| purl | pkg:apk/alpine/rclone@1.73.5-r0?arch=armv7&distroversion=edge&reponame=community |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-245f-jhkn-w3ck | | CVE-2026-32281 |
| VCID-6a6z-bq7m-c3gf | crypto/x509: Panic in name constraint checking for malformed certificates in crypto/x509 | CVE-2026-27138 |
| VCID-6gj4-t3v3-gyhp | Denial of service in github.com/buger/jsonparser: the Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial-of-service attack. | CVE-2026-32285, GHSA-6g7g-w4f8-9c9x |
| VCID-82wq-13vf-ufb2 | CIRCL has an incorrect calculation in secp384r1 CombinedMult: the CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in [v1.6.3](https://github.com/cloudflare/circl/releases/tag/v1.6.3). | CVE-2026-1229, GHSA-q9hv-hpm4-hj6x |
| VCID-8s5d-1byz-8fhz | html/template: URLs in meta content attribute actions are not escaped in html/template | CVE-2026-27142 |
| VCID-91yp-p6st-8ucd | | CVE-2026-32288 |
| VCID-dp1t-v58b-43du | crypto/tls: Unexpected session resumption in crypto/tls | CVE-2025-68121 |
| VCID-gtys-5r5h-p7ht | | CVE-2026-33810 |
| VCID-h4tn-wydf-mydg | golang.org/x/net/http2: Denial of Service due to malformed HTTP/2 frames | CVE-2026-27141 |
| VCID-ju53-xpej-3qca | | CVE-2026-27140 |
| VCID-mhf1-8kyt-pbbx | gRPC-Go has an authorization bypass via missing leading slash in :path (full advisory below) | CVE-2026-33186, GHSA-p77j-4mvh-x3m3 |
| VCID-nqrd-gp43-g7dw | RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution (full advisory below) | CVE-2026-41179, GHSA-jfwf-28xr-xw6q |
| VCID-pcez-y67t-8yg3 | net/url: Incorrect parsing of IPv6 host literals in net/url | CVE-2026-25679 |
| VCID-s176-xcrb-e3ea | | CVE-2026-27143 |
| VCID-svbs-h3y5-wfbn | | CVE-2026-32289 |
| VCID-t19m-gs1u-rbfp | | CVE-2026-27144 |
| VCID-tf52-aa91-4kf3 | | CVE-2026-32280 |
| VCID-tmb1-tq9e-puhd | | CVE-2026-32282 |
| VCID-vw1r-8zev-ykf4 | | CVE-2026-32283 |
| VCID-x5ub-bfb7-nbbr | crypto/x509: Incorrect enforcement of email constraints in crypto/x509 | CVE-2026-27137 |
| VCID-yj5c-4wbb-gbcx | Go Images vulnerable to an out-of-memory error via a crafted TIFF file: a maliciously crafted TIFF file can cause image decoding to attempt to allocate up to 4GiB of memory, causing either excessive resource consumption or an out-of-memory error. | CVE-2026-33809, GHSA-44p7-9xx4-hf2g |

## VCID-nqrd-gp43-g7dw: RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution

Aliases: CVE-2026-41179, GHSA-jfwf-28xr-xw6q

### Summary

The RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication.

### Preconditions

Preconditions for this vulnerability are:

- The rclone remote control API **must** be enabled, either by the `--rc` flag or by running the `rclone rcd` server
- The remote control API **must** be reachable by the attacker; by default rclone only serves the rc to localhost unless the `--rc-addr` flag is in use
- The rc must have been deployed **without** global RC HTTP authentication, i.e. not using `--rc-user`/`--rc-pass`/`--rc-htpasswd`/etc.

### Details

The root cause consists of the following pieces:

1. `operations/fsinfo` is not protected with `AuthRequired: true`
2. `operations/fsinfo` calls `rc.GetFs(...)` on attacker-controlled input
3. `rc.GetFs(...)` supports inline backend creation through object-valued `fs`
4. WebDAV backend initialization executes `bearer_token_command`

Relevant code paths:

- [`fs/operations/rc.go`](https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/operations/rc.go)
  - `operations/fsinfo` is registered without `AuthRequired: true`
  - `rcFsInfo()` calls `rc.GetFs(ctx, in)`
- [`fs/rc/cache.go`](https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/cache.go)
  - `GetFs()` / `GetFsNamed()` can parse an object-valued `fs`
  - `getConfigMap()` converts attacker-controlled JSON into a backend config string
- [`backend/webdav/webdav.go`](https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/backend/webdav/webdav.go)
  - `bearer_token_command` is a supported backend option
  - `NewFs(...)` calls `fetchAndSetBearerToken()` when `bearer_token_command` is set
  - `fetchBearerToken()` invokes `exec.Command(...)`

This creates a practical single-request unauthenticated command-execution primitive on reachable RC servers without global HTTP authentication.

This was validated on:

- current `master` as of 2026-04-14: `bf55d5e6d37fd86164a87782191f9e1ffcaafa82`
- latest public release tested locally: `v1.73.4`

This was also validated on a public amd64 Ubuntu host controlled by the tester, using direct host execution (not containerized PoC execution).

### PoC

#### Minimal single-request form PoC

Start a vulnerable RC server:

```bash
rclone rcd --rc-addr 127.0.0.1:5572
```

No `--rc-user`, no `--rc-pass`, no `--rc-htpasswd`.

Then send a single request:

```bash
curl -sS -X POST http://127.0.0.1:5572/operations/fsinfo \
  --data-urlencode "fs=:webdav,url='http://127.0.0.1/',vendor=other,bearer_token_command='/usr/bin/touch /tmp/rclone_fsinfo_rce_poc_marker':"
```

Expected result:

- HTTP 200 JSON response from `operations/fsinfo`
- `/tmp/rclone_fsinfo_rce_poc_marker` is created on the host

### Impact

This is effectively a single-request unauthenticated command-execution vulnerability on reachable RC deployments without global HTTP authentication. In practice, command execution in the rclone process context can lead to higher-impact outcomes such as local file read, file write, or shell access, depending on the deployed environment.

#### Testing performed

This was successfully reproduced:

- on a local test environment
- on a public amd64 Ubuntu host controlled by the tester

On the public host it was confirmed:

- the unauthenticated `operations/fsinfo` exploit worked
- command execution occurred on the host
- the issue was reproducible through direct host execution

## VCID-mhf1-8kyt-pbbx: gRPC-Go has an authorization bypass via missing leading slash in :path

Aliases: CVE-2026-33186, GHSA-p77j-4mvh-x3m3

### Impact

_What kind of vulnerability is it? Who is impacted?_

It is an **Authorization Bypass** resulting from **Improper Input Validation** of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

**Who is impacted?**

This affects gRPC-Go servers that meet both of the following criteria:

1. They use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`.
2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

Yes, the issue has been patched. The fix ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

* **v1.79.3**
* The latest **master** branch.

It is recommended that all users employing path-based authorization (especially `grpc/authz`) upgrade as soon as the patch is available in a tagged release.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

#### 1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

```go
import (
	"context"

	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"
)

// Reject any full method name that is empty or does not start with '/'
// before it can reach authorization logic.
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
	if info.FullMethod == "" || info.FullMethod[0] != '/' {
		return nil, status.Errorf(codes.Unimplemented, "malformed method name")
	}
	return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain
s := grpc.NewServer(
	grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)
```

#### 2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the `:path` header does not start with a leading slash.

#### 3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.
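The bypass and the mitigations from the gRPC-Go advisory above (raw-path matching with a fallback "allow" rule, the leading-slash validation, and a default-deny policy), as an added example that is not part of the advisory or of gRPC-Go itself. It models the authorization decision in plain Go without the `grpc` or `grpc/authz` packages; the `Rule` type, the `evaluateRaw`/`evaluateValidated` functions and the `/pkg.Admin/Delete` method names are constructed for illustration and do not correspond to any real policy format.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Rule is a constructed, simplified policy entry: an action and the canonical
// full method name it matches ("*" matches any path). It mirrors the "deny a
// few paths, allow everything else" shape from the advisory, not grpc/authz.
type Rule struct {
	Action string // "allow" or "deny"
	Path   string // canonical full method, e.g. "/pkg.Admin/Delete"
}

// ErrMalformed is returned when a method name fails the leading-slash check.
var ErrMalformed = errors.New("malformed method name")

// evaluateRaw compares the raw :path against the policy with no normalisation,
// which is the lenient behaviour the advisory describes. First matching rule
// wins; no match means deny.
func evaluateRaw(policy []Rule, rawPath string) bool {
	for _, r := range policy {
		if r.Path == "*" || r.Path == rawPath {
			return r.Action == "allow"
		}
	}
	return false
}

// isCanonicalMethod is the check from the advisory's validating interceptor:
// a gRPC full method must be non-empty and start with '/'.
func isCanonicalMethod(path string) bool {
	return strings.HasPrefix(path, "/")
}

// evaluateValidated rejects non-canonical paths before any policy lookup, the
// same ordering the upstream fix and the "outermost interceptor" enforce.
func evaluateValidated(policy []Rule, rawPath string) (bool, error) {
	if !isCanonicalMethod(rawPath) {
		return false, ErrMalformed
	}
	return evaluateRaw(policy, rawPath), nil
}

func main() {
	// Vulnerable shape: a specific deny plus a fallback allow.
	fallbackAllow := []Rule{
		{Action: "deny", Path: "/pkg.Admin/Delete"},
		{Action: "allow", Path: "*"},
	}
	// Hardened shape from mitigation 3: only listed paths are allowed.
	defaultDeny := []Rule{
		{Action: "allow", Path: "/pkg.Public/Get"},
	}
	for _, p := range []string{"/pkg.Admin/Delete", "pkg.Admin/Delete", "/pkg.Public/Get"} {
		validated, err := evaluateValidated(fallbackAllow, p)
		fmt.Printf("%-20q raw=%-5v validated=%-5v err=%v defaultDeny(raw)=%v\n",
			p, evaluateRaw(fallbackAllow, p), validated, err, evaluateRaw(defaultDeny, p))
	}
}
```

With raw matching, `pkg.Admin/Delete` slips past the deny rule and hits the fallback allow; with validation it is rejected before the policy runs, and under a default-deny policy it never matches an allow rule in the first place.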
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-28T15:57:56.305376+00:00 | Alpine Linux Importer | Fixing | VCID-t19m-gs1u-rbfp | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:54.596632+00:00 | Alpine Linux Importer | Fixing | VCID-91yp-p6st-8ucd | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:54.026380+00:00 | Alpine Linux Importer | Fixing | VCID-x5ub-bfb7-nbbr | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:53.223260+00:00 | Alpine Linux Importer | Fixing | VCID-8s5d-1byz-8fhz | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:51.975929+00:00 | Alpine Linux Importer | Fixing | VCID-ju53-xpej-3qca | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:51.765422+00:00 | Alpine Linux Importer | Fixing | VCID-6gj4-t3v3-gyhp | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:49.811834+00:00 | Alpine Linux Importer | Fixing | VCID-tf52-aa91-4kf3 | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:49.478628+00:00 | Alpine Linux Importer | Fixing | VCID-245f-jhkn-w3ck | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:49.209269+00:00 | Alpine Linux Importer | Fixing | VCID-gtys-5r5h-p7ht | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:48.905343+00:00 | Alpine Linux Importer | Fixing | VCID-vw1r-8zev-ykf4 | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:47.973460+00:00 | Alpine Linux Importer | Fixing | VCID-yj5c-4wbb-gbcx | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:47.679215+00:00 | Alpine Linux Importer | Fixing | VCID-nqrd-gp43-g7dw | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:47.584975+00:00 | Alpine Linux Importer | Fixing | VCID-svbs-h3y5-wfbn | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:47.469371+00:00 | Alpine Linux Importer | Fixing | VCID-tmb1-tq9e-puhd | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:47.230733+00:00 | Alpine Linux Importer | Fixing | VCID-s176-xcrb-e3ea | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:47.099213+00:00 | Alpine Linux Importer | Fixing | VCID-mhf1-8kyt-pbbx | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:46.240126+00:00 | Alpine Linux Importer | Fixing | VCID-6a6z-bq7m-c3gf | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:46.062641+00:00 | Alpine Linux Importer | Fixing | VCID-h4tn-wydf-mydg | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:44.859808+00:00 | Alpine Linux Importer | Fixing | VCID-dp1t-v58b-43du | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:44.705621+00:00 | Alpine Linux Importer | Fixing | VCID-82wq-13vf-ufb2 | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-28T15:57:44.172053+00:00 | Alpine Linux Importer | Fixing | VCID-pcez-y67t-8yg3 | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |