<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Sat, 11 Jul 2026 12:24:02 +0000</lastBuildDate>
    <item>
      <title>795f4f91-4bcf-49a2-8075-fe8c7d0aa66b</title>
      <link>https://vulnerability.circl.lu/sighting/795f4f91-4bcf-49a2-8075-fe8c7d0aa66b/export</link>
      <description>{"uuid": "795f4f91-4bcf-49a2-8075-fe8c7d0aa66b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-35381", "type": "seen", "source": "https://gist.github.com/alon710/61c7500d7ede6fc47b0cecdd16d710a9", "content": "# CVE-2026-35381: CVE-2026-35381: Logic Error and Parameter Mismatch in uutils coreutils cut Utility\n\n&amp;gt; **CVSS Score:** 3.3\n&amp;gt; **Published:** 2026-07-06\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-35381\n\n## Summary\nA logic error in the cut utility of uutils coreutils prior to version 0.8.0 causes the utility to ignore the -s (suppress non-delimited records) flag when invoked with the zero-terminated (-z) and empty delimiter (-d '') flags in combination. This results in unintended preservation of undelimited input streams, which breaks the functional parity with GNU coreutils and leads to potential data integrity issues in automated data processing pipelines.\n\n## TL;DR\nA logic error and parameter-ordering mismatch in the cut utility of Rust-written uutils coreutils causes the -s flag to be ignored when used alongside -z and -d ''. This allows undelimited data to bypass suppression filters, presenting a data integrity and parsing injection risk.\n\n## Technical Details\n\n- **CWE ID**: CWE-684 (Incorrect Provision of Specified Functionality)\n- **Attack Vector**: Local (AV:L)\n- **CVSS Score**: 3.3\n- **EPSS Score**: 0.00149\n- **Impact**: Low Integrity Impact\n- **Exploit Status**: none/theoretical\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Linux distributions packaging uutils coreutils\n- Rust applications utilizing the uu_cut library crate\n- **uutils coreutils**: &amp;lt; 0.8.0 (Fixed in: `0.8.0`)\n- **uu_cut**: &amp;lt; 0.2.2 (Fixed in: `0.2.2`)\n\n## Mitigation\n\n- Upgrade uutils coreutils to version 0.8.0 or later.\n- In Cargo environments, update the uu_cut crate to version 0.2.2 or higher.\n- Avoid combining the -z, -d '', and -s flags in vulnerable environments.\n- Implement auxiliary filtering using utilities like grep or awk to drop non-delimited records before sending them to cut.\n\n**Remediation Steps:**\n1. Identify the deployed version of uutils coreutils by running the system-level binary with the --version flag.\n2. If the version is prior to 0.8.0, download and compile the updated uutils coreutils source code from the official repository or install the updated distribution package.\n3. For Rust applications wrapping uu_cut, edit the Cargo.toml file to enforce a minimum dependency version of 0.2.2 for uu_cut.\n4. Test pipelines by feeding a null-terminated string containing no delimiter to ensure that the suppress flag (-s) functions correctly.\n\n## References\n\n- [CVE-2026-35381 Record on CVE.org](https://www.cve.org/CVERecord?id=CVE-2026-35381)\n- [National Vulnerability Database CVE-2026-35381 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-35381)\n- [uutils coreutils v0.8.0 Release Page](https://github.com/uutils/coreutils/releases/tag/0.8.0)\n- [Wiz Vulnerability Database - CVE-2026-35381](https://www.wiz.io/vulnerability-database/cve/cve-2026-35381)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-35381) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-07T00:00:03.125284Z"}</description>
