , < 10.0.17763.8276 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 21H2 Affected: 10.0.19044.0 , < 10.0.19044.6809 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 22H2 Affected: 10.0.19045.0 , < 10.0.19045.6809 (custom)
Create a notification for this product.
Microsoft Windows 11 version 22H3 Affected: 10.0.22631.0 , < 10.0.22631.6491 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 23H2 Affected: 10.0.22631.0 , < 10.0.22631.6491 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 24H2 Affected: 10.0.26100.0 , < 10.0.26100.7623 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 25H2 Affected: 10.0.26200.0 , < 10.0.26200.7623 (custom)
Create a notification for this product.
Microsoft Windows Server 2008 R2 Service Pack 1 Affected: 6.1.7601.0 , < 6.1.7601.28117 (custom)
Create a notification for this product.
Microsoft Windows Server 2008 R2 Service Pack 1 (Server Core installation) Affected: 6.1.7601.0 , < 6.1.7601.28117 (custom)
Create a notification for this product.
Microsoft Windows Server 2008 Service Pack 2 Affected: 6.0.6003.0 , < 6.0.6003.23717 (custom)
Create a notification for this product.
Microsoft Windows Server 2008 Service Pack 2 (Server Core installation) Affected: 6.0.6003.0 , < 6.0.6003.23717 (custom)
Create a notification for this product.
Microsoft Windows Server 2012 Affected: 6.2.9200.0 , < 6.2.9200.25868 (custom)
Create a notification for this product.
Microsoft Windows Server 2012 (Server Core installation) Affected: 6.2.9200.0 , < 6.2.9200.25868 (custom)
Create a notification for this product.
Microsoft Windows Server 2012 R2 Affected: 6.3.9600.0 , < 6.3.9600.22968 (custom)
Create a notification for this product.
Microsoft Windows Server 2012 R2 (Server Core installation) Affected: 6.3.9600.0 , < 6.3.9600.22968 (custom)
Create a notification for this product.
Microsoft Windows Server 2016 Affected: 10.0.14393.0 , < 10.0.14393.8783 (custom)
Create a notification for this product.
Microsoft Windows Server 2016 (Server Core installation) Affected: 10.0.14393.0 , < 10.0.14393.8783 (custom)
Create a notification for this product.
Microsoft Windows Server 2019 Affected: 10.0.17763.0 , < 10.0.17763.8276 (custom)
Create a notification for this product.
Microsoft Windows Server 2019 (Server Core installation) Affected: 10.0.17763.0 , < 10.0.17763.8276 (custom)
Create a notification for this product.
Microsoft Windows Server 2022 Affected: 10.0.20348.0 , < 10.0.20348.4648 (custom)
Create a notification for this product.
Microsoft Windows Server 2022, 23H2 Edition (Server Core installation) Affected: 10.0.25398.0 , < 10.0.25398.2092 (custom)
Create a notification for this product.
Microsoft Windows Server 2025 Affected: 10.0.26100.0 , < 10.0.26100.32230 (custom)
Create a notification for this product.
Microsoft Windows Server 2025 (Server Core installation) Affected: 10.0.26100.0 , < 10.0.26100.32230 (custom)
Create a notification for this product.
Date Public
2026-01-13 16:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20872",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-13T20:07:20.075074Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-13T20:07:30.680Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-27T20:57:06.889Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2026-20872-detection-script-spoofing-vulnerability-in-windows-ntlm"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2026-20872-mitigation-script-spoofing-vulnerability-in-windows-ntlm"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 1607",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.8783",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 1809",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8276",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 21H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.19044.6809",
              "status": "affected",
              "version": "10.0.19044.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 22H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.19045.6809",
              "status": "affected",
              "version": "10.0.19045.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems"
          ],
          "product": "Windows 11 version 22H3",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.22631.6491",
              "status": "affected",
              "version": "10.0.22631.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 23H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.22631.6491",
              "status": "affected",
              "version": "10.0.22631.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 24H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.7623",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Windows 11 Version 25H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26200.7623",
              "status": "affected",
              "version": "10.0.26200.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2008 R2 Service Pack 1",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.1.7601.28117",
              "status": "affected",
              "version": "6.1.7601.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.1.7601.28117",
              "status": "affected",
              "version": "6.1.7601.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows Server 2008 Service Pack 2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.0.6003.23717",
              "status": "affected",
              "version": "6.0.6003.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows Server 2008 Service Pack 2 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.0.6003.23717",
              "status": "affected",
              "version": "6.0.6003.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2012",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.2.9200.25868",
              "status": "affected",
              "version": "6.2.9200.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2012 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.2.9200.25868",
              "status": "affected",
              "version": "6.2.9200.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2012 R2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.3.9600.22968",
              "status": "affected",
