47 matches found
EUVD-2026-19416
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the getversionedpath method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences...
GHSA-6326-W46W-PPJW Kedro: Path Traversal in versioned dataset loading via unsanitized version string
Impact The getversionedpath method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../ are preserved and can escape the intended versioned...
Kedro: Path Traversal in versioned dataset loading via unsanitized version string
Impact The getversionedpath method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../ are preserved and can escape the intended versioned...
Directory Traversal
Overview kedro is a Kedro helps you build production-ready data and analytics pipelines Affected versions of this package are vulnerable to Directory Traversal due to unsanitized version strings in versioned dataset path construction. The AbstractVersionedDataset.getversionedpath logic used durin...
OESA-2026-1698 golang security update
The Go Programming Language. Security Fixes: The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large...
CLSA-2026-1772124479 golang: Fix of 7 CVEs
Update to Go 1.25.7 - CVE-2025-61726: fixed DoS due to memory exhaustion flaw in net/url parameter parsing - CVE-2025-61732: fixed RCE via code smuggling flaw in cgo comment parsing - CVE-2025-68121: fixed security bypass in TLS where session resumption could ignore revoked or expired client...
CVE-2025-68119
A flaw was found in Golang's cmd/go module. This vulnerability allows a local attacker to achieve local code execution by downloading and building modules with specially crafted malicious version strings. On systems with Mercurial hg installed, this can occur when downloading modules from...
Google Go Code Execution Vulnerability (CNVD-2026-10650)
Google Go is a static strongly typed, compiled, concatenated, and garbage-collected programming language from Google. A code execution vulnerability exists in Google Go due to an insecure construction of external VCS commands when handling untrusted module sources or malicious version strings in...
CVE-2025-68119
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...
AZL-75639 CVE-2025-68119 affecting package msft-golang for versions less than 1.24.12-1
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...
CVE-2025-68119
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...
AZL-75698 CVE-2025-68119 affecting package golang for versions less than 1.24.12-1
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...
AZL-78939 CVE-2025-68119 affecting package golang 1.25.7-1
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...
AZL-75728 CVE-2025-68119 affecting package golang for versions less than 1.25.6-1
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...
UBUNTU-CVE-2025-68119
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...
EUVD-2025-206446
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...
CVE-2025-68119
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...
CVE-2025-68119
CVE-2025-68119 describes local code execution and arbitrary-file writes when downloading/building modules with malicious version strings in environments where external VCS tools are present. Specifically: on systems with Mercurial (hg), downloading modules from non-standard sources (e.g., custom ...
CVE-2025-68119 Unexpected code execution when invoking toolchain in cmd/go
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...
CVE-2025-68119
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...