CVE-2026-6265
Published 2026-04-27

Priority: P3 (53) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.26% (17.3th percentile)

Insecure preserved inherited permissions vulnerability in Cerberus FTP Server on Windows allows Privilege Escalation. This issue has been resolved in Cerberus FTP Server: 2026.1
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cerberus | cerberus_ftp_server | <= 2025.4.2 | — |
| cerberusftp | ftp_server | < 2026.1 | 2026.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 7.3 | HIGH | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 5.9 | MEDIUM | — |
GHSA · 2026-06-19 · CVE-2026-9679 [MEDIUM] CWE-93
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
## Impact
undici's cookie parser in `parseSetCookie` percent-decodes cookie values via `qsUnescape`, turning encoded sequences like `%0D%0A`, `%00`, `%3B`, and `%3D` into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.
Applications that parse a `Set-Cookie` header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary `Set-Cookie`, `Location`, or `Cache-Control` headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.
Affected applications are those t
GHSA · 2026-06-19 · CVE-2026-11525 [LOW] CWE-183
undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching
## Impact
When undici parses a `Set-Cookie` header, it accepts any `SameSite` attribute value that contains `Strict`, `Lax`, or `None` as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens:
- `SameSite=NoneOfYourBusiness` is parsed as `None`, the most permissive setting.
- `SameSite=StrictLax` is parsed as `Lax`, a downgrade from `Strict`.
Affected applications are those that consume `Set-Cookie` headers from server responses (for example via undici's `fetch` or proxy code paths) and then forward or rely on the parsed `sameSite` attribute. A malicious or non-compliant server can coerce the co
GHSA · 2026-06-16 · CVE-2026-54287 [MEDIUM] CWE-116
hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice
### Summary
On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple `Set-Cookie` headers into one comma-separated value. Because commas also appear inside cookie attributes (for example `Expires` dates), clients cannot split the value back into individual cookies and silently drop or misparse them.
### Details
Per RFC 6265, each cookie must be its own `Set-Cookie` header line, and commas may appear inside attribute values. Joining cookies with `", "` collides with those commas, producing a value that clients cannot reliably split. Only ALB single-header mode and VPC Lattice v2 are affected; API Gateway v1/v2 and ALB with mul
VulDB · 2026-04-27 · CVSS 7.3 · CVE-2026-6265 [HIGH]
Cerberus FTP Server up to 2025.4.2/2026.0 on Windows insecure preserved inherited permissions
A vulnerability labeled as problematic has been found in Cerberus FTP Server up to 2025.4.2/2026.0 on Windows. This affects an unknown function. The manipulation results in insecure preserved inherited permissions.
This vulnerability is identified as CVE-2026-6265. The attack is only possible with local access. There is not any exploit available.
The affected component should be upgraded.
GHSA (unreviewed) · 2026-04-27 · CVE-2026-6265 [HIGH] CWE-278
GHSA-55jc-jj35-fw6c: Insecure preserved inherited permissions vulnerability in Cerberus FTP Server on Windows allows Privilege Escalation
Insecure preserved inherited permissions vulnerability in Cerberus FTP Server on Windows allows Privilege Escalation. This issue has been resolved in Cerberus FTP Server: 2026.1
Red Hat · 2026-06-17 · CVSS 3.7 · CVE-2026-11525 [LOW] CWE-1286
undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
Impact:
When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSite=NoneOfYourBusiness is parsed as None (the most permissive setting), and SameSite=StrictLax is parsed as Lax (a downgrade from Strict).
Affected applications are those that consume Set-Cookie headers from server responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer's view
Red Hat · 2026-02-18 · CVSS 4.7 · CVE-2026-23212 [MEDIUM] CWE-367
kernel: bonding: annotate data-races around slave->last_rx
In the Linux kernel, the following vulnerability has been resolved:
bonding: annotate data-races around slave->last_rx
slave->last_rx and slave->target_last_arp_rx[...] can be read and written
locklessly. Add READ_ONCE() and WRITE_ONCE() annotations.
syzbot reported:

```text
BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate
write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1:
 bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
 bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
 __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
 __netif_receive_skb_one_core net/core/dev.c:6150 [inline]
 __netif_receive_skb+0x59/0x270 net/core/dev.c:6265
 netif_receive_skb_internal net/core/dev.c:6351
```
No detection rules found.
No public exploits indexed.
Bugzilla · 2026-06-17 · CVE-2026-11525 [LOW]
CVE-2026-11525 undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
Impact:
When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSite=NoneOfYourBusiness is parsed as None (the most permissive setting), and SameSite=StrictLax is parsed as Lax (a downgrade from Strict).
Affected applications are those that consume Set-Cookie headers from server responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the
Bugzilla · 2026-06-17 · CVE-2026-9679 [MEDIUM]
CVE-2026-9679 undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
Impact:
undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.
Applications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.
Affected applications are those th