              "version": "6.3.9600.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2012 R2 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.3.9600.22968",
              "status": "affected",
              "version": "6.3.9600.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.8783",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2016 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.8783",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8276",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2019 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8276",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2022",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.20348.4648",
              "status": "affected",
              "version": "10.0.20348.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2022, 23H2 Edition (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.25398.2092",
              "status": "affected",
              "version": "10.0.25398.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2025",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.32230",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2025 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.32230",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.17763.8276",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.17763.8276",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.17763.8276",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.20348.4648",
                  "versionStartIncluding": "10.0.20348.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.19044.6809",
                  "versionStartIncluding": "10.0.19044.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.19045.6809",
                  "versionStartIncluding": "10.0.19045.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.26100.32230",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.26200.7623",
                  "versionStartIncluding": "10.0.26200.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.22631.6491",
                  "versionStartIncluding": "10.0.22631.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.22631.6491",
                  "versionStartIncluding": "10.0.22631.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.25398.2092",
                  "versionStartIncluding": "10.0.25398.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.26100.7623",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.26100.32230",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.14393.8783",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.14393.8783",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.14393.8783",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2008_sp2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.0.6003.23717",
                  "versionStartIncluding": "6.0.6003.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2008_sp2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.0.6003.23717",
                  "versionStartIncluding": "6.0.6003.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2008_R2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.1.7601.28117",
                  "versionStartIncluding": "6.1.7601.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2008_R2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.1.7601.28117",
                  "versionStartIncluding": "6.1.7601.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.2.9200.25868",
                  "versionStartIncluding": "6.2.9200.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.2.9200.25868",
                  "versionStartIncluding": "6.2.9200.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.3.9600.22968",
                  "versionStartIncluding": "6.3.9600.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.3.9600.22968",
                  "versionStartIncluding": "6.3.9600.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-01-13T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73: External Control of File Name or Path",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T13:49:11.105Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "NTLM Hash Disclosure Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20872"
        }
      ],
      "title": "NTLM Hash Disclosure Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-20872",
    "datePublished": "2026-01-13T17:57:00.955Z",
    "dateReserved": "2025-12-03T05:54:20.382Z",
    "dateUpdated": "2026-04-01T13:49:11.105Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phase: Architecture and Design

Description:

  • When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.
Mitigation

Phases: Architecture and Design, Operation

Description:

  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict all access to files within a particular directory.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation

Phase: Architecture and Design

Description:

  • For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation ID: MIT-5.1

Phase: Implementation

Strategy: Input Validation

Description:

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation

Phase: Implementation

Description:

  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59).
Mitigation

Phases: Installation, Operation

Description:

  • Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.
Mitigation

Phases: Operation, Implementation

Description:

  • If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.
Mitigation

Phase: Testing

Description:

  • Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
CAPEC-13: Subverting Environment Variable Values

The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.

CAPEC-267: Leverage Alternate Encoding

An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard.

CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic

This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.

CAPEC-72: URL Encoding

This attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

CAPEC-78: Using Escaped Slashes in Alternate Encoding

This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.

CAPEC-79: Using Slashes in Alternate Encoding

This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.

CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic

This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.

Back to CWE stats page