      <content:encoded>{"uuid": "795f4f91-4bcf-49a2-8075-fe8c7d0aa66b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-35381", "type": "seen", "source": "https://gist.github.com/alon710/61c7500d7ede6fc47b0cecdd16d710a9", "content": "# CVE-2026-35381: CVE-2026-35381: Logic Error and Parameter Mismatch in uutils coreutils cut Utility\n\n&amp;gt; **CVSS Score:** 3.3\n&amp;gt; **Published:** 2026-07-06\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-35381\n\n## Summary\nA logic error in the cut utility of uutils coreutils prior to version 0.8.0 causes the utility to ignore the -s (suppress non-delimited records) flag when invoked with the zero-terminated (-z) and empty delimiter (-d '') flags in combination. This results in unintended preservation of undelimited input streams, which breaks the functional parity with GNU coreutils and leads to potential data integrity issues in automated data processing pipelines.\n\n## TL;DR\nA logic error and parameter-ordering mismatch in the cut utility of Rust-written uutils coreutils causes the -s flag to be ignored when used alongside -z and -d ''. This allows undelimited data to bypass suppression filters, presenting a data integrity and parsing injection risk.\n\n## Technical Details\n\n- **CWE ID**: CWE-684 (Incorrect Provision of Specified Functionality)\n- **Attack Vector**: Local (AV:L)\n- **CVSS Score**: 3.3\n- **EPSS Score**: 0.00149\n- **Impact**: Low Integrity Impact\n- **Exploit Status**: none/theoretical\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Linux distributions packaging uutils coreutils\n- Rust applications utilizing the uu_cut library crate\n- **uutils coreutils**: &amp;lt; 0.8.0 (Fixed in: `0.8.0`)\n- **uu_cut**: &amp;lt; 0.2.2 (Fixed in: `0.2.2`)\n\n## Mitigation\n\n- Upgrade uutils coreutils to version 0.8.0 or later.\n- In Cargo environments, update the uu_cut crate to version 0.2.2 or higher.\n- Avoid combining the -z, -d '', and -s flags in vulnerable environments.\n- Implement auxiliary filtering using utilities like grep or awk to drop non-delimited records before sending them to cut.\n\n**Remediation Steps:**\n1. Identify the deployed version of uutils coreutils by running the system-level binary with the --version flag.\n2. If the version is prior to 0.8.0, download and compile the updated uutils coreutils source code from the official repository or install the updated distribution package.\n3. For Rust applications wrapping uu_cut, edit the Cargo.toml file to enforce a minimum dependency version of 0.2.2 for uu_cut.\n4. Test pipelines by feeding a null-terminated string containing no delimiter to ensure that the suppress flag (-s) functions correctly.\n\n## References\n\n- [CVE-2026-35381 Record on CVE.org](https://www.cve.org/CVERecord?id=CVE-2026-35381)\n- [National Vulnerability Database CVE-2026-35381 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-35381)\n- [uutils coreutils v0.8.0 Release Page](https://github.com/uutils/coreutils/releases/tag/0.8.0)\n- [Wiz Vulnerability Database - CVE-2026-35381](https://www.wiz.io/vulnerability-database/cve/cve-2026-35381)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-35381) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-07T00:00:03.125284Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/795f4f91-4bcf-49a2-8075-fe8c7d0aa66b/export</guid>
      <pubDate>Tue, 07 Jul 2026 00:00:03 +0000</pubDate>
    </item>
    <item>
      <title>be9e7086-73df-4d51-9f99-4def24243afe</title>
      <link>https://vulnerability.circl.lu/sighting/be9e7086-73df-4d51-9f99-4def24243afe/export</link>
      <description>{"uuid": "be9e7086-73df-4d51-9f99-4def24243afe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-35381", "type": "seen", "source": "https://gist.github.com/alon710/61c7500d7ede6fc47b0cecdd16d710a9", "content": "# CVE-2026-35381: CVE-2026-35381: Logic Error and Parameter Mismatch in uutils coreutils cut Utility\n\n&amp;gt; **CVSS Score:** 3.3\n&amp;gt; **Published:** 2026-07-06\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-35381\n\n## Summary\nA logic error in the cut utility of uutils coreutils prior to version 0.8.0 causes the utility to ignore the -s (suppress non-delimited records) flag when invoked with the zero-terminated (-z) and empty delimiter (-d '') flags in combination. This results in unintended preservation of undelimited input streams, which breaks the functional parity with GNU coreutils and leads to potential data integrity issues in automated data processing pipelines.