CWE-754
Improper Check for Unusual or Exceptional Conditions
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
CVE-2026-41662 (GCVE-0-2026-41662)
Vulnerability from cvelistv5 – Published: 2026-05-07 02:59 – Updated: 2026-05-07 14:06
VLAI
Title
Admidio: Missing Minimum Administrator Check in Role Membership Removal
Summary
Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership() does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership() contains this safety check, but the current code path bypasses it. Any administrator can remove the last remaining other administrator, locking the entire system out of administrative access. The exploit does not require concurrent requests; sequential removals produce the same result. This issue has been patched in version 5.0.9.
Severity
5.2 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Admidio/admidio/security/advis… | x_refsource_CONFIRM |
| https://github.com/Admidio/admidio/releases/tag/v5.0.9 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41662",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T14:05:50.940508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T14:06:48.349Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-c7xm-r6vj-8vg6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "admidio",
"vendor": "Admidio",
"versions": [
{
"status": "affected",
"version": "\u003c 5.0.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership() does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership() contains this safety check, but the current code path bypasses it. Any administrator can remove the last remaining other administrator, locking the entire system out of administrative access. The exploit does not require concurrent requests; sequential removals produce the same result. This issue has been patched in version 5.0.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T02:59:50.508Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-c7xm-r6vj-8vg6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-c7xm-r6vj-8vg6"
},
{
"name": "https://github.com/Admidio/admidio/releases/tag/v5.0.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.9"
}
],
"source": {
"advisory": "GHSA-c7xm-r6vj-8vg6",
"discovery": "UNKNOWN"
},
"title": "Admidio: Missing Minimum Administrator Check in Role Membership Removal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41662",
"datePublished": "2026-05-07T02:59:50.508Z",
"dateReserved": "2026-04-21T23:58:43.803Z",
"dateUpdated": "2026-05-07T14:06:48.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42246 (GCVE-0-2026-42246)
Vulnerability from cvelistv5 – Published: 2026-05-09 19:33 – Updated: 2026-05-12 02:29
VLAI
Title
net-imap vulnerable to STARTTLS stripping via invalid response timing
Summary
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://github.com/ruby/net-imap/security/advisor… | x_refsource_CONFIRM |
| https://github.com/ruby/net-imap/commit/0ede4c40b… | x_refsource_MISC |
| https://github.com/ruby/net-imap/commit/24a4e770b… | x_refsource_MISC |
| https://github.com/ruby/net-imap/commit/97e2488fb… | x_refsource_MISC |
| https://github.com/ruby/net-imap/commit/f79d35bf5… | x_refsource_MISC |
| https://github.com/ruby/net-imap/releases/tag/v0.3.10 | x_refsource_MISC |
| https://github.com/ruby/net-imap/releases/tag/v0.4.24 | x_refsource_MISC |
| https://github.com/ruby/net-imap/releases/tag/v0.5.14 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T02:29:05.120225Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T02:29:15.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "net-imap",
"vendor": "ruby",
"versions": [
{
"status": "affected",
"version": "\u003c 0.3.10"
},
{
"status": "affected",
"version": "\u003e= 0.4.0, \u003c 0.4.24"
},
{
"status": "affected",
"version": "\u003e= 0.5.0, \u003c 0.5.14"
},
{
"status": "affected",
"version": "\u003e= 0.6.0, \u003c 0.6.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return \"successfully\", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-392",
"description": "CWE-392: Missing Report of Error Condition",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-393",
"description": "CWE-393: Return of Wrong Status Code",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-636",
"description": "CWE-636: Not Failing Securely (\u0027Failing Open\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-841",
"description": "CWE-841: Improper Enforcement of Behavioral Workflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T19:33:17.880Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp"
},
{
"name": "https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618"
},
{
"name": "https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e"
},
{
"name": "https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c"
},
{
