CVE-2026-8990

A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification. This issue was fixed in version 4.4.3...

CVE-2026-8990

The CVE-2026-8990 entry affects the Kidsview mobile application. A user with physical access can bypass the app’s authentication by interacting with push notifications, granting full access to the device owner’s account. Affected behavior is an authentication bypass via the notification channel, ...

CVE-2026-44076

Insufficient sanitization of volume paths in Netatalk 3.1.0 through 4.4.2 allows a local privileged user to inject OS commands and execute arbitrary code via a crafted volume path...

CVE-2026-44066

Multiple heap out-of-bounds reads in the Spotlight RPC unmarshalling code in Netatalk 3.1.0 through 4.4.2 allow a remote authenticated attacker to obtain sensitive information or cause a minor service disruption...

CVE-2026-44060

An integer underflow in dsiwriteinit in Netatalk 1.5.0 through 4.4.2 allows a remote unauthenticated attacker to cause a denial of service via a crafted DSI write request...

CVE-2026-44050

A heap-based buffer overflow in the CNID daemon commrcv function in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with escalated privileges or cause a denial of service...

CVE-2026-44048

A stack-based buffer overflow via UCS-2 type confusion in convertcharset in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of service...

CVE-2026-44051

An improper link resolution vulnerability in Netatalk 3.0.2 through 4.4.2 allows a remote authenticated attacker to read arbitrary files or overwrite arbitrary files via attacker-controlled symlink creation...

CVE-2026-44076 Shell injection via volume path

Insufficient sanitization of volume paths in Netatalk 3.1.0 through 4.4.2 allows a local privileged user to inject OS commands and execute arbitrary code via a crafted volume path...

CVE-2026-44076

CVE-2026-44076 affects Netatalk versions 3.1.0 through 4.4.2, with shell injection via volume path. The issue arises from insufficient sanitization of volume paths and is fixed in 4.4.3. Impact is described as local, with potential for arbitrary code execution by a local privileged user through a...

CVE-2026-44066

CVE-2026-44066 affects Netatalk 3.1.0 through 4.4.2, where heap out-of-bounds reads occur during Spotlight RPC unmarshalling. The issue is fixed in Netatalk 4.4.3. Debian and Alpine advisories describe remote exposure leading to information disclosure or minor service disruption, with the vulnera...

EUVD-2026-31240

An out-of-bounds read in ASP session ID handling in Netatalk 1.3 through 4.4.2 allows an adjacent network attacker to obtain limited information or cause a denial of service via a crafted ASP request...

CVE-2026-44064 ASP session ID out-of-bounds access

An out-of-bounds read in ASP session ID handling in Netatalk 1.3 through 4.4.2 allows an adjacent network attacker to obtain limited information or cause a denial of service via a crafted ASP request...

CVE-2026-44064

Netatalk contains an out-of-bounds access in the ASP session ID handling (affecting 1.3 through 4.4.2). This could allow information disclosure or DoS; CVE-2026-44064 is fixed in 4.4.3. Affected: Netatalk 1.3–4.4.2. Root cause: out-of-bounds read in ASP session ID handling. Remediation: upgrade t...

CVE-2026-44062

In Netatalk (versions 2.0.4–4.4.2) a missing o_len bounds check in pull_charset_flags() enables out-of-bounds processing; fixed in 4.4.3 (per NVD). Debian advisory groups the CVE under a security update and recommends upgrading to a secure netatalk package; apply vendor-provided patches (e.g., De...

CVE-2026-44060 Integer underflow in dsi_writeinit() leads to denial of service

An integer underflow in dsiwriteinit in Netatalk 1.5.0 through 4.4.2 allows a remote unauthenticated attacker to cause a denial of service via a crafted DSI write request...

EUVD-2026-31237

An integer underflow in dsiwriteinit in Netatalk 1.5.0 through 4.4.2 allows a remote unauthenticated attacker to cause a denial of service via a crafted DSI write request...

CVE-2026-44055

Netatalk 3.1.4–4.4.2 contains a bitwise OR/logic bug that permits shell injection. The issue affects Netatalk’s AFP implementation and can lead to remote command execution (high impact). Fixed in version 4.4.3. Affected: Netatalk 3.1.4–4.4.2; Remediation: upgrade to 4.4.3 or later. Exploitation s...

EUVD-2026-31230

A logic error involving bitwise OR operations in Netatalk 3.1.4 through 4.4.2 allows a remote authenticated attacker to inject OS commands and execute arbitrary code...

CVE-2026-44054 Predictable afpd session token

Netatalk 2.0.0 through 4.4.2 generates AFP session tokens derived from predictable process IDs, which allows a remote authenticated attacker to cause a denial of service by exploiting the reconnect mechanism...