Common Weakness Enumeration

CWE-115

Allowed

Misinterpretation of Input

Abstraction: Base · Status: Incomplete

The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.

48 vulnerabilities reference this CWE, most recent first.

CVE-2026-12491 (GCVE-0-2026-12491)

Vulnerability from cvelistv5 – Published: 2026-06-17 10:07 – Updated: 2026-07-07 07:44
VLAI
Title
Vllm: vllm: image exif rotation & png trns transparency not normalized, causing mismatch between model input and expectations
Summary
A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-115 - Misinterpretation of Input
Assigner
References
URL Tags
https://access.redhat.com/security/cve/CVE-2026-12491 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2489786 issue-trackingx_refsource_REDHAT
Impacted products
Date Public
2026-06-10 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12491",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-17T14:47:47.319727Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-17T14:47:57.047Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/vllm-project/vllm",
          "defaultStatus": "unaffected",
          "packageName": "vllm",
          "product": "vLLM",
          "vendor": "vllm-project",
          "versions": [
            {
              "lessThan": "0.24.0",
              "status": "affected",
              "version": "0.11.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ai_inference_server:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhaiis/vllm-cpu-rhel9",
          "product": "Red Hat AI Inference Server",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ai_inference_server:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhaiis/vllm-cuda-rhel9",
          "product": "Red Hat AI Inference Server",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ai_inference_server:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhaiis/vllm-neuron-rhel9",
          "product": "Red Hat AI Inference Server",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ai_inference_server:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhaiis/vllm-rocm-rhel9",
          "product": "Red Hat AI Inference Server",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ai_inference_server:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhaiis/vllm-spyre-rhel9",
          "product": "Red Hat AI Inference Server",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ai_inference_server:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhaiis/vllm-tpu-rhel9",
          "product": "Red Hat AI Inference Server",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ai_inference_server:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhaii/vllm-cpu-rhel9",
          "product": "Red Hat AI Inference Server",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ai_inference_server:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhaii/vllm-cuda-rhel9",
          "product": "Red Hat AI Inference Server",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ai_inference_server:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhaii/vllm-gaudi-rhel9",
          "product": "Red Hat AI Inference Server",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ai_inference_server:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhaii/vllm-neuron-rhel9",
          "product": "Red Hat AI Inference Server",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ai_inference_server:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhaii/vllm-rocm-rhel9",
          "product": "Red Hat AI Inference Server",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ai_inference_server:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhaii/vllm-spyre-rhel9",
          "product": "Red Hat AI Inference Server",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ai_inference_server:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhaii/vllm-tpu-rhel9",
          "product": "Red Hat AI Inference Server",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux_ai:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhelai3/bootc-aws-cuda-rhel9",
          "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux_ai:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhelai3/bootc-azure-cuda-rhel9",
          "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux_ai:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhelai3/bootc-azure-rocm-rhel9",
          "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux_ai:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhelai3/bootc-cuda-rhel9",
          "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux_ai:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhelai3/bootc-gaudi-rhel9",
          "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux_ai:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhelai3/bootc-gcp-cuda-rhel9",
          "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux_ai:3"
          ],
          "defaultStatus": "affected",
          "packageName": "rhelai3/bootc-rocm-rhel9",
          "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_ai"
          ],
          "defaultStatus": "affected",
          "packageName": "rhoai/odh-kserve-agent-rhel9",
          "product": "Red Hat OpenShift AI (RHOAI)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_ai"
          ],
          "defaultStatus": "affected",
          "packageName": "rhoai/odh-kserve-controller-rhel9",
          "product": "Red Hat OpenShift AI (RHOAI)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_ai"
          ],
          "defaultStatus": "affected",
          "packageName": "rhoai/odh-kserve-router-rhel9",
          "product": "Red Hat OpenShift AI (RHOAI)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_ai"
          ],
          "defaultStatus": "affected",
          "packageName": "rhoai/odh-kserve-storage-initializer-rhel9",
          "product": "Red Hat OpenShift AI (RHOAI)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_ai"
          ],
          "defaultStatus": "affected",
          "packageName": "rhoai/odh-llm-d-kv-cache-rhel9",
          "product": "Red Hat OpenShift AI (RHOAI)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_ai"
          ],
          "defaultStatus": "affected",
          "packageName": "rhoai/odh-vllm-cuda-rhel9",
          "product": "Red Hat OpenShift AI (RHOAI)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_ai"
          ],
          "defaultStatus": "affected",
          "packageName": "rhoai/odh-vllm-gaudi-rhel9",
          "product": "Red Hat OpenShift AI (RHOAI)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_ai"
          ],
          "defaultStatus": "affected",
          "packageName": "rhoai/odh-vllm-rocm-rhel9",
          "product": "Red Hat OpenShift AI (RHOAI)",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2026-06-10T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-115",
              "description": "Misinterpretation of Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-07T07:44:29.614Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-12491"
        },
        {
          "name": "RHBZ#2489786",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489786"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-17T07:56:27.368Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-06-10T00:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Vllm: vllm: image exif rotation \u0026 png trns transparency not normalized, causing mismatch between model input and expectations",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-115: Misinterpretation of Input"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-12491",
    "datePublished": "2026-06-17T10:07:28.756Z",
    "dateReserved": "2026-06-17T07:24:01.437Z",
    "dateUpdated": "2026-07-07T07:44:29.614Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68113 (GCVE-0-2025-68113)