"name": "https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da"
},
{
"name": "https://github.com/ruby/net-imap/releases/tag/v0.3.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/releases/tag/v0.3.10"
},
{
"name": "https://github.com/ruby/net-imap/releases/tag/v0.4.24",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24"
},
{
"name": "https://github.com/ruby/net-imap/releases/tag/v0.5.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14"
}
],
"source": {
"advisory": "GHSA-vcgp-9326-pqcp",
"discovery": "UNKNOWN"
},
"title": "net-imap vulnerable to STARTTLS stripping via invalid response timing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42246",
"datePublished": "2026-05-09T19:33:17.880Z",
"dateReserved": "2026-04-25T05:37:12.118Z",
"dateUpdated": "2026-05-12T02:29:15.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42349 (GCVE-0-2026-42349)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:08 – Updated: 2026-05-14 18:19
VLAI
Title
Clerk: Authorization bypass when combining organization, billing, or reverification checks
Summary
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/clerk/javascript/security/advi… | x_refsource_CONFIRM |
Impacted products
17 products
| Vendor | Product | Version | |
|---|---|---|---|
| clerk | javascript |
Affected:
>= 5.22.0, < 5.125.10
Affected: >= 6.0.0, < 6.7.5 |
|
| @clerk | shared |
Affected:
>= 3.0.0, <= 3.47.4
Affected: >= 4.0.0, <= 4.8.2 |
|
| @clerk | backend |
Affected:
>= 2.0.0, <= 2.33.2
Affected: >= 3.0.0, <= 3.2.13 |
|
| @clerk | nextjs |
Affected:
>= 6.0.0, <= 6.39.2
Affected: >= 7.0.0, <= 7.2.3 |
|
| @clerk | clerk-react |
Affected:
>= 5.9.0, <= 5.61.5
|
|
| @clerk | react |
Affected:
>= 6.0.0, <= 6.4.2
|
|
| @clerk | vue |
Affected:
>= 1.0.0, <= 1.17.20
Affected: >= 2.0.0, <= 2.0.15 |
|
| @clerk | astro |
Affected:
>= 2.0.0, <= 2.17.10
Affected: >= 3.0.0, <= 3.0.17 |
|
| @clerk | nuxt |
Affected:
>= 1.0.0, <= 1.13.28
Affected: >= 2.0.0, <= 2.2.4 |
|
| @clerk | clerk-expo |
Affected:
>= 2.2.11, <= 2.19.35
|
|
| @clerk | expo |
Affected:
>= 3.0.0, <= 3.2.1
|
|
| @clerk | react-router |
Affected:
>= 0.0.1, <= 2.4.12
Affected: >= 3.0.0, <= 3.1.3 |
|
| @clerk | tanstack-react-start |
Affected:
>= 0.0.1, <= 0.29.10
Affected: >= 1.0.0, <= 1.1.3 |
|
| @clerk | chrome-extension |
Affected:
>= 1.3.5, <= 2.9.14
Affected: >= 3.0.0, <= 3.1.14 |
|
| @clerk | fastify |
Affected:
>= 1.0.42, <= 2.6.30
Affected: >= 3.0.0, <= 3.1.15 |
|
| @clerk | express |
Affected:
>= 0.1.0, <= 1.7.78
Affected: >= 2.0.0, <= 2.1.5 |
|
| @clerk | hono |
Affected:
>= 0.0.2, <= 0.1.15
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42349",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T18:18:41.752602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T18:19:38.735Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "javascript",
"vendor": "clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.22.0, \u003c 5.125.10"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.7.5"
}
]
},
{
"product": "shared",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.47.4"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c= 4.8.2"
}
]
},
{
"product": "backend",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.33.2"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.2.13"
}
]
},
{
"product": "nextjs",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c= 6.39.2"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c= 7.2.3"
}
]
},
{
"product": "clerk-react",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.9.0, \u003c= 5.61.5"
}
]
},
{
"product": "react",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c= 6.4.2"
}
]
},
{
"product": "vue",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c= 1.17.20"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.0.15"
}
]
},
{
"product": "astro",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.17.10"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.0.17"
}
]
},
{
"product": "nuxt",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c= 1.13.28"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.2.4"
}
]
},
{
"product": "clerk-expo",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.2.11, \u003c= 2.19.35"
}
]
},
{
"product": "expo",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.2.1"
}
]
},
{
"product": "react-router",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.1, \u003c= 2.4.12"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.1.3"
}
]
},
{
"product": "tanstack-react-start",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.1, \u003c= 0.29.10"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c= 1.1.3"
}
]
},
{
"product": "chrome-extension",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.5, \u003c= 2.9.14"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.1.14"
}
]
},
{