\n\n## TL;DR\nA logic error and parameter-ordering mismatch in the cut utility of Rust-written uutils coreutils causes the -s flag to be ignored when used alongside -z and -d ''. This allows undelimited data to bypass suppression filters, presenting a data integrity and parsing injection risk.\n\n## Technical Details\n\n- **CWE ID**: CWE-684 (Incorrect Provision of Specified Functionality)\n- **Attack Vector**: Local (AV:L)\n- **CVSS Score**: 3.3\n- **EPSS Score**: 0.00149\n- **Impact**: Low Integrity Impact\n- **Exploit Status**: none/theoretical\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Linux distributions packaging uutils coreutils\n- Rust applications utilizing the uu_cut library crate\n- **uutils coreutils**: &amp;lt; 0.8.0 (Fixed in: `0.8.0`)\n- **uu_cut**: &amp;lt; 0.2.2 (Fixed in: `0.2.2`)\n\n## Mitigation\n\n- Upgrade uutils coreutils to version 0.8.0 or later.\n- In Cargo environments, update the uu_cut crate to version 0.2.2 or higher.\n- Avoid combining the -z, -d '', and -s flags in vulnerable environments.\n- Implement auxiliary filtering using utilities like grep or awk to drop non-delimited records before sending them to cut.\n\n**Remediation Steps:**\n1. Identify the deployed version of uutils coreutils by running the system-level binary with the --version flag.\n2. If the version is prior to 0.8.0, download and compile the updated uutils coreutils source code from the official repository or install the updated distribution package.\n3. For Rust applications wrapping uu_cut, edit the Cargo.toml file to enforce a minimum dependency version of 0.2.2 for uu_cut.\n4. Test pipelines by feeding a null-terminated string containing no delimiter to ensure that the suppress flag (-s) functions correctly.\n\n## References\n\n- [CVE-2026-35381 Record on CVE.org](https://www.cve.org/CVERecord?id=CVE-2026-35381)\n- [National Vulnerability Database CVE-2026-35381 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-35381)\n- [uutils coreutils v0.8.0 Release Page](https://github.com/uutils/coreutils/releases/tag/0.8.0)\n- [Wiz Vulnerability Database - CVE-2026-35381](https://www.wiz.io/vulnerability-database/cve/cve-2026-35381)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-35381) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-06T22:51:38.357815Z"}</description>
      <content:encoded>{"uuid": "be9e7086-73df-4d51-9f99-4def24243afe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-35381", "type": "seen", "source": "https://gist.github.com/alon710/61c7500d7ede6fc47b0cecdd16d710a9", "content": "# CVE-2026-35381: CVE-2026-35381: Logic Error and Parameter Mismatch in uutils coreutils cut Utility\n\n&amp;gt; **CVSS Score:** 3.3\n&amp;gt; **Published:** 2026-07-06\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-35381\n\n## Summary\nA logic error in the cut utility of uutils coreutils prior to version 0.8.0 causes the utility to ignore the -s (suppress non-delimited records) flag when invoked with the zero-terminated (-z) and empty delimiter (-d '') flags in combination. This results in unintended preservation of undelimited input streams, which breaks the functional parity with GNU coreutils and leads to potential data integrity issues in automated data processing pipelines.\n\n## TL;DR\nA logic error and parameter-ordering mismatch in the cut utility of Rust-written uutils coreutils causes the -s flag to be ignored when used alongside -z and -d ''. This allows undelimited data to bypass suppression filters, presenting a data integrity and parsing injection risk.