|
871
|
4.4 |
MEDIUM
Local
|
uutils
|
coreutils
|
The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The are_files_identical function opens and reads from both input p…
Update
|
CWE-20
Improper Input Validation
|
CVE-2026-35347
|
2026-04-27 21:28 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
872
|
7.7 |
HIGH
Local
|
uutils
|
coreutils
|
A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a path-string check rather than comparing device and inode numbers to …
Update
|
CWE-59
Link Following
|
CVE-2026-35349
|
2026-04-27 21:28 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
873
|
4.2 |
MEDIUM
Local
|
uutils
|
coreutils
|
The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destinati…
Update
|
CWE-281
Improper Preservation of Permissions
|
CVE-2026-35351
|
2026-04-27 21:28 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
874
|
3.3 |
LOW
Local
|
uutils
|
coreutils
|
The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived permissions (typically 0755) before subsequently changing them …
Update
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-35353
|
2026-04-27 21:27 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
875
|
6.3 |
MEDIUM
Local
|
uutils
|
coreutils
|
The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation. The implementation unlinks an existing destination file and t…
Update
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-35355
|
2026-04-27 21:27 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
876
|
6.3 |
MEDIUM
Local
|
uutils
|
coreutils
|
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a seco…
Update
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-35356
|
2026-04-27 21:27 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
877
|
4.4 |
MEDIUM
Local
|
uutils
|
coreutils
|
The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the utility attempts cleanup using std…
Update
|
CWE-281
CWE-459
Improper Preservation of Permissions
Incomplete Cleanup
|
CVE-2026-35361
|
2026-04-27 21:27 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
878
|
3.6 |
LOW
Local
|
uutils
|
coreutils
|
The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to…
Update
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-35362
|
2026-04-27 21:26 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
879
|
4.3 |
MEDIUM
Network
|
apache
|
airflow
|
The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment …
Update
|
CWE-1220
Insufficient Granularity of Access Control
|
CVE-2026-40690
|
2026-04-27 21:24 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
880
|
4.3 |
MEDIUM
Network
|
apache
|
airflow
|
The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG…
Update
|
CWE-1220
Insufficient Granularity of Access Control
|
CVE-2026-38743
|
2026-04-27 21:24 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
