CVE Catalog

Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.

Jun 8, 2026

Linux Kernel PolarFire SoC Out-of-Bounds Access Vulnerability in Clock Driver

A vulnerability in the Linux kernel clock driver for Microchip PolarFire SoC has been addressed. The issue involved an out-of-bounds access during the registration of output dividers for certain clock IDs. This occurred because the driver only allocated space for two Phase-Locked Loops (PLLs) and their corresponding output dividers, while the defined IDs included two Delay-Locked Loops (DLLs) and their outputs, which the driver does not support. The vulnerability has been fixed by adjusting the output IDs to prevent the out-of-bounds access.

6.4
Jun 8, 2026

Linux Kernel Power Management Domain Detach Procedure Improvement

A vulnerability in the Linux kernel's power management domain handling for virtual devices has been addressed. When a device is attached to a power management (PM) domain, the kernel enables runtime PM for the virtual device. However, there was no mechanism to disable runtime PM when the device is detached from the PM domain. This oversight could lead to runtime PM remaining active for detached virtual devices, causing potential NULL pointer dereference errors and unnecessary performance state votes. The vulnerability affects the Linux kernel stable tree.

5.9
Jun 8, 2026

Linux Kernel HMAC Key Dump Guard Vulnerability in CAAM Crypto Driver

A vulnerability in the Linux kernel's CAAM crypto driver has been addressed. The issue involved improper handling of HMAC key hex dumps, which could lead to unintentional leakage of sensitive key information at runtime, especially when dynamic debugging was enabled. The vulnerability affected the hash_digest_key function, where the HMAC key bytes were dumped in a way that could expose secrets. This issue has been resolved by modifying the key dumping method to a more secure approach.

6.5
Jun 8, 2026

Linux Kernel EFI Graceful Fault Handling Vulnerability After FPU Softirq Changes

A vulnerability in the Linux kernel's EFI handling can lead to system freezes. This issue arises from changes in how the kernel manages floating-point operations during EFI runtime service calls. The problem was introduced in a commit that aimed to improve cryptographic performance by allowing kernel-mode floating-point operations to be safely used in softirqs. However, this change inadvertently caused the EFI fault handler to misinterpret the task context, leading to unhandled page faults on systems with problematic firmware. As a result, instead of a graceful recovery, the system experiences a severe hang.

6.3
Jun 8, 2026

Linux Kernel Scatterlist Length Calculation Vulnerability in IOV Iteration Extraction

A vulnerability exists in the Linux kernel's handling of scatterlist length calculations when extracting data from kvec and user buffers. This issue, present in versions from 6.3 up to, but not including, 6.5, can lead to incorrect length calculations that allow an sglist entry to exceed the actual number of bytes in a page. Additionally, when extracting user buffers, the sglist is used as a temporary scratch space for page pointers, which can overlap with existing sglist entries if not managed properly. The vulnerability was introduced in kernel 6.3 and remained unaddressed until the extraction function was revised in version 6.5. The flaw has been documented and tested, with the necessary fix applied in the latest version.

6.8
Jun 8, 2026

Linux Kernel Unittest Component Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's unittest component. The issue arises in the 'of_unittest_changeset' function, where the 'parent' variable is assigned the same value as 'nchangeset', pointing to the same struct device_node. The vulnerability occurs when 'of_node_put(nchangeset)' is called, potentially freeing the node if no other references exist. Subsequently, the code still uses 'parent' to access properties, leading to a use-after-free condition. This vulnerability affects the Linux kernel stable tree.

6.3
Jun 8, 2026

Linux Kernel TXGBE Driver RTNL Assertion Warning During Module Removal

A vulnerability in the Linux kernel's TXGBE network driver can lead to a Real-Time Networking Layer (RTNL) assertion failure. This issue occurs when the driver disconnects from the physical layer (PHY) during module removal, particularly for copper network interface cards (NICs) with external PHYs. The problem arises because the disconnection process triggers an assertion warning, indicating a potential flaw in how the driver manages its connection to the PHY when the module is unloaded.

6.2
Jun 8, 2026

Linux Kernel Array Overflow Vulnerability in QCOM LED Driver

An array overflow vulnerability has been identified in the Linux kernel's QCOM LED driver. This issue arises when high-resolution values are selected from an array using the FIELD_GET() macro, which retrieves data from a 3-bit register. The problem occurs because a 3-bit field can hold eight distinct values, while the array being accessed contains only five, creating a risk of reading random data. Although the hardware is likely functioning correctly, it is essential to implement proper checks to prevent overflow and ensure that only valid data is read before configuring chip values.