\n\n## Technical Details\n\n- **CWE ID**: CWE-684 (Incorrect Provision of Specified Functionality)\n- **Attack Vector**: Local (AV:L)\n- **CVSS Score**: 3.3\n- **EPSS Score**: 0.00149\n- **Impact**: Low Integrity Impact\n- **Exploit Status**: none/theoretical\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Linux distributions packaging uutils coreutils\n- Rust applications utilizing the uu_cut library crate\n- **uutils coreutils**: &amp;lt; 0.8.0 (Fixed in: `0.8.0`)\n- **uu_cut**: &amp;lt; 0.2.2 (Fixed in: `0.2.2`)\n\n## Mitigation\n\n- Upgrade uutils coreutils to version 0.8.0 or later.\n- In Cargo environments, update the uu_cut crate to version 0.2.2 or higher.\n- Avoid combining the -z, -d '', and -s flags in vulnerable environments.\n- Implement auxiliary filtering using utilities like grep or awk to drop non-delimited records before sending them to cut.\n\n**Remediation Steps:**\n1. Identify the deployed version of uutils coreutils by running the system-level binary with the --version flag.\n2. If the version is prior to 0.8.0, download and compile the updated uutils coreutils source code from the official repository or install the updated distribution package.\n3. For Rust applications wrapping uu_cut, edit the Cargo.toml file to enforce a minimum dependency version of 0.2.2 for uu_cut.\n4. Test pipelines by feeding a null-terminated string containing no delimiter to ensure that the suppress flag (-s) functions correctly.\n\n## References\n\n- [CVE-2026-35381 Record on CVE.org](https://www.cve.org/CVERecord?id=CVE-2026-35381)\n- [National Vulnerability Database CVE-2026-35381 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-35381)\n- [uutils coreutils v0.8.0 Release Page](https://github.com/uutils/coreutils/releases/tag/0.8.0)\n- [Wiz Vulnerability Database - CVE-2026-35381](https://www.wiz.io/vulnerability-database/cve/cve-2026-35381)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-35381) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-06T22:51:38.357815Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/be9e7086-73df-4d51-9f99-4def24243afe/export</guid>
      <pubDate>Mon, 06 Jul 2026 22:51:38 +0000</pubDate>
    </item>
    <item>
      <title>89925e9b-ec22-4174-a707-3e7fafe25186</title>
      <link>https://vulnerability.circl.lu/sighting/89925e9b-ec22-4174-a707-3e7fafe25186/export</link>
      <description>{"uuid": "89925e9b-ec22-4174-a707-3e7fafe25186", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35381", "type": "seen", "source": "https://gist.github.com/alon710/b10b20af35b7bf752b36e152bb72f112", "content": "# CVE-2026-35381: CVE-2026-35381: Input Sanitization and Logic Bypass in uutils coreutils cut Utility\n\n&amp;gt; **CVSS Score:** 3.3\n&amp;gt; **Published:** 2026-07-06\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-35381\n\n## Summary\nA critical argument order mismatch in the Rust implementation of GNU coreutils (uutils/coreutils) causes the cut utility to ignore the only-delimited (-s) flag when zero-terminated (-z) and empty-delimiter (-d '') options are combined. This logic bypass allows unvalidated inputs to propagate downstream, presenting data integrity risks.\n\n## TL;DR\nAn argument mismatch in uutils cut causes the -s flag to be ignored when paired with -z and -d '', allowing malformed inputs to bypass stream sanitization filters.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-684\n- **Attack Vector**: Local (AV:L)\n- **CVSS v3.1 Score**: 3.3 (Low)\n- **EPSS Score**: 0.00149 (0.15%)\n- **Impact**: Data Integrity Bypass\n- **Exploit Status**: Proof-of-Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- uutils/coreutils cut utility version &amp;lt; 0.8.0\n- Embedded environments or container images running rust-based coreutils implementations\n- **uutils/coreutils**: &amp;lt; 0.8.0 (Fixed in: `0.8.0`)\n\n## Mitigation\n\n- Upgrade to uutils/coreutils 0.8.0 or newer.\n- Avoid using combined -z, -d '', and -s configurations in legacy deployments.\n- Implement pre-validation steps using grep -z before data processing.