Vulnerability from cvelistv5 – Published: 2025-12-16 00:53 – Updated: 2025-12-16 21:14
VLAI
Title
ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay
Summary
ALTCHA is privacy-first software for captcha and bot protection. A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC signature does not unambiguously bind challenge parameters to the nonce, allowing an attacker to reinterpret a valid proof-of-work submission with a modified expiration value. This may allow previously solved challenges to be reused beyond their intended lifetime, depending on server-side replay handling and deployment assumptions. The vulnerability primarily impacts abuse-prevention mechanisms such as rate limiting and bot mitigation. It does not directly affect data confidentiality or integrity. This issue has been addressed by enforcing explicit semantic separation between challenge parameters and the nonce during HMAC computation. Users are advised to upgrade to patched versions, which include version 1.0.0 of the altcha Golang package, version 1.0.0 of the altcha Rubygem, version 1.0.0 of the altcha pip package, version 1.0.0 of the altcha Erlang package, version 1.4.1 of the altcha-lib npm package, version 1.3.1 of the altcha-org/altcha Composer package, and version 1.3.0 of the org.altcha:altcha Maven package. As a mitigation, implementations may append a delimiter to the end of the `salt` value prior to HMAC computation (for example, `<salt>?expires=<time>&`). This prevents ambiguity between parameters and the nonce and is backward-compatible with existing implementations, as the delimiter is treated as a standard URL parameter separator.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-115 - Misinterpretation of Input
  • CWE-347 - Improper Verification of Cryptographic Signature
Assigner
Impacted products
Vendor Product Version
altcha-org altcha-lib Affected: < 1.4.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-68113",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-16T21:13:57.662095Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-16T21:14:09.436Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "altcha-lib",
          "vendor": "altcha-org",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ALTCHA is privacy-first software for captcha and bot protection. A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC signature does not unambiguously bind challenge parameters to the nonce, allowing an attacker to reinterpret a valid proof-of-work submission with a modified expiration value. This may allow previously solved challenges to be reused beyond their intended lifetime, depending on server-side replay handling and deployment assumptions. The vulnerability primarily impacts abuse-prevention mechanisms such as rate limiting and bot mitigation. It does not directly affect data confidentiality or integrity. This issue has been addressed by enforcing explicit semantic separation between challenge parameters and the nonce during HMAC computation. Users are advised to upgrade to patched versions, which include version 1.0.0 of the altcha Golang package, version 1.0.0 of the altcha Rubygem, version 1.0.0 of the altcha pip package, version 1.0.0 of the altcha Erlang package, version 1.4.1 of the altcha-lib npm package, version 1.3.1 of the altcha-org/altcha Composer package, and version 1.3.0 of the org.altcha:altcha Maven package. As a mitigation, implementations may append a delimiter to the end of the `salt` value prior to HMAC computation (for example, `\u003csalt\u003e?expires=\u003ctime\u003e\u0026`). This prevents ambiguity between parameters and the nonce and is backward-compatible with existing implementations, as the delimiter is treated as a standard URL parameter separator."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-115",
              "description": "CWE-115: Misinterpretation of Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T00:53:59.401Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/altcha-org/altcha-lib/security/advisories/GHSA-6gvq-jcmp-8959",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/altcha-org/altcha-lib/security/advisories/GHSA-6gvq-jcmp-8959"
        },
        {
          "name": "https://github.com/altcha-org/altcha-lib-ex/commit/09b2bad466ad0338a5b24245380950ea9918333e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/altcha-org/altcha-lib-ex/commit/09b2bad466ad0338a5b24245380950ea9918333e"
        },
        {
          "name": "https://github.com/altcha-org/altcha-lib-go/commit/4a5610745ef79895a67bac858b2e4f291c2614b8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/altcha-org/altcha-lib-go/commit/4a5610745ef79895a67bac858b2e4f291c2614b8"
        },
        {
          "name": "https://github.com/altcha-org/altcha-lib-java/commit/69277651fdd6418ae10bf3a088901506f9c62114",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/altcha-org/altcha-lib-java/commit/69277651fdd6418ae10bf3a088901506f9c62114"
        },
        {
          "name": "https://github.com/altcha-org/altcha-lib-php/commit/9e9e70c864a9db960d071c77c778be0c9ff1a4d0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/altcha-org/altcha-lib-php/commit/9e9e70c864a9db960d071c77c778be0c9ff1a4d0"
        },
        {
          "name": "https://github.com/altcha-org/altcha-lib-rb/commit/4fd7b64cbbfc713f3ca4e066c2dd466e3b8d359b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/altcha-org/altcha-lib-rb/commit/4fd7b64cbbfc713f3ca4e066c2dd466e3b8d359b"
        },
        {
          "name": "https://github.com/altcha-org/altcha-lib/commit/cb95d83a8d08e273b6be15e48988e7eaf60d5c08",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/altcha-org/altcha-lib/commit/cb95d83a8d08e273b6be15e48988e7eaf60d5c08"
        },
        {
          "name": "https://github.com/altcha-org/altcha-lib-java/releases/tag/v1.3.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/altcha-org/altcha-lib-java/releases/tag/v1.3.0"
        },
        {
          "name": "https://github.com/altcha-org/altcha-lib-php/releases/tag/v1.3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/altcha-org/altcha-lib-php/releases/tag/v1.3.1"
        },
        {
          "name": "https://github.com/altcha-org/altcha-lib/releases/tag/1.4.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/altcha-org/altcha-lib/releases/tag/1.4.1"
        }
      ],
      "source": {
        "advisory": "GHSA-6gvq-jcmp-8959",
        "discovery": "UNKNOWN"
      },
      "title": "ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-68113",
    "datePublished": "2025-12-16T00:53:59.401Z",
    "dateReserved": "2025-12-15T14:44:59.221Z",
    "dateUpdated": "2025-12-16T21:14:09.436Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-55303 (GCVE-0-2025-55303)