6.7
Jun 8, 2026

Linux Kernel Use-After-Free Vulnerability in MTD DOCG3 Release Function

A use-after-free vulnerability has been identified in the Linux kernel's MTD DOCG3 driver. The issue arises in the 'docg3_release' function, where a pointer to a 'docg3' structure is obtained from 'cascade->floors[0]->priv' before a loop that calls 'doc_release_device()' on each floor. The 'doc_release_device()' function frees the 'docg3' structure, leading to a dereference of a freed pointer when accessing 'docg3->cascade->bch' after the loop. This vulnerability affects the Linux kernel stable tree.

6.4
Jun 8, 2026

Linux Kernel Hugetlb Early Boot Parameter Parsing Vulnerability

A vulnerability in the Linux kernel's handling of hugepage parameters during early boot has been fixed. When hugepages, hugepagesz, or default_hugepagesz are specified on the kernel command line without the '=' separator, the parameter parsing incorrectly passes a NULL value to the 'hugetlb_add_param()' function. This NULL dereference can lead to a system crash. The vulnerability has been addressed by modifying 'hugetlb_add_param()' to reject NULL values and return an error instead.

6.3
Jun 8, 2026

Linux Kernel TPM Auth Session Memory Management Vulnerability

A vulnerability exists in the Linux kernel's handling of TPM (Trusted Platform Module) authentication session data. The issue arises in the 'tpm_dev_release()' function, which uses the standard 'kfree()' to deallocate memory containing sensitive cryptographic information, such as HMAC session keys, nonces, and passphrase data. This approach leaves critical data in freed memory until it is overwritten, creating a potential security risk. In contrast, other functions that manage this data correctly use 'kfree_sensitive()' to clear the information before freeing it. This vulnerability affects Linux kernel versions 6.10 and later.

6.5
Jun 8, 2026

Linux Kernel ADMV1013 Driver NULL Pointer Dereference Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel ADMV1013 driver. When the function 'device_property_read_string()' fails, the string variable 'str' remains uninitialized. The code then proceeds to compare 'str' using 'strcmp()', which leads to dereferencing a garbage pointer. This vulnerability has been addressed by replacing the manual string read and comparison with 'device_property_match_property_string()'. Additionally, the single-ended mode enums have been consolidated into a sequential enum, mapping to hardware register values via a switch, in line with other bitfields in the driver. This issue affects the Linux kernel IIO frequency ADMV1013 driver.

6.3
Jun 8, 2026

Linux Kernel Buffer Overflow Vulnerability in Vmalloc Reallocation Function

A buffer overflow vulnerability has been identified in the Linux kernel's memory management component, specifically within the 'vmalloc' subsystem. The issue arises in the 'vrealloc_node_align' function, where a new allocation can inadvertently lead to an out-of-bounds write. This occurs when the function is used to shrink an allocation while simultaneously enforcing alignment or NUMA node constraints, causing data to be copied beyond the bounds of the newly allocated buffer.

6.4
Jun 8, 2026

Linux Kernel Device Page Migration Vulnerability in HMM Selftests

A use-after-free vulnerability has been identified in the Linux kernel's handling of device private pages during the release of certain file operations. This issue arises in the 'test_hmm' library, specifically within the 'dmirror_fops_release' function. When this function is called, it frees the 'dmirror' structure without first migrating device private pages back to system memory. As a result, these pages are left with a dangling pointer to the freed structure. If a fault occurs on these pages later, such as during a core dump, it can lead to a kernel panic by dereferencing the stale pointer. This vulnerability was reported while running the HMM kernel self-tests on arm64, where a test failure caused a similar fault, triggering the panic.

6.5
Jun 8, 2026

Linux Kernel Page Allocation Tagging Vulnerability

A vulnerability in the Linux kernel's memory allocation system can lead to uninitialized codetags for certain pages. This issue arises because the page extension, which manages codetags, is not fully initialized during the early boot process. As a result, some pages allocated before this initialization lack a proper codetag. This vulnerability is particularly relevant when the kernel is configured with memory allocation profiling enabled, as it can trigger warnings related to the missing codetag when these pages are freed.

6.4
Jun 8, 2026

Linux Kernel NULL Pointer Dereference Vulnerability in DRM Imagination Subsystem

A NULL pointer dereference vulnerability has been identified in the Linux kernel's DRM imagination component. This issue leads to a segmentation fault when updating the ftrace mask, causing an invalid data access. The vulnerability arises from incorrect data being passed to a debugfs entry, which can be exploited by writing to the 'trace_mask' file in the debugfs.