\n\n**Remediation Steps:**\n1. Identify all installations of uutils/coreutils across application servers and container base images.\n2. Update the packages via the respective system package manager (e.g., apt-get install --only-upgrade uutils-coreutils) or cargo install coreutils --locked --force.\n3. Audit automated shell pipelines for pattern sequences matching 'cut -z -d \"\" -s' or 'cut -z -d \\'\\' -s'.\n4. Implement input sanitization fallbacks where immediate software updates are restricted by change controls.\n\n## References\n\n- [CVE-2026-35381 Record](https://www.cve.org/CVERecord?id=CVE-2026-35381)\n- [Official Fix Commit](https://github.com/uutils/coreutils/commit/483f13e91830c468262aa1e010e753d6ae99c898)\n- [Fix Pull Request #11394](https://github.com/uutils/coreutils/pull/11394)\n- [uutils/coreutils v0.8.0 Release Notes](https://github.com/uutils/coreutils/releases/tag/0.8.0)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-35381) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-06T22:41:49.132185Z"}</description>
      <content:encoded>{"uuid": "89925e9b-ec22-4174-a707-3e7fafe25186", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35381", "type": "seen", "source": "https://gist.github.com/alon710/b10b20af35b7bf752b36e152bb72f112", "content": "# CVE-2026-35381: CVE-2026-35381: Input Sanitization and Logic Bypass in uutils coreutils cut Utility\n\n&amp;gt; **CVSS Score:** 3.3\n&amp;gt; **Published:** 2026-07-06\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-35381\n\n## Summary\nA critical argument order mismatch in the Rust implementation of GNU coreutils (uutils/coreutils) causes the cut utility to ignore the only-delimited (-s) flag when zero-terminated (-z) and empty-delimiter (-d '') options are combined. This logic bypass allows unvalidated inputs to propagate downstream, presenting data integrity risks.\n\n## TL;DR\nAn argument mismatch in uutils cut causes the -s flag to be ignored when paired with -z and -d '', allowing malformed inputs to bypass stream sanitization filters.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-684\n- **Attack Vector**: Local (AV:L)\n- **CVSS v3.1 Score**: 3.3 (Low)\n- **EPSS Score**: 0.00149 (0.15%)\n- **Impact**: Data Integrity Bypass\n- **Exploit Status**: Proof-of-Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- uutils/coreutils cut utility version &amp;lt; 0.8.0\n- Embedded environments or container images running rust-based coreutils implementations\n- **uutils/coreutils**: &amp;lt; 0.8.0 (Fixed in: `0.8.0`)\n\n## Mitigation\n\n- Upgrade to uutils/coreutils 0.8.0 or newer.\n- Avoid using combined -z, -d '', and -s configurations in legacy deployments.\n- Implement pre-validation steps using grep -z before data processing.\n\n**Remediation Steps:**\n1. Identify all installations of uutils/coreutils across application servers and container base images.\n2. Update the packages via the respective system package manager (e.g., apt-get install --only-upgrade uutils-coreutils) or cargo install coreutils --locked --force.\n3. Audit automated shell pipelines for pattern sequences matching 'cut -z -d \"\" -s' or 'cut -z -d \\'\\' -s'.\n4. Implement input sanitization fallbacks where immediate software updates are restricted by change controls.\n\n## References\n\n- [CVE-2026-35381 Record](https://www.cve.org/CVERecord?id=CVE-2026-35381)\n- [Official Fix Commit](https://github.com/uutils/coreutils/commit/483f13e91830c468262aa1e010e753d6ae99c898)\n- [Fix Pull Request #11394](https://github.com/uutils/coreutils/pull/11394)\n- [uutils/coreutils v0.8.0 Release Notes](https://github.com/uutils/coreutils/releases/tag/0.8.0)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-35381) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-06T22:41:49.132185Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/89925e9b-ec22-4174-a707-3e7fafe25186/export</guid>
      <pubDate>Mon, 06 Jul 2026 22:41:49 +0000</pubDate>
    </item>
  </channel>
</rss>
