CVE Numbering Authority of Last Resort (CNA-LR)

Each entry lists the CVE identifier, the description, the severity, the CVSS 3.1 score and the publish date.

CVE-2025-2312
Severity: Moderate. CVSS 3.1 score: 5.9. Published: 2025-03-25.
A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an upcall to the wrong namespace in containerized environments. This issue may lead to disclosure of sensitive data from the host's Kerberos credentials cache.

CVE-2025-31162
Severity: Moderate. CVSS 3.1 score: 6.6. Published: 2025-03-28.
A flaw was found in fig2dev. The package is affected by a floating point exception (FPE) when executing the function get_slope. This may result in local code execution.

CVE-2025-31163
Severity: Moderate. CVSS 3.1 score: 6.6. Published: 2025-03-28.
A flaw was found in fig2dev. The package is affected by a segmentation fault (SEGV) when executing the function put_patternarc. This may result in local code execution.

CVE-2025-31164
Severity: Moderate. CVSS 3.1 score: 6.6. Published: 2025-03-28.
A flaw was found in fig2dev. The package is affected by a heap-based buffer overflow when executing the function create_line_with_spline. This may result in local code execution.

CVE-2025-46397
Severity: Important. CVSS 3.1 score: 7.1. Published: 2025-04-23.
A flaw was found in fig2dev. The package is affected by a stack-based overflow when executing the function bezier_spline. This may result in local code execution.

CVE-2025-46398
Severity: Important. CVSS 3.1 score: 7.1. Published: 2025-04-23.
A flaw was found in fig2dev. The package is affected by a stack-based overflow when executing the function read_objects. This may result in local code execution.

CVE-2025-46399
Severity: Important. CVSS 3.1 score: 7.1. Published: 2025-04-23.
A flaw was found in fig2dev. The package is affected by a segmentation fault (SEGV) when executing the function genge_itp_spline. This may result in local code execution.

CVE-2025-46400
Severity: Important. CVSS 3.1 score: 7.1. Published: 2025-04-23.
A flaw was found in fig2dev. The package is affected by a segmentation fault (SEGV) when executing the function read_arcobject. This may result in local code execution.

CVE-2026-1616
Severity: Important. CVSS 3.1 score: 7.5. Published: 2026-01-29.
A flaw was found in OSIM. The $uri$args concatenation in the nginx configuration file shipped with Open Security Issue Management (OSIM) prior to v2025.9.0 allows path traversal attacks via query parameters.

CVE-2026-40470
Severity: Critical. CVSS 3.1 score: 9.9. Published: 2026-04-23.
A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org. As a consequence, when a user with latent HTTP credentials browses to the package pages or documentation uploaded by a malicious package maintainer, their session can be hijacked to upload packages or documentation, amend maintainers or other package metadata, or perform any other action the user is authorized to do.

CVE-2026-40471
Severity: Critical. CVSS 3.1 score: 9.6. Published: 2026-04-23.
hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage-server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused, for example creating new user accounts.

CVE-2026-40472
Severity: Critical. CVSS 3.1 score: 9.9. Published: 2026-04-23.
In hackage-server, user-controlled metadata from .cabal files is rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks.
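The CVE-2026-1616 entry names a misconfiguration pattern that is easier to recognise in context. The fragment below is an added example written for this page; it is not OSIM's actual nginx configuration, which is not reproduced here, and the upstream name, listen address and location paths are assumptions. It places the weak $uri$args form beside two corrected forms and walks through what the upstream receives for one request.

```nginx
# Added example, not OSIM's configuration. Upstream name and paths are assumptions.
upstream app_backend {
    server 127.0.0.1:8000;
}

server {
    listen 80;
    server_name example.invalid;

    # WEAK: $uri is the normalized request path (dot segments already resolved
    # by nginx) and $args is the raw query string. Concatenating them drops the
    # "?" separator, so query text is glued onto the path sent upstream:
    #   GET /api/items?/../../admin/users
    #   $uri  = /api/items
    #   $args = /../../admin/users
    #   upstream receives: /api/items/../../admin/users
    # An upstream that resolves dot segments serves /admin/users, so any access
    # control that relied on this location matching only /api/ is bypassed.
    location /api/ {
        proxy_pass http://app_backend$uri$args;
    }

    # FIXED: $is_args is "?" when a query string is present and empty otherwise,
    # so the same request reaches the upstream as /api/items?/../../admin/users
    # and the traversal text stays in the query string where it was sent.
    location /v2/api/ {
        proxy_pass http://app_backend$uri$is_args$args;
    }

    # FIXED (simplest): when no URI rewriting is needed, omit the URI part and
    # nginx forwards the original request URI unchanged.
    location /v3/api/ {
        proxy_pass http://app_backend;
    }
}
```

A quick audit for the pattern across a deployment is `grep -rn '\$uri\$args\|\$document_uri\$args' /etc/nginx`, followed by `nginx -t` after any change; the same concatenation is equally unsafe in `return`, `rewrite` and `alias`/`root` contexts, not only in `proxy_pass`.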