Vulnerability from cvelistv5 – Published: 2025-08-19 18:08 – Updated: 2025-08-19 20:50
VLAI
Title
Unauthorized third-party images in Astro’s _image endpoint
Summary
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-115 - Misinterpretation of Input
Assigner
References
Impacted products
Vendor Product Version
withastro astro Affected: >= 5.0.0-alpha.0, < 5.13.2
Affected: < 4.16.18
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55303",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-19T20:49:42.803973Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-19T20:50:34.071Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "astro",
          "vendor": "withastro",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0-alpha.0, \u003c 5.13.2"
            },
            {
              "status": "affected",
              "version": "\u003c 4.16.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-115",
              "description": "CWE-115: Misinterpretation of Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-19T18:08:00.244Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749"
        },
        {
          "name": "https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820"
        }
      ],
      "source": {
        "advisory": "GHSA-xf8x-j4p2-f749",
        "discovery": "UNKNOWN"
      },
      "title": "Unauthorized third-party images in Astro\u2019s _image endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-55303",
    "datePublished": "2025-08-19T18:08:00.244Z",
    "dateReserved": "2025-08-12T16:15:30.238Z",
    "dateUpdated": "2025-08-19T20:50:34.071Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-54584 (GCVE-0-2025-54584)

Vulnerability from cvelistv5 – Published: 2025-07-30 20:01 – Updated: 2025-07-30 20:19
VLAI
Title
GitProxy is vulnerable to a packfile parsing exploit
Summary
GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-115 - Misinterpretation of Input
Assigner
Impacted products
Vendor Product Version
finos git-proxy Affected: < 1.19.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54584",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-30T20:18:53.257366Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T20:19:21.613Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "git-proxy",
          "vendor": "finos",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.19.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-115",
              "description": "CWE-115: Misinterpretation of Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-30T20:01:16.338Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv"
        },
        {
          "name": "https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f"
        },
        {
          "name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"
        },
        {
          "name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"
        }
      ],
      "source": {
        "advisory": "GHSA-xxmh-rf63-qwjv",
        "discovery": "UNKNOWN"
      },
      "title": "GitProxy is vulnerable to a packfile parsing exploit"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54584",
    "datePublished": "2025-07-30T20:01:16.338Z",
    "dateReserved": "2025-07-25T16:19:16.093Z",
    "dateUpdated": "2025-07-30T20:19:21.613Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32908 (GCVE-0-2025-32908)

Vulnerability from cvelistv5 – Published: 2025-04-14 14:00 – Updated: 2026-06-29 20:39
VLAI
Title
Libsoup: denial of service on libsoup through http/2 server
Summary
A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of pseudo-headers :scheme, :authority, and :path, which may allow a user to cause a denial of service (DoS).
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-115 - Misinterpretation of Input
Assigner
Impacted products
Vendor Product Version
Affected: 0 , < 3.6.5 (semver)
Red Hat Red Hat Enterprise Linux 10 Unaffected: 0:3.6.5-3.el10_0 , < * (rpm)
    cpe:/o:redhat:enterprise_linux:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
Create a notification for this product.
Date Public
2025-04-14 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32908",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-14T14:12:19.790872Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-14T18:06:53.056Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://gitlab.gnome.org/GNOME/libsoup/",
          "defaultStatus": "unaffected",
          "packageName": "libsoup",
          "versions": [
            {
              "lessThan": "3.6.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10.0"
          ],
          "defaultStatus": "affected",
