Multiple vulnerabilities in Apt-Cacher-NG
Posted date 29/09/2025
Identifier
INCIBE-2025-0524
Importance
3 - Medium
Affected Resources
Apt-Cacher-NG, version 3.2.1.
Description
INCIBE has coordinated the publication of two vulnerabilities, both of medium severity, affecting Apt-Cacher-NG, a caching proxy for software packages downloaded via Unix/Linux distribution mechanisms from mirror servers accessible via HTTP. The vulnerabilities were discovered by Pablo Lago Romaní.
The vulnerabilities have been assigned the following identifiers, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-11146 and CVE-2025-11147: CVSS v4.0: 5.1 | CVSS: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution
The vulnerabilities have been fixed by the Apt-Cacher-NG team in the latest available version.
Detail
- CVE-2025-11146: reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows an attacker to execute malicious scripts (XSS) in the web management application. It is caused by improper handling of GET inputs included in the URL in “/acng-report.html”.
- CVE-2025-11147: reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows malicious scripts (XSS) to be executed in “/html/<filename>.html”.
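A log check for requests to the two affected pages whose URL carries HTML markup characters, as an added example that is not part of the advisory or of Apt-Cacher-NG. It assumes a reverse proxy in front of the service writing combined-format access logs; the sample lines are constructed and the parameter name `p` is hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Paths named in the advisory: /acng-report.html and /html/<filename>.html
AFFECTED = re.compile(r"^/(?:acng-report\.html|html/[^/?#]+\.html)(?:[?#]|$)", re.I)
# Characters that should not appear unencoded in a URL reflected into HTML.
MARKUP = re.compile(r"[<>\"'`]")
# Request line of a combined-format access log entry (assumed proxy log format).
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_lines):
    """Return (line_number, decoded_target) for requests to the affected
    pages whose URL contains HTML markup characters after decoding."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = match.group(1)
        if not AFFECTED.match(target):
            continue
        decoded = fully_decode(target)
        if MARKUP.search(decoded):
            hits.append((number, decoded))
    return hits


# Constructed sample lines (not real traffic); parameter name "p" is hypothetical.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Sep/2025:10:00:01 +0000] "GET /acng-report.html HTTP/1.1" 200 5120',
    '192.0.2.11 - - [29/Sep/2025:10:00:07 +0000] "GET /acng-report.html?p=%3Cscript%3E HTTP/1.1" 200 5200',
    '192.0.2.12 - - [29/Sep/2025:10:00:09 +0000] "GET /html/index.html?p=%253Cb%253E HTTP/1.1" 200 900',
    '192.0.2.13 - - [29/Sep/2025:10:00:12 +0000] "GET /debian/pool/main/a/apt/apt_2.6.1_amd64.deb?x=%3C HTTP/1.1" 200 1400000',
]

if __name__ == "__main__":
    for number, target in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A hit only shows that markup was sent to an affected page; whether it was reflected depends on the installed version.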
CVE
Exploitation
No