"product": "fastify",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.42, \u003c= 2.6.30"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.1.15"
}
]
},
{
"product": "express",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.1.0, \u003c= 1.7.78"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.1.5"
}
]
},
{
"product": "hono",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.2, \u003c= 0.1.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:08:27.869Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c"
}
],
"source": {
"advisory": "GHSA-w24r-5266-9c3c",
"discovery": "UNKNOWN"
},
"title": "Clerk: Authorization bypass when combining organization, billing, or reverification checks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42349",
"datePublished": "2026-05-11T16:08:27.869Z",
"dateReserved": "2026-04-26T13:26:14.515Z",
"dateUpdated": "2026-05-14T18:19:38.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42950 (GCVE-0-2026-42950)
Vulnerability from cvelistv5 – Published: 2026-05-13 12:02 – Updated: 2026-05-13 15:05
VLAI
Summary
ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user's web browser may become broken.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-754 - Improper check for unusual or exceptional conditions
Assigner
References
2 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| ELECOM CO.,LTD. | WAB-BE187-M |
Affected:
v1.1.10 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE72-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-S |
Affected:
v1.1.3 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:05:24.135095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:05:49.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WAB-BE187-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.10 and earlier"
}
]
},
{
"product": "WAB-BE72-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-S",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user\u0027s web browser may become broken."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "Improper check for unusual or exceptional conditions",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:02:12.851Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.elecom.co.jp/news/security/20260512-01/"
},
{
"url": "https://jvn.jp/en/jp/JVN03037325/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-42950",
"datePublished": "2026-05-13T12:02:12.851Z",
"dateReserved": "2026-05-07T05:47:10.836Z",
"dateUpdated": "2026-05-13T15:05:49.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44316 (GCVE-0-2026-44316)
Vulnerability from cvelistv5 – Published: 2026-05-27 15:52 – Updated: 2026-05-27 17:54
VLAI
Title
free5GC: PCF npcf-smpolicycontrol POST /sm-policies panics on downstream UDR/OpenAPI 404 via nil pointer dereference
Summary
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-smpolicycontrol/v1/sm-policies handler (HandleCreateSmPolicyRequest) panics with a nil-pointer dereference when a downstream OpenAPI consumer call (UDR lookup) returns 404 Not Found and the consumer wrapper returns err != nil together with a nil response struct. The handler logs the OpenAPI error and continues executing instead of returning, then dereferences the nil response struct on a subsequent line and panics. Gin recovery converts the panic into HTTP 500, so a single attacker-shaped POST returns 500 instead of a clean 4xx whenever the downstream lookup fails. The PCF process keeps running. The trigger is a single POST containing input that causes the downstream UDR lookup to fail (e.g. an unknown DNN). In 4.2.1 this endpoint is also reachable WITHOUT an Authorization header because the PCF Npcf_SMPolicyControl route group is mounted without inbound auth middleware. This vulnerability is fixed in 4.2.2.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/free5gc/free5gc/security/advis… | x_refsource_CONFIRM |
| https://github.com/free5gc/free5gc/issues/803 | x_refsource_MISC |
| https://github.com/free5gc/pcf/pull/62 | x_refsource_MISC |
| https://github.com/free5gc/pcf/commit/df535f55243… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44316",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T17:54:26.642585Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T17:54:45.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/free5gc/free5gc/issues/803"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "free5gc",
"vendor": "free5gc",
"versions": [
{
"status": "affected",