          "packageName": "libsoup3",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.6.5-3.el10_0",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "libsoup",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2025-04-14T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of pseudo-headers :scheme, :authority, and :path, which may allow a user to cause a denial of service (DoS)."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-115",
              "description": "Misinterpretation of Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-29T20:39:30.041Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2025:7505",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:7505"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-32908"
        },
        {
          "name": "RHBZ#2359343",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359343"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/429"
        },
        {
          "url": "https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/451"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-14T01:27:09.097Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-04-14T00:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Libsoup: denial of service on libsoup through http/2 server",
      "workarounds": [
        {
          "lang": "en",
          "value": "Currently, no mitigation was found for this vulnerability."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-115: Misinterpretation of Input"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-32908",
    "datePublished": "2025-04-14T14:00:30.423Z",
    "dateReserved": "2025-04-14T01:37:48.152Z",
    "dateUpdated": "2026-06-29T20:39:30.041Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-25069 (GCVE-0-2025-25069)

Vulnerability from cvelistv5 – Published: 2025-02-07 12:46 – Updated: 2025-02-13 21:21
VLAI
Title
Apache Kvrocks: Cross-Protocol Scripting Vulnerability
Summary
A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when it is chained with SSRF. It is similiar to CVE-2016-10517 in Redis. This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0. Users are recommended to upgrade to version 2.11.1, which fixes the issue.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-115 - Misinterpretation of Input
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache Kvrocks Affected: 0 , ≤ 2.11.0 (semver)
Create a notification for this product.
Credits
Sergey Volosatov
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-25069",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-13T21:21:35.668189Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-13T21:21:42.342Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Kvrocks",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.11.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Sergey Volosatov"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA Cross-Protocol Scripting vulnerability is found in Apache Kvrocks.\u003c/p\u003eSince Kvrocks didn\u0027t detect if \"Host:\" or \"POST\" appears in RESP requests,\u003cbr\u003ea valid HTTP request can also be sent to Kvrocks as a valid RESP request \u003cbr\u003eand trigger some database operations, which can be\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;dangerous when \u003cbr\u003eit is chained with SSRF.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003eIt is similiar to\u0026nbsp;CVE-2016-10517 in Redis.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.11.1, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks.\n\nSince Kvrocks didn\u0027t detect if \"Host:\" or \"POST\" appears in RESP requests,\na valid HTTP request can also be sent to Kvrocks as a valid RESP request \nand trigger some database operations, which can be\u00a0dangerous when \nit is chained with SSRF.\n\nIt is similiar to\u00a0CVE-2016-10517 in Redis.\n\nThis issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0.\n\nUsers are recommended to upgrade to version 2.11.1, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "Moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-115",
              "description": "CWE-115 Misinterpretation of Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-07T12:46:11.350Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "related"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-10517"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/gbxv9gpsskmdzg6z48zm3tvo8cyo9v3t"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Kvrocks: Cross-Protocol Scripting Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-25069",
    "datePublished": "2025-02-07T12:46:11.350Z",
    "dateReserved": "2025-02-03T13:33:31.674Z",
    "dateUpdated": "2025-02-13T21:21:42.342Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-5826 (GCVE-0-2025-5826)

