Threats Tagged 'cwe-426'

View all threats tagged with 'cwe-426'. Filter and sort to focus on specific types of threats.


CVE-2026-45792: CWE-345: Insufficient Verification of Data Authenticity in rtk-ai rtk

Prior to version 0.32.0, the rtk tool (Rust Token Killer) improperly trusts project-local configuration files by automatically loading .rtk/filters.toml from the working directory without notifying the user. This allows an attacker to place a malicious filter file that modifies shell command outputs via regex-based filters, potentially suppressing or altering output such as file contents, diffs, or security scan results without detection. This vulnerability is fixed in version 0.32.0.

CVE-2026-54055: CWE-59: Improper Link Resolution Before File Access ('Link Following') in kovidgoyal kitty

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue.

CVE-2024-43576: CWE-426: Untrusted Search Path in Microsoft Microsoft 365 Apps for Enterprise

Microsoft Office Remote Code Execution Vulnerability

CVE-2024-43616: CWE-426: Untrusted Search Path in Microsoft Microsoft 365 Apps for Enterprise

Microsoft Office Remote Code Execution Vulnerability

CVE-2026-48565: CWE-426: Untrusted Search Path in Microsoft Windows Narrator Braille

CVE-2026-48565 is a high-severity vulnerability in Microsoft Windows Narrator Braille involving an untrusted search path. This flaw allows a local authorized attacker to elevate privileges by exploiting how the application searches for resources. An official fix is available from Microsoft to address this issue.

CVE-2026-47648: CWE-426: Untrusted Search Path in Microsoft Windows 10 Version 1607

CVE-2026-47648 is a high-severity vulnerability in Windows 10 Version 1607 involving an untrusted search path in Windows Storage. This flaw allows an authorized local attacker to elevate privileges. An official fix is available from Microsoft to address this issue.

CVE-2026-24064: CWE-426: Untrusted Search Path in Waves Audio Ltd. Waves Central

Waves Central for macOS versions 13.0.9 through 16.5.5 contains a local privilege escalation vulnerability due to an untrusted search path. A trusted XPC client component allows dynamic library injection via the DYLD_INSERT_LIBRARIES environment variable. This enables a local attacker to execute arbitrary code with root privileges. The vulnerability is fixed in version 16.6.2.

CVE-2026-11401: CWE-426: Untrusted Search Path in AWS AWS Advanced Go Wrapper

An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through the affected wrapper. To remediate this issue, users should upgrade to the AWS Advanced Go Wrapper release 2026-05-26.

CVE-2026-45721: CWE-20: Improper Input Validation in xyproto algernon

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancestor steps or when filepath.Dir returns ., so on any absolute server-root path the search reaches the filesystem root (/ on Unix, drive letter on Windows). The first handler.lua it finds is loaded into the Lua interpreter with the full Algernon API exposed — including run3(), httpclient, os.execute, io.popen, PQ, MSSQL, raw filesystem access, and the userstate database. Any process that can write handler.lua anywhere in a parent directory of the server root obtains pre-authenticated remote code execution on the next HTTP request. This is reachable without authentication — the lookup happens before the permission check returns a hit (the perm system only gates URL prefixes, not the handler-resolution step), and any URL pointing at a directory without an index triggers the walk. On a fresh stock Algernon install the request GET / is enough. This vulnerability is fixed in 1.17.7.