"version": "\u003c 4.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s PCF POST /npcf-smpolicycontrol/v1/sm-policies handler (HandleCreateSmPolicyRequest) panics with a nil-pointer dereference when a downstream OpenAPI consumer call (UDR lookup) returns 404 Not Found and the consumer wrapper returns err != nil together with a nil response struct. The handler logs the OpenAPI error and continues executing instead of returning, then dereferences the nil response struct on a subsequent line and panics. Gin recovery converts the panic into HTTP 500, so a single attacker-shaped POST returns 500 instead of a clean 4xx whenever the downstream lookup fails. The PCF process keeps running. The trigger is a single POST containing input that causes the downstream UDR lookup to fail (e.g. an unknown DNN). In 4.2.1 this endpoint is also reachable WITHOUT an Authorization header because the PCF Npcf_SMPolicyControl route group is mounted without inbound auth middleware. This vulnerability is fixed in 4.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:52:07.224Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-wr8j-6chw-gm6p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-wr8j-6chw-gm6p"
},
{
"name": "https://github.com/free5gc/free5gc/issues/803",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/free5gc/free5gc/issues/803"
},
{
"name": "https://github.com/free5gc/pcf/pull/62",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/free5gc/pcf/pull/62"
},
{
"name": "https://github.com/free5gc/pcf/commit/df535f5524314620715e842baf9723efbeb481a7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/free5gc/pcf/commit/df535f5524314620715e842baf9723efbeb481a7"
}
],
"source": {
"advisory": "GHSA-wr8j-6chw-gm6p",
"discovery": "UNKNOWN"
},
"title": "free5GC: PCF npcf-smpolicycontrol POST /sm-policies panics on downstream UDR/OpenAPI 404 via nil pointer dereference"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44316",
"datePublished": "2026-05-27T15:52:07.224Z",
"dateReserved": "2026-05-05T19:00:06.022Z",
"dateUpdated": "2026-05-27T17:54:45.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44317 (GCVE-0-2026-44317)
Vulnerability from cvelistv5 – Published: 2026-05-27 15:50 – Updated: 2026-05-28 14:46
VLAI
Title
free5GC: PCF npcf-policyauthorization POST /app-sessions panics on suppFeat=1 with missing AfRoutReq via nil pointer dereference
Summary
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose ascReqData.suppFeat == "1" (enabling traffic-routing feature negotiation) and whose medComponents entries supply an afAppId but NO AfRoutReq. The create path then calls provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, ...) with routeReq == nil and dereferences routeReq.RouteToLocs (and other fields) without a nil check, causing runtime error: invalid memory address or nil pointer dereference. Gin recovery converts the panic into HTTP 500. This vulnerability is fixed in 4.2.2.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/free5gc/free5gc/security/advis… | x_refsource_CONFIRM |
| https://github.com/free5gc/free5gc/issues/879 | x_refsource_MISC |
| https://github.com/free5gc/pcf/pull/65 | x_refsource_MISC |
| https://github.com/free5gc/pcf/commit/508d70b8527… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44317",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T14:45:45.407067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T14:46:12.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-wwqh-7jm5-gj7w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "free5gc",
"vendor": "free5gc",
"versions": [
{
"status": "affected",
"version": "\u003c 4.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose ascReqData.suppFeat == \"1\" (enabling traffic-routing feature negotiation) and whose medComponents entries supply an afAppId but NO AfRoutReq. The create path then calls provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, ...) with routeReq == nil and dereferences routeReq.RouteToLocs (and other fields) without a nil check, causing runtime error: invalid memory address or nil pointer dereference. Gin recovery converts the panic into HTTP 500. This vulnerability is fixed in 4.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:50:18.242Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-wwqh-7jm5-gj7w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-wwqh-7jm5-gj7w"
},
{
"name": "https://github.com/free5gc/free5gc/issues/879",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/free5gc/free5gc/issues/879"
},
{
"name": "https://github.com/free5gc/pcf/pull/65",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/free5gc/pcf/pull/65"
},
{
"name": "https://github.com/free5gc/pcf/commit/508d70b8527a6c8c923179dad450ea01e16b6aeb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/free5gc/pcf/commit/508d70b8527a6c8c923179dad450ea01e16b6aeb"
}
],
"source": {
"advisory": "GHSA-wwqh-7jm5-gj7w",
"discovery": "UNKNOWN"
},
"title": "free5GC: PCF npcf-policyauthorization POST /app-sessions panics on suppFeat=1 with missing AfRoutReq via nil pointer dereference"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44317",
"datePublished": "2026-05-27T15:50:18.242Z",