Vulnerability from cvelistv5 – Published: 2025-06-25 18:00 – Updated: 2025-06-26 13:18
VLAI
Title
Autel MaxiCharger AC Wallbox Commercial ble_process_esp32_msg Misinterpretation of Input Vulnerability
Summary
Autel MaxiCharger AC Wallbox Commercial ble_process_esp32_msg Misinterpretation of Input Vulnerability. This vulnerability allows network-adjacent attackers to inject arbitrary AT commands on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ble_process_esp32_msg function. The issue results from misinterpretation of input data. An attacker can leverage this vulnerability to execute AT commands in the context of the device. Was ZDI-CAN-26368.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-115 - Misinterpretation of Input
Assigner
zdi
References
Impacted products
Date Public
2025-06-11 17:27
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5826",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-26T13:18:29.924076Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-26T13:18:35.182Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Autel MaxiCharger AC Wallbox Commercial",
          "vendor": "Autel",
          "versions": [
            {
              "status": "affected",
              "version": "1.36.00"
            }
          ]
        }
      ],
      "dateAssigned": "2025-06-06T19:16:55.452Z",
      "datePublic": "2025-06-11T17:27:21.049Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Autel MaxiCharger AC Wallbox Commercial ble_process_esp32_msg Misinterpretation of Input Vulnerability. This vulnerability allows network-adjacent attackers to inject arbitrary AT commands on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the ble_process_esp32_msg function. The issue results from misinterpretation of input data. An attacker can leverage this vulnerability to execute AT commands in the context of the device. Was ZDI-CAN-26368."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-115",
              "description": "CWE-115: Misinterpretation of Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-25T18:00:38.520Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-25-345",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-345/"
        }
      ],
      "source": {
        "lang": "en",
        "value": "Quarkslab"
      },
      "title": "Autel MaxiCharger AC Wallbox Commercial ble_process_esp32_msg Misinterpretation of Input Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2025-5826",
    "datePublished": "2025-06-25T18:00:38.520Z",
    "dateReserved": "2025-06-06T19:16:55.415Z",
    "dateUpdated": "2025-06-26T13:18:35.182Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-5747 (GCVE-0-2025-5747)

Vulnerability from cvelistv5 – Published: 2025-06-06 15:30 – Updated: 2025-06-06 15:53
VLAI
Title
WOLFBOX Level 2 EV Charger MCU Command Parsing Misinterpretation of Input Remote Code Execution Vulnerability
Summary
WOLFBOX Level 2 EV Charger MCU Command Parsing Misinterpretation of Input Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installatons of WOLFBOX Level 2 EV Charger devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of command frames received by the MCU. When parsing frames, the process does not properly detect the start of a frame, which can lead to misinterpretation of input. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the device. Was ZDI-CAN-26501.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-115 - Misinterpretation of Input
Assigner
zdi
References
Impacted products
Vendor Product Version
WOLFBOX Level 2 EV Charger Affected: 3.1.17 (main), 1.2.6 (MCU)
Create a notification for this product.
Date Public
2025-06-06 15:28
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5747",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-06T15:53:08.383122Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-06T15:53:13.993Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Level 2 EV Charger",
          "vendor": "WOLFBOX",
          "versions": [
            {
              "status": "affected",
              "version": "3.1.17 (main), 1.2.6 (MCU)"
            }
          ]
        }
      ],
      "dateAssigned": "2025-06-05T20:45:21.172Z",
      "datePublic": "2025-06-06T15:28:28.531Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "WOLFBOX Level 2 EV Charger MCU Command Parsing Misinterpretation of Input Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installatons of WOLFBOX Level 2 EV Charger devices. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of command frames received by the MCU. When parsing frames, the process does not properly detect the start of a frame, which can lead to misinterpretation of input. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the device. Was ZDI-CAN-26501."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-115",
              "description": "CWE-115: Misinterpretation of Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-06T15:30:59.842Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-25-326",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-326/"
        }
      ],
      "source": {
        "lang": "en",
        "value": "PHP Hooligans"
      },
      "title": "WOLFBOX Level 2 EV Charger MCU Command Parsing Misinterpretation of Input Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2025-5747",
    "datePublished": "2025-06-06T15:30:59.842Z",
    "dateReserved": "2025-06-05T20:45:21.121Z",
    "dateUpdated": "2025-06-06T15:53:13.993Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-11169 (GCVE-0-2024-11169)

