CVE-2026-49268

A remote attacker can inject LDAP special characters into the Distinguished Name DN construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate th...

EUVD-2026-37701

A remote attacker can inject LDAP special characters into the Distinguished Name DN construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate th...

CVE-2026-49268 Apache Shiro: LDAP DN Injection in DefaultLdapRealm

A remote attacker can inject LDAP special characters into the Distinguished Name DN construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate th...

PT-2026-48333

SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. Affected versions: Spring Security 5.7....

CVE-2025-13392

Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager DSM before 7.2.2-72806-5 and 7.3.1-86003-1 7.2.1-69057 is not affected allows remote attackers to bypass authentication with prior knowledge of the distinguished name DN...

Security update for ovmf (important)

openSUSE security update: security update for ovmf ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20875-1 Rating: important References: bsc1261469 bsc1261476 bsc1261477 bsc1261478 Cross-References: CVE-2026-25833 CVE-2026-25834 CVE-2026-25835...

SUSE-SU-2026:22016-1 Security update for ovmf

This update for ovmf fixes the following issues: - CVE-2026-25833: mbedtls: buffer overflow in the x509inetptonipv6 function bsc1261476. - CVE-2026-25834: mbedtls: client accepts signature algorithm chosen by server even if not advertised in client hello bsc1261477. - CVE-2026-25835: mbedtls: no...

GHSA-PH86-P8F6-F9R2 Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator

Description X509Authenticator implements client-certificate mTLS authentication: the web server validates the client's certificate against a trusted CA, then passes the certificate's Subject DN Distinguished Name: a string like CN=Alice,O=Example,[email protected] to Symfony via...

Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator

Description X509Authenticator implements client-certificate mTLS authentication: the web server validates the client's certificate against a trusted CA, then passes the certificate's Subject DN Distinguished Name: a string like CN=Alice,O=Example,[email protected] to Symfony via...

CVE-2025-13392

Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager DSM before 7.2.2-72806-5 and 7.3.1-86003-1 7.2.1-69057 is not affected allows remote attackers to bypass authentication with prior knowledge of the distinguished name DN...

CVE-2025-13392

Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager DSM before 7.2.2-72806-5 and 7.3.1-86003-1 7.2.1-69057 is not affected allows remote attackers to bypass authentication with prior knowledge of the distinguished name DN...

EUVD-2025-209956

Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager DSM before 7.2.2-72806-5 and 7.3.1-86003-1 7.2.1-69057 is not affected allows remote attackers to bypass authentication with prior knowledge of the distinguished name DN...

CVE-2025-13392

Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager DSM before 7.2.2-72806-5 and 7.3.1-86003-1 7.2.1-69057 is not affected allows remote attackers to bypass authentication with prior knowledge of the distinguished name DN...

CVE-2025-13392

Summary : CVE-2025-13392 affects Synology DiskStation Manager (DSM) via an improper check in the SSO authentication flow, enabling remote authentication bypass with knowledge of a DN. Affected versions : DSM before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected). Impact : local/remo...

PT-2026-44132

Description X509Authenticator implements client-certificate mTLS authentication: the web server validates the client's certificate against a trusted CA, then passes the certificate's Subject DN Distinguished Name: a string like CN=Alice,O=Example,[email protected] to Symfony via $...

CVE-2026-41919

CVE-2026-41919 is an LDAP Injection vulnerability in Apache OFBiz caused by improper neutralization of LDAP special elements in DN construction. The issue affects OFBiz versions before 24.09.06. Upgrading to 24.09.06 fixes the vulnerability. The CVE list also notes the potential impact as authent...

Unity Linux 20.1060e / 20.1070e Security Update: openldap (UTSA-2026-017568)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017568 advisory. A flaw was discovered in OpenLDAP before 2.4.57 leading in an assertion failure in slapd in the X.509 DN parsing in decode.c bernextelement, resulting in denial of...

Astra Linux – Vulnerability in the 389-DS-base

When binding against a DN during authentication, the response from 389-ds-base will differ depending on whether the DN exists or not. This can be exploited by an unauthenticated attacker to check the existence of an entry in the LDAP database...

CVE-2026-33609 LDAP DN injection

Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees...

CVE-2026-33609

CVE-2026-33609 describes incomplete escaping of LDAP queries when 8bit-dns is enabled, enabling LDAP DN injection that could allow queries into internal domain subtrees. The vulnerability is associated with network-level access (no user interaction required) and a base CVSS v3.1 score of 5.3 (MED...