"dateReserved": "2026-05-05T19:00:06.022Z",
"dateUpdated": "2026-05-28T14:46:12.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44322 (GCVE-0-2026-44322)
Vulnerability from cvelistv5 – Published: 2026-05-27 15:46 – Updated: 2026-05-28 14:42
VLAI
Title
free5GC: NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference
Summary
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler's errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing. This vulnerability is fixed in 4.2.2.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/free5gc/free5gc/security/advis… | x_refsource_CONFIRM |
| https://github.com/free5gc/free5gc/issues/925 | x_refsource_MISC |
| https://github.com/free5gc/nef/pull/22 | x_refsource_MISC |
| https://github.com/free5gc/nef/commit/72a47f3fab4… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44322",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T14:41:42.971095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T14:42:42.998Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-j59f-x285-69jx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "free5gc",
"vendor": "free5gc",
"versions": [
{
"status": "affected",
"version": "\u003c 4.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler\u0027s errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing. This vulnerability is fixed in 4.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:46:10.475Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-j59f-x285-69jx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-j59f-x285-69jx"
},
{
"name": "https://github.com/free5gc/free5gc/issues/925",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/free5gc/free5gc/issues/925"
},
{
"name": "https://github.com/free5gc/nef/pull/22",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/free5gc/nef/pull/22"
},
{
"name": "https://github.com/free5gc/nef/commit/72a47f3fab4dffbd227f8d92c5f69dca93b610cb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/free5gc/nef/commit/72a47f3fab4dffbd227f8d92c5f69dca93b610cb"
}
],
"source": {
"advisory": "GHSA-j59f-x285-69jx",
"discovery": "UNKNOWN"
},
"title": "free5GC: NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44322",
"datePublished": "2026-05-27T15:46:10.475Z",
"dateReserved": "2026-05-05T19:00:06.022Z",
"dateUpdated": "2026-05-28T14:42:42.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44324 (GCVE-0-2026-44324)
Vulnerability from cvelistv5 – Published: 2026-05-27 15:44 – Updated: 2026-05-28 14:38
VLAI
Title
free5GC: UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)
Summary
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) -- a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/free5gc/free5gc/security/advis… | x_refsource_CONFIRM |
| https://github.com/free5gc/free5gc/issues/920 | x_refsource_MISC |
| https://github.com/free5gc/udr/pull/60 | x_refsource_MISC |
| https://github.com/free5gc/udr/commit/8a1d3c63be9… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44324",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T14:38:03.211329Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T14:38:09.624Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/free5gc/free5gc/issues/920"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "free5gc",
"vendor": "free5gc",
"versions": [
{
"status": "affected",
"version": "\u003c 4.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) -- a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-704",
"description": "CWE-704: Incorrect Type Conversion or Cast",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:44:27.616Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63"
},
{
"name": "https://github.com/free5gc/free5gc/issues/920",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/free5gc/free5gc/issues/920"
},
{
"name": "https://github.com/free5gc/udr/pull/60",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/free5gc/udr/pull/60"
},
{
"name": "https://github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99"
}
],
"source": {
"advisory": "GHSA-jqfc-gwj5-3w63",
"discovery": "UNKNOWN"
},
"title": "free5GC: UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44324",
"datePublished": "2026-05-27T15:44:27.616Z",
"dateReserved": "2026-05-05T19:00:06.023Z",
"dateUpdated": "2026-05-28T14:38:09.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45678 (GCVE-0-2026-45678)
Vulnerability from cvelistv5 – Published: 2026-06-02 15:24 – Updated: 2026-06-02 15:54
VLAI
Title
OpenTelemetry eBPF Instrumentation: Postgres BIND parsing can panic on malformed payloads
Summary
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the Postgres protocol parser assumes BIND message payloads contain a valid NUL-terminated portal name. A crafted empty or unterminated payload can make OBI slice beyond the end of the captured buffer and panic. This issue has been patched in version 0.9.0.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-e… | x_refsource_CONFIRM |