Vulnerability from cvelistv5 – Published: 2025-03-20 10:09 – Updated: 2025-03-20 18:32
VLAI
Title
Unhandled Exception Leading to Server Crash in danny-avila/librechat
Summary
An unhandled exception in danny-avila/librechat version 3c94ff2 can lead to a server crash. The issue occurs when the fs module throws an exception while handling file uploads. An unauthenticated user can trigger this exception by sending a specially crafted request, causing the server to crash. The vulnerability is fixed in version 0.7.6.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-115 - Misinterpretation of Input
Assigner
Impacted products
Vendor Product Version
danny-avila danny-avila/librechat Affected: unspecified , < 0.7.6 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-11169",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-20T17:52:30.415341Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-20T18:32:06.181Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "danny-avila/librechat",
          "vendor": "danny-avila",
          "versions": [
            {
              "lessThan": "0.7.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An unhandled exception in danny-avila/librechat version 3c94ff2 can lead to a server crash. The issue occurs when the fs module throws an exception while handling file uploads. An unauthenticated user can trigger this exception by sending a specially crafted request, causing the server to crash. The vulnerability is fixed in version 0.7.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-115",
              "description": "CWE-115 Misinterpretation of Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-20T10:09:59.233Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/754e1649-5612-4ba9-a533-06b46de5c4b5"
        },
        {
          "url": "https://github.com/danny-avila/librechat/commit/629be5c0ca2b332178524b4e3f6fac715aea8cc4"
        }
      ],
      "source": {
        "advisory": "754e1649-5612-4ba9-a533-06b46de5c4b5",
        "discovery": "EXTERNAL"
      },
      "title": "Unhandled Exception Leading to Server Crash in danny-avila/librechat"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-11169",
    "datePublished": "2025-03-20T10:09:59.233Z",
    "dateReserved": "2024-11-12T21:32:01.018Z",
    "dateUpdated": "2025-03-20T18:32:06.181Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-32260 (GCVE-0-2023-32260)