6.3
Jun 8, 2026

Linux Kernel Device Folio Management Vulnerability in Zone Device Memory Handling

A vulnerability has been identified in the Linux kernel's handling of device folios within the zone device memory management. After a device folio is freed, its contents can be quickly altered by a driver, potentially leading to inconsistencies. The vulnerability arises because the kernel code may attempt to access the folio again to retrieve the page map, not accounting for the possibility that the folio has been reallocated. This issue affects the Linux kernel stable tree.

6.0
Jun 8, 2026

Linux Kernel AMDGPU Zero-Size GDS Range Initialization Vulnerability on RDNA4 Hardware Causes Kernel Crash

A vulnerability in the Linux kernel's AMDGPU driver for RDNA4 (GFX 12) hardware has been identified, where the removal of certain on-chip memory resources leads to a kernel crash. The issue arises because the initialization code correctly sets the sizes of these resources to zero, reflecting their absence. However, the resource manager initialization process does not account for this, causing a crash during the module loading process for the AMDGPU driver on affected graphics cards, such as the RX 9070 XT. The problem has been present since the hardware was released over a year ago, but it was only recently reported.

6.3
Jun 8, 2026

Hyperledger Fabric Chaincode Java TLS Private Key Password Logging Vulnerability

A vulnerability exists in Hyperledger Fabric Chaincode Java versions from 2.3.1 up to, but not including, 2.5.10, when deployed in chaincode-as-a-service mode with TLS enabled. The chaincode server's INFO level logs inadvertently include the TLS private key password in plaintext. An attacker with access to these logs could retrieve the password, and if they also obtain the TLS private key, they could impersonate the chaincode server.

1.9
Jun 8, 2026

ninenines cowlib HTTP Response Splitting Vulnerability

A vulnerability allowing HTTP response splitting has been identified in ninenines cowlib version 2.9.0 and later. This issue arises from improper handling of non-visible characters in structured-fields string values, which can be exploited to inject carriage return and line feed sequences into HTTP headers. The cow_http_struct_hd:escape_string/2 function fails to adequately escape these bytes, creating a mismatch between the encoding and parsing of header values. As a result, applications that use cow_http_struct_hd:item/1 to build structured HTTP headers from untrusted input may inadvertently introduce CRLF injection, facilitating HTTP response splitting attacks.

3.9
Jun 8, 2026

AdGuard Home Authentication Bypass Vulnerability in GLiNET Mode Allowing Admin Access

An authentication bypass vulnerability has been identified in AdGuard Home versions prior to 0.107.77, when the application is started with the --glinet flag. This vulnerability allows unauthenticated attackers to gain full administrative access by injecting a path traversal sequence into the Admin-Token cookie. The issue arises from unsanitized string concatenation in the token file path construction within the authglinet middleware, enabling attackers to redirect file reads to arbitrary paths.

5.6
Jun 8, 2026

STACKIT IaaS API Missing Authorization Check Vulnerability Allowing Privilege Escalation

A missing authorization check vulnerability has been identified in the STACKIT IaaS API, affecting versions prior to the 2026-05-28 update. This vulnerability allows authenticated, low-privileged attackers to escalate privileges and compromise entire organizations. By attaching arbitrary service accounts to virtual machines they control, attackers can exploit the unvalidated PUT servers service-accounts endpoint to gain access to high-privileged service accounts. This access enables them to query the Instance Metadata Service for OAuth2 tokens, bypass tenant boundaries, and gain unauthorized control over the organization's environment.

2.5
Jun 8, 2026

OpenBullet2 NTLMv2 Hash Disclosure Vulnerability via UNC Path Proxy Source

A credential disclosure vulnerability exists in OpenBullet2 versions through 0.3.2 on Windows. This vulnerability allows remote attackers to capture the NTLMv2 hash of the process user. Exploitation involves configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job is executed, the application attempts to load proxies from the UNC path, inadvertently triggering an SMB authentication attempt that discloses the NTLMv2 hash. This hash can then be relayed or cracked offline.

3.7
Jun 8, 2026

OpenBullet2 Authenticated Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in OpenBullet2 versions through 0.3.2. This vulnerability allows authenticated users to execute arbitrary C# code on the server by creating or modifying job configurations. The plain C# execution mode, which lacks reference filtering or API restrictions, can be exploited to access the file system, spawn processes, and invoke arbitrary .NET APIs as the process user.