| https://github.com/open-telemetry/opentelemetry-e… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | opentelemetry-ebpf-instrumentation |
Affected:
< 0.9.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45678",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:54:02.639290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:54:32.180Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-pgvv-q3wf-mm9m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-ebpf-instrumentation",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the Postgres protocol parser assumes BIND message payloads contain a valid NUL-terminated portal name. A crafted empty or unterminated payload can make OBI slice beyond the end of the captured buffer and panic. This issue has been patched in version 0.9.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:24:12.340Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-pgvv-q3wf-mm9m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-pgvv-q3wf-mm9m"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0"
}
],
"source": {
"advisory": "GHSA-pgvv-q3wf-mm9m",
"discovery": "UNKNOWN"
},
"title": "OpenTelemetry eBPF Instrumentation: Postgres BIND parsing can panic on malformed payloads"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45678",
"datePublished": "2026-06-02T15:24:12.340Z",
"dateReserved": "2026-05-12T21:59:25.666Z",
"dateUpdated": "2026-06-02T15:54:32.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4643 (GCVE-0-2026-4643)
Vulnerability from cvelistv5 – Published: 2026-05-18 08:43 – Updated: 2026-05-18 14:36
VLAI
Title
Calling window.close() from server-side content causes crash in the Mattermost Desktop App
Summary
Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking {{window.close()}} in the renderer context, leading to a denial of service condition at the client level. Mattermost Advisory ID: MMSA-2026-00633
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
0 , ≤ 6.0.1
(semver)
Affected: 0 , ≤ 5.4.13 (semver) Unaffected: 6.2.0 Unaffected: 6.1.1.0 Unaffected: 5.13.5.0 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4643",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T14:35:39.361607Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T14:36:01.271Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "6.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.13",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "6.2.0"
},
{
"status": "unaffected",
"version": "6.1.1.0"
},
{
"status": "unaffected",
"version": "5.13.5.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Devin Binnie"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost Desktop App versions \u003c=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking {{window.close()}} in the renderer context, leading to a denial of service condition at the client level. Mattermost Advisory ID: MMSA-2026-00633"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T08:43:34.588Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2026-00633",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost Desktop App to versions 6.2.0, 6.1.1.0, 5.13.5.0 or higher."
}
],
"source": {
"advisory": "MMSA-2026-00633",
"defect": [
"https://mattermost.atlassian.net/browse/MM-67910"
],
"discovery": "{\"self\"=\u003e\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=\u003e\"Internal\", \"id\"=\u003e\"10557\"}"
},
"title": "Calling window.close() from server-side content causes crash in the Mattermost Desktop App",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-4643",
"datePublished": "2026-05-18T08:43:34.588Z",
"dateReserved": "2026-03-23T11:42:45.791Z",
"dateUpdated": "2026-05-18T14:36:01.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-3
Phase: Requirements
Strategy: Language Selection
Description:
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation
Phase: Implementation
Description:
- Check the results of all functions that return a value and verify that the value is expected.
Mitigation
Phase: Implementation
Description:
- If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).
Mitigation ID: MIT-39
Phase: Implementation
Description:
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
- Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation ID: MIT-5
Phase: Implementation
Strategy: Input Validation
Description:
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation ID: MIT-38
Phases: Architecture and Design, Implementation
Description:
- If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.
Mitigation
Phase: Architecture and Design
Description:
- Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.
No CAPEC attack patterns related to this CWE.