Vulnerability from cvelistv5 – Published: 2024-03-19 15:54 – Updated: 2024-08-02 15:10
VLAI
Title
A potential Misinterpretation of Input vulnerability has been identified in SMAX, AMX, and HCMX products.
Summary
Misinterpretation of Input vulnerability in OpenText™ Service Management Automation X (SMAX), OpenText™ Asset Management X (AMX), and OpenText™ Hybrid Cloud Management X (HCMX) products. The vulnerability could allow Input data manipulation.This issue affects Service Management Automation X (SMAX) versions: 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11, 2023.05; Asset Management X (AMX) versions: 2021.08, 2021.11, 2022.05, 2022.11, 2023.05; and Hybrid Cloud Management X (HCMX) versions: 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11, 2023.05.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-115 - Misinterpretation of Input
Assigner
Impacted products
Vendor Product Version
OpenText™ Service Management Automation X (SMAX) Affected: 2020.05
Affected: 2020.08
Affected: 2020.11
Affected: 2021.02
Affected: 2021.05
Affected: 2021.08
Affected: 2021.11
Affected: 2022.05
Affected: 2022.11
Affected: 2023.05
Create a notification for this product.
OpenText™ Asset Management X (AMX) Affected: 2021.08
Affected: 2021.11
Affected: 2022.05
Affected: 2022.11
Affected: 2023.05
Create a notification for this product.
OpenText™ Hybrid Cloud Management X (HCMX) Affected: 2020.05
Affected: 2020.08
Affected: 2020.11
Affected: 2021.02
Affected: 2021.05
Affected: 2021.08
Affected: 2021.11
Affected: 2022.05
Affected: 2022.11
Affected: 2023.05
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-32260",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-19T17:25:55.218838Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:26:13.050Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:10:24.228Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://portal.microfocus.com/s/article/KM000018804?language=en_US"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Service Management Automation X (SMAX)",
          "vendor": "OpenText\u2122",
          "versions": [
            {
              "status": "affected",
              "version": "2020.05"
            },
            {
              "status": "affected",
              "version": "2020.08"
            },
            {
              "status": "affected",
              "version": "2020.11"
            },
            {
              "status": "affected",
              "version": "2021.02"
            },
            {
              "status": "affected",
              "version": "2021.05"
            },
            {
              "status": "affected",
              "version": "2021.08"
            },
            {
              "status": "affected",
              "version": "2021.11"
            },
            {
              "status": "affected",
              "version": "2022.05"
            },
            {
              "status": "affected",
              "version": "2022.11"
            },
            {
              "status": "affected",
              "version": "2023.05"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Asset Management X (AMX)",
          "vendor": "OpenText\u2122",
          "versions": [
            {
              "status": "affected",
              "version": "2021.08"
            },
            {
              "status": "affected",
              "version": "2021.11"
            },
            {
              "status": "affected",
              "version": "2022.05"
            },
            {
              "status": "affected",
              "version": "2022.11"
            },
            {
              "status": "affected",
              "version": "2023.05"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Hybrid Cloud Management X (HCMX)",
          "vendor": "OpenText\u2122",
          "versions": [
            {
              "status": "affected",
              "version": "2020.05"
            },
            {
              "status": "affected",
              "version": "2020.08"
            },
            {
              "status": "affected",
              "version": "2020.11"
            },
            {
              "status": "affected",
              "version": "2021.02"
            },
            {
              "status": "affected",
              "version": "2021.05"
            },
            {
              "status": "affected",
              "version": "2021.08"
            },
            {
              "status": "affected",
              "version": "2021.11"
            },
            {
              "status": "affected",
              "version": "2022.05"
            },
            {
              "status": "affected",
              "version": "2022.11"
            },
            {
              "status": "affected",
              "version": "2023.05"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Misinterpretation of Input vulnerability in OpenText\u2122 Service Management Automation X (SMAX), OpenText\u2122 Asset Management X (AMX), and OpenText\u2122 Hybrid Cloud Management X (HCMX) products. The vulnerability could allow Input data manipulation.\u003cp\u003eThis issue affects Service Management Automation X (SMAX) versions: 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11, 2023.05; Asset Management X (AMX) versions: 2021.08, 2021.11, 2022.05, 2022.11, 2023.05; and Hybrid Cloud Management X (HCMX) versions: 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11, 2023.05.\u003c/p\u003e"
            }
          ],
          "value": "Misinterpretation of Input vulnerability in OpenText\u2122 Service Management Automation X (SMAX), OpenText\u2122 Asset Management X (AMX), and OpenText\u2122 Hybrid Cloud Management X (HCMX) products. The vulnerability could allow Input data manipulation.This issue affects Service Management Automation X (SMAX) versions: 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11, 2023.05; Asset Management X (AMX) versions: 2021.08, 2021.11, 2022.05, 2022.11, 2023.05; and Hybrid Cloud Management X (HCMX) versions: 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11, 2023.05.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-153",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-153 Input Data Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-115",
              "description": "CWE-115 Misinterpretation of Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-19T15:54:23.508Z",
        "orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
        "shortName": "OpenText"
      },
      "references": [
        {
          "url": "https://portal.microfocus.com/s/article/KM000018804?language=en_US"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://portal.microfocus.com/s/article/KM000018804?language=en_US\"\u003ehttps://portal.microfocus.com/s/article/KM000018804?language=en_US\u003c/a\u003e\u003cbr\u003e"
            }
          ],
          "value": " https://portal.microfocus.com/s/article/KM000018804?language=en_US \n"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "A potential Misinterpretation of Input vulnerability has been identified in SMAX, AMX, and HCMX products.",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
    "assignerShortName": "OpenText",
    "cveId": "CVE-2023-32260",
    "datePublished": "2024-03-19T15:54:23.508Z",
    "dateReserved": "2023-05-05T14:42:20.152Z",
    "dateUpdated": "2024-08-02T15:10:24.228Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.