4.0
Jun 8, 2026

OpenBullet2 Remote Code Execution Vulnerability via FileProxySource Script Upload

A remote code execution vulnerability has been identified in OpenBullet2 versions through 0.3.2. This vulnerability allows authenticated users to execute arbitrary commands by uploading script files with extensions .bat, .ps1, or .sh through the FileProxySource proxy loading feature. Once uploaded as proxy sources, the server executes these scripts and returns the output as proxy lines, enabling command execution on the host as the process user.

4.0
Jun 8, 2026

OpenBullet2 Path Traversal Vulnerability in Wordlist Endpoint Allows Arbitrary File Operations and Remote Code Execution

A path traversal vulnerability has been identified in OpenBullet2 versions through 0.3.2, specifically within the wordlist endpoint. This vulnerability allows authenticated attackers to read, write, and delete arbitrary files by providing unsanitized absolute paths to the upload handler and wordlist functions. Exploitation of this vulnerability can lead to remote code execution by manipulating critical system files, such as /etc/passwd, since the application runs as root by default.

4.0
Jun 8, 2026

OpenBullet2 Authentication Bypass Vulnerability via Empty X-Api-Key Header

An authentication bypass vulnerability has been identified in OpenBullet2 versions through 0.3.2. This vulnerability resides in the API key authentication middleware, where unauthenticated attackers can gain admin access by sending an empty X-Api-Key header. The exploitation takes advantage of the middleware's comparison of the header value against a default empty AdminApiKey string, allowing access to the admin console and all API endpoints without valid credentials.

4.7
Jun 8, 2026

389 Directory Server Unbounded Memory Growth Vulnerability in Content Synchronization Plugin Allowing Denial-of-Service

A denial-of-service vulnerability has been identified in 389 Directory Server versions 11, 12, 13, and in the 389-ds-base package of Red Hat Enterprise Linux 7, 8, and 9. The issue arises in the Content Synchronization persistent search plugin, where unbounded memory growth occurs when an authenticated client halts reading synchronization responses. This can lead to memory exhaustion and server crashes. Additionally, race conditions in the plugin's thread lifecycle may cause crashes during connection teardown or shutdown.

3.5
Jun 8, 2026

imvks786 Student Management System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the imvks786 student management system, affecting versions up to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46. The issue arises in the file add.php, where user input from fields such as name and address is directly inserted into an SQL query without proper sanitization. This allows for the injection of malicious scripts, which are executed when the data is viewed on various pages, including see.php and std_home/std_profile.php. The vulnerability can be exploited remotely, and the injected scripts run in the context of the user's browser, potentially leading to session hijacking and unauthorized access to user accounts.

3.8
Jun 8, 2026

imvks786 Student Management System Improper Authorization Vulnerability in Student Deletion Endpoint

A broken access control vulnerability has been identified in the imvks786 student_management_system, affecting versions prior to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46. The issue resides in the student deletion endpoint within the file see.php. The vulnerability allows users with only VIEW permissions to delete student records by manipulating the del parameter. This deletion occurs before the system verifies the user's authorization level, enabling unauthorized record removal. The vulnerability can be exploited remotely, and has been publicly disclosed.

3.8
Jun 8, 2026

imvks786 Student Management System Improper Access Control Vulnerability in Student Record Handler

A vulnerability allowing improper access control has been identified in the imvks786 student management system, in versions up to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46. The issue resides in the Student Record Handler component, specifically within an unknown function of the file add.php. The vulnerability can be exploited remotely, and has been publicly disclosed. The application fails to enforce role-based access controls on server-side endpoints, allowing users with VIEW permissions to add and delete student records.

3.8
Jun 8, 2026

imvks786 Student Management System SQL Injection Vulnerability in Administrator Login Endpoint

A SQL injection vulnerability has been identified in the imvks786 student management system, affecting versions prior to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46. The issue arises in the administrator login endpoint, specifically within the file admin/admin_login.php. The vulnerability allows remote attackers to inject malicious SQL payloads into the username and password fields, bypassing authentication and gaining administrative access.

4.7
Jun 8, 2026

imvks786 Student Management System SQL Injection Vulnerability Allowing Authentication Bypass and Data Manipulation

A SQL injection vulnerability has been identified in the imvks786 student management system, affecting versions prior to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46. The vulnerability resides in the login component, specifically within the 'index.php' file. User input for the 'usr' and 'pwd' fields is directly concatenated into SQL queries without proper validation or escaping, allowing remote attackers to manipulate the queries. This exploitation can bypass authentication and lead to unauthorized data deletion, permission changes, and sensitive data exposure.

