National Cybersecurity Institute (Instituto Nacional de Ciberseguridad). INCIBE section
National Cybersecurity Institute (Instituto Nacional de Ciberseguridad). INCIBE-CERT section

Vulnerabilities

With the aim of informing, warning and assisting professionals about the latest security vulnerabilities in technological systems, we make available to users interested in this information a database with Spanish-language information on each of the latest documented and known vulnerabilities.

This repository, with more than 75,000 records, is based on the information of the NVD (National Vulnerability Database), under a collaboration agreement by which INCIBE translates the included information into Spanish. At times this list will show vulnerabilities that have not yet been translated, because they are collected while the INCIBE team is still carrying out the translation process.

The CVE (Common Vulnerabilities and Exposures) vulnerability naming standard is used, in order to facilitate the exchange of information between different databases and tools. Each vulnerability collected links to various sources of information as well as to available patches or solutions provided by vendors and developers. Advanced searches can be performed, with the option of selecting different criteria such as vulnerability type, vendor and impact type, among others, in order to narrow the results.

Through an RSS subscription or newsletters you can stay informed daily of the latest vulnerabilities added to the repository.

CVE-2026-28389

Publication date:
07/04/2026
Language:
English
*** Pending translation *** Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur, resulting in Denial of Service.

When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.

Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
CVSS v3.1 severity: HIGH
Last modified:
10/04/2026

CVE-2026-28390

Publication date:
07/04/2026
Language:
English
*** Pending translation *** Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur, resulting in Denial of Service.

When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of the RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.

Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
CVSS v3.1 severity: HIGH
Last modified:
10/04/2026

CVE-2026-34078

Publication date:
07/04/2026
Language:
English
*** Pending translation *** Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.
CVSS v4.0 severity: CRITICAL
Last modified:
11/04/2026

CVE-2026-28387

Publication date:
07/04/2026
Language:
English
*** Pending translation *** Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side.

Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code.

However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0)/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage.

By far the most common deployment of DANE is in SMTP MTAs, for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage, are also not vulnerable.

The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records.

No FIPS modules are affected by this issue; the problem code is outside the FIPS module boundary.
Severity: Pending analysis
Last modified:
08/04/2026

CVE-2026-28386

Publication date:
07/04/2026
Language:
English
*** Pending translation *** Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks.

Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not written to output.

The vulnerable code path is only reached when processing partial blocks (when a previous call left an incomplete block and the current call provides fewer bytes than needed to complete it). Additionally, the input buffer must be positioned at a page boundary with the following page unmapped. CFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or ChaCha20-Poly1305 instead. For these reasons the issue was assessed as Low severity according to our Security Policy.

Only x86-64 systems with AVX-512 and VAES instruction support are affected. Other architectures and systems without VAES support use different code paths that are not affected.

The OpenSSL FIPS module in version 3.6 is affected by this issue.
CVSS v3.1 severity: CRITICAL
Last modified:
10/04/2026

CVE-2026-28388

Publication date:
07/04/2026
Language:
English
*** Pending translation *** Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed, a NULL pointer dereference might happen if the required CRL Number extension is missing.

Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application.

When CRL processing and delta CRL processing are enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference.

Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it.

The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
CVSS v3.1 severity: HIGH
Last modified:
10/04/2026

CVE-2026-39401

Publication date:
07/04/2026
Language:
English
*** Pending translation *** Cronicle is a multi-server task scheduler and runner, with a web-based front-end UI. Prior to 0.9.111, job child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privilege user who can create and run events can modify any event property, including webhook URLs and notification emails. This vulnerability is fixed in 0.9.111.
CVSS v4.0 severity: MEDIUM
Last modified:
15/04/2026

CVE-2026-39400

Publication date:
07/04/2026
Language:
English
*** Pending translation *** Cronicle is a multi-server task scheduler and runner, with a web-based front-end UI. Prior to 0.9.111, a non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The server stores this data without sanitization, and the client renders it via innerHTML on the Job Details page. This vulnerability is fixed in 0.9.111.
CVSS v4.0 severity: MEDIUM
Last modified:
15/04/2026

CVE-2026-39397

Publication date:
07/04/2026
Language:
English
*** Pending translation *** @delmaredigital/payload-puck is a PayloadCMS plugin for integrating the Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23.
CVSS v3.1 severity: CRITICAL
Last modified:
15/04/2026

CVE-2026-34080

Publication date:
07/04/2026
Language:
English
*** Pending translation *** xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7.
CVSS v4.0 severity: MEDIUM
Last modified:
14/04/2026

CVE-2026-35533

Publication date:
07/04/2026
Language:
English
*** Pending translation *** mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted and then reach dangerous directives such as [env] _.source, templates, hooks, or tasks.
CVSS v3.1 severity: HIGH
Last modified:
15/04/2026

CVE-2026-34045

Publication date:
07/04/2026
Language:
English
*** Pending translation *** Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limits and timeouts, an attacker can exhaust file descriptors and kernel memory, leading to an application crash or a full host freeze. Additionally, verbose error responses disclose internal paths and system details (including usernames on Windows), aiding further exploitation. The issue requires no authentication or user interaction and is exploitable over the network. This vulnerability is fixed in 1.26.2.
CVSS v3.1 severity: HIGH
Last modified:
15/04/2026