4.7
Jun 8, 2026

Apache HTTP Server Memory Allocation Vulnerability in mod_http2 Leading to Denial-of-Service

A vulnerability in Apache HTTP Server's mod_http2 module allows for denial-of-service attacks by exhausting memory resources. This issue arises from improper handling of HTTP/2 requests, where maliciously crafted headers can cause the server to allocate excessive memory, leading to crashes or degraded performance. The vulnerability affects Apache HTTP Server versions from 2.4.17 up to, but not including, 2.4.67.

7.0
Jun 8, 2026

Wojtekmach Req Multipart Header Injection Vulnerability via Unescaped Metadata

A CRLF injection vulnerability has been identified in the Wojtek Mach Req library, specifically in versions from 0.5.3 up to, but not including, 0.6.0. This vulnerability allows for multipart parameter smuggling through attacker-controlled part metadata. The issue arises because the multipart form encoder directly interpolates the 'name', 'filename', and 'content_type' values into the headers without proper escaping or stripping of CRLF sequences. As a result, an attacker can inject additional headers, smuggle extra form fields, or prepend a new part into the outgoing request. This vulnerability is particularly exploitable when the 'value' parameter is a File.Stream, as POSIX filenames can contain CRLF characters. Applications that use Req to send multipart form data and allow user influence over these header values are at risk.

4.2
Jun 8, 2026

wojtekmach Req Decompression Bomb Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the wojtekmach Req HTTP client for Elixir, versions from 0.1.0 up to, but not including, 0.6.1. This vulnerability arises from improper handling of highly compressed data, allowing attacker-controlled HTTP servers to exhaust memory in a Req client. The issue is triggered by decompression-bomb response bodies, which expand significantly in size and can crash the BEAM process.

4.3
Jun 8, 2026

Apache HTTP Server mod_http2 Use-After-Free Vulnerability Exhausting File Handles

A use-after-free vulnerability has been identified in the Apache HTTP Server module mod_http2. This vulnerability occurs when file handles are exhausted, leading to memory corruption. It affects Apache HTTP Server versions from 2.4.55 up to, but not including, 2.4.67.

6.9
Jun 8, 2026

phpMyFAQ Weak Cryptography Vulnerability in Password Hashing

A vulnerability exists in phpMyFAQ versions through 4.1.3, where attachment passwords are hashed using SHA-1, a cryptographically broken algorithm susceptible to collision attacks. This weak hashing provides no real protection, as the hashed passwords are not verified upon retrieval. The vulnerability has been addressed in version 4.1.4.

5.2
Jun 8, 2026

Bludit CMS User Management Vulnerability Allowing Unauthorized Access via Persistent Authentication Tokens

A vulnerability exists in Bludit CMS versions prior to 3.22.0, allowing deactivated user accounts to retain access through persistent authentication tokens. When an administrator disables a user, the application does not invalidate the associated tokenAuth and tokenRemember fields in the JSON database. As a result, users with a pre-existing 'Remember Me' cookie can bypass the deactivation and maintain an authenticated state. This issue has been patched in version 3.22.0.

5.1
Jun 8, 2026

Bludit Content Management System Ghost Session Vulnerability Allowing Unauthorized Access

A broken access control vulnerability has been identified in Bludit CMS versions prior to 3.22.0. This flaw allows active sessions to remain valid even after the associated user account has been deleted from the database. As a result, revoked users can retain unauthorized access to the system. The vulnerability arises because the application does not re-validate the status of a user account for each request, allowing deleted users to continue performing actions as if they were still active.

5.0
Jun 8, 2026

Flowise Mass Assignment Vulnerability in Evaluator Management Allows Cross-Workspace Takeover

A mass assignment vulnerability has been identified in Flowise, a user interface for building customized large language model flows. This issue, present in versions through 3.1.1, allows for cross-workspace evaluator takeover by improperly handling workspace-related data during evaluator creation and updates. The vulnerability arises because the Evaluator controller does not validate which fields can be overwritten with client-controlled data, enabling authenticated users to manipulate evaluator ownership and access across workspaces.

3.8
Jun 8, 2026

Flowise Mass Assignment Vulnerability in Evaluations Endpoint Allows Cross-Workspace Data Takeover

A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2, specifically within the evaluations management feature. This issue allows an authenticated user to manipulate evaluation data across different workspaces, potentially leading to unauthorized access and modification of evaluation records. The vulnerability arises because the evaluation controller does not properly validate which fields can be updated, allowing client-controlled data to overwrite critical workspace-specific information. As a result, evaluations can be transferred between workspaces, disrupting data integrity and privacy.

3.9
Jun 8, 2026

Flowise DatasetRow Mass Assignment Vulnerability Allows Cross-Workspace Row Takeover

A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2, allowing cross-workspace row takeover in the DatasetRow entity. The issue arises because the DatasetRow controller mass-assigns client-controlled data, including workspace IDs, without proper validation. This flaw enables authenticated users to manipulate dataset rows across different workspaces, violating data isolation and potentially exposing sensitive information.

3.8
Jun 8, 2026

Flowise Mass Assignment Vulnerability in Dataset Management Allows Cross-Workspace Data Takeover

A mass assignment vulnerability has been identified in Flowise, a user interface for building customized large language model flows. This issue, present in versions prior to 3.1.2, allows for cross-workspace dataset takeover by exploiting the dataset creation and update processes. The vulnerability arises because the Dataset controller does not properly validate which fields can be overwritten, enabling authenticated users to manipulate dataset ownership and access through the workspaceId field.

3.9
Jun 8, 2026

Flowise Cross-Workspace Template Takeover Vulnerability via Mass Assignment

A vulnerability in Flowise prior to version 3.1.2 allows for cross-workspace template takeover through mass assignment in the CustomTemplate creation and update processes. The issue arises because the application does not properly validate which fields can be overwritten, allowing authenticated users to manipulate workspace-specific data and disrupt workspace isolation. This flaw can be exploited by any user with permission to edit custom templates, potentially leading to unauthorized access and modification rights in another workspace.

3.8
Jun 8, 2026

Flowise Mass Assignment Vulnerability Allows Cross-Workspace Assistant Takeover

A mass assignment vulnerability has been identified in Flowise, a user interface for building customized large language model flows. This issue, present in versions through 3.1.1, allows for cross-workspace assistant takeover by improperly handling workspace IDs during the creation and updating of assistant entities. The vulnerability arises because the application does not validate which fields can be overwritten, enabling authenticated users to manipulate assistant ownership and access across workspaces.

3.7
Jun 8, 2026

Flowise OpenAI Assistants Vector Store Missing Authentication Vulnerability

A vulnerability exists in Flowise versions prior to 3.1.2, where all CRUD endpoints for the OpenAI Assistants Vector Store lack authentication middleware. The route '/api/v1/openai-assistants-vector-store' is not included in WHITELIST_URLS and, although it requires API key authentication, it does not enforce any permission checks. This oversight allows any authenticated user to create, modify, delete vector stores, and upload or exfiltrate files, regardless of their assigned permissions.

2.5
Jun 8, 2026

Flowise Credential Data Leak Vulnerability

A vulnerability in Flowise prior to version 3.1.2 allows authenticated users to access unredacted encrypted credential data, such as API keys and tokens, when using the 'credentialName' filter parameter. This data leak occurs because the 'encryptedData' field is not properly omitted from the response when the filter is applied, despite the code correctly excluding it when no filter is used. The issue has been patched in version 3.1.2.

3.8
Jun 8, 2026

Flowise Authenticated Remote Code Execution Vulnerability via Node Custom Function API

A remote code execution vulnerability has been identified in Flowise, a user interface for building large language model flows. This issue affects versions through 3.1.1. The vulnerability arises because the POST /api/v1/node-custom-function endpoint lacks proper authorization, allowing any authenticated user or API key to send arbitrary JavaScript to the Custom JS Function node. In typical deployments where E2B_APIKEY is not set, Flowise runs this code in a NodeVM sandbox, which can be escaped. This escape route enables access to the host process object, facilitating the execution of system commands through the child_process module. Consequently, this flaw results in authenticated remote code execution on the server hosting Flowise.

3.8
Jun 8, 2026

Flowise Mass Assignment Vulnerability in Assistant Update Endpoint Allows Cross-Workspace Resource Reassignment

A mass assignment vulnerability has been identified in Flowise versions prior to 3.1.2, specifically within the assistant update endpoint. This vulnerability allows authenticated users to modify server-controlled properties, such as workspaceId, createdDate, and updatedDate, when updating an assistant resource. The issue arises from a lack of proper server-side validation and authorization checks, enabling attackers to manipulate the workspaceId field and reassign assistants to arbitrary workspaces. This flaw disrupts tenant isolation in multi-workspace environments.

3.7