Refine your search
3 vulnerabilities found for by Dropbox
CVE-2026-28809 (GCVE-0-2026-28809)
Vulnerability from cvelistv5
Published
2026-03-23 10:09
Modified
2026-04-07 14:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Summary
XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.
esaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.
This issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28809",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:07:17.488260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:52:46.187Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*",
"cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*",
"cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"packageName": "esaml",
"packageURL": "pkg:hex/esaml",
"product": "esaml",
"vendor": "dropbox"
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"packageName": "arekinath/esaml",
"packageURL": "pkg:github/arekinath/esaml",
"product": "esaml",
"repo": "https://github.com/arekinath/esaml.git",
"vendor": "arekinath"
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"packageName": "handnot2/esaml",
"packageURL": "pkg:github/handnot2/esaml",
"product": "esaml",
"repo": "https://github.com/handnot2/esaml.git",
"vendor": "handnot2"
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"packageName": "dropbox/esaml",
"packageURL": "pkg:github/dropbox/esaml",
"product": "esaml",
"repo": "https://github.com/dropbox/esaml.git",
"vendor": "dropbox"
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:jump-app:esaml:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"packageName": "Jump-App/esaml",
"packageURL": "pkg:github/Jump-App/esaml",
"product": "esaml",
"repo": "https://github.com/Jump-App/esaml.git",
"vendor": "Jump-App",
"versions": [
{
"lessThan": "bab85efde7c136911402a881ca55173759467a26",
"status": "affected",
"version": "0",
"versionType": "git"
},
{
"status": "unaffected",
"version": "bab85efde7c136911402a881ca55173759467a26",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application must use esaml to process SAML messages and run on Erlang/OTP versions before 27. Starting with OTP 27, \u003ctt\u003exmerl_scan\u003c/tt\u003e disables entity expansion by default, which mitigates this vulnerability."
}
],
"value": "The application must use esaml to process SAML messages and run on Erlang/OTP versions before 27. Starting with OTP 27, xmerl_scan disables entity expansion by default, which mitigates this vulnerability."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jump-app:esaml:*:*:*:*:*:*:*:*",
"versionEndExcluding": "bab85efde7c136911402a881ca55173759467a26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bryan Lynch"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.\u003cp\u003eesaml parses attacker-controlled SAML messages using \u003ctt\u003exmerl_scan:string/2\u003c/tt\u003e before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.\u003c/p\u003e\u003cp\u003eThis issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.\u003c/p\u003e"
}
],
"value": "XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.\n\nesaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.\n\nThis issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled."
}
],
"impacts": [
{
"capecId": "CAPEC-201",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-201 Serialized Data External Linking"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:07.406Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"third-party-advisory",
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-28809.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-28809"
},
{
"tags": [
"patch"
],
"url": "https://github.com/Jump-App/esaml/commit/bab85efde7c136911402a881ca55173759467a26"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "XXE in esaml SAML library allows local file read and potential SSRF",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to Erlang/OTP 27 or later. Starting with OTP 27, \u003ctt\u003exmerl_scan\u003c/tt\u003e disables entity expansion by default, which mitigates this vulnerability without changes to esaml."
}
],
"value": "Upgrade to Erlang/OTP 27 or later. Starting with OTP 27, xmerl_scan disables entity expansion by default, which mitigates this vulnerability without changes to esaml."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-28809",
"datePublished": "2026-03-23T10:09:29.233Z",
"dateReserved": "2026-03-03T14:40:00.590Z",
"dateUpdated": "2026-04-07T14:38:07.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-5924 (GCVE-0-2024-5924)
Vulnerability from cvelistv5
Published
2024-06-13 19:40
Modified
2024-08-01 21:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-693 - Protection Mechanism Failure
Summary
Dropbox Desktop Folder Sharing Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of Dropbox Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of shared folders. When syncing files from a shared folder belonging to an untrusted account, the Dropbox desktop application does not apply the Mark-of-the-Web to the local files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-23991.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Dropbox | Dropbox Desktop |
Version: 198.4.7615 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:dropbox:dropbox:198.4.7615:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dropbox",
"vendor": "dropbox",
"versions": [
{
"status": "affected",
"version": "198.4.7615"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5924",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-24T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T03:55:24.677Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:25:03.164Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-24-677",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-677/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Dropbox Desktop",
"vendor": "Dropbox",
"versions": [
{
"status": "affected",
"version": "198.4.7615"
}
]
}
],
"dateAssigned": "2024-06-12T19:05:13.665Z",
"datePublic": "2024-06-13T19:39:24.542Z",
"descriptions": [
{
"lang": "en",
"value": "Dropbox Desktop Folder Sharing Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of Dropbox Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of shared folders. When syncing files from a shared folder belonging to an untrusted account, the Dropbox desktop application does not apply the Mark-of-the-Web to the local files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-23991."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T19:40:13.179Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-24-677",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-677/"
}
],
"source": {
"lang": "en",
"value": "Peter Girnus (@gothburz)"
},
"title": "Dropbox Desktop Folder Sharing Mark-of-the-Web Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2024-5924",
"datePublished": "2024-06-13T19:40:13.179Z",
"dateReserved": "2024-06-12T19:05:13.638Z",
"dateUpdated": "2024-08-01T21:25:03.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4768 (GCVE-0-2022-4768)
Vulnerability from cvelistv5
Published
2022-12-27 22:33
Modified
2024-08-03 01:48
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
VLAI Severity ?
EPSS score ?
CWE
- CWE-74 - Injection
Summary
A vulnerability was found in Dropbox merou. It has been classified as critical. Affected is the function add_public_key of the file grouper/public_key.py of the component SSH Public Key Handler. The manipulation of the argument public_key_str leads to injection. It is possible to launch the attack remotely. The name of the patch is d93087973afa26bc0a2d0a5eb5c0fde748bdd107. It is recommended to apply a patch to fix this issue. VDB-216906 is the identifier assigned to this vulnerability.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:48:40.389Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.216906"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.216906"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/dropbox/merou/pull/673"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/dropbox/merou/commit/d93087973afa26bc0a2d0a5eb5c0fde748bdd107"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"SSH Public Key Handler"
],
"product": "merou",
"vendor": "Dropbox",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Dropbox merou. It has been classified as critical. Affected is the function add_public_key of the file grouper/public_key.py of the component SSH Public Key Handler. The manipulation of the argument public_key_str leads to injection. It is possible to launch the attack remotely. The name of the patch is d93087973afa26bc0a2d0a5eb5c0fde748bdd107. It is recommended to apply a patch to fix this issue. VDB-216906 is the identifier assigned to this vulnerability."
},
{
"lang": "de",
"value": "Es wurde eine kritische Schwachstelle in Dropbox merou ausgemacht. Hiervon betroffen ist die Funktion add_public_key der Datei grouper/public_key.py der Komponente SSH Public Key Handler. Durch Manipulieren des Arguments public_key_str mit unbekannten Daten kann eine injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Patch wird als d93087973afa26bc0a2d0a5eb5c0fde748bdd107 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-27T22:33:35.180Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.216906"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.216906"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/dropbox/merou/pull/673"
},
{
"tags": [
"patch"
],
"url": "https://github.com/dropbox/merou/commit/d93087973afa26bc0a2d0a5eb5c0fde748bdd107"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-12-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2022-12-27T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2022-12-27T23:38:30.000Z",
"value": "VulDB last update"
}
],
"title": "Dropbox merou SSH Public Key public_key.py add_public_key injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2022-4768",
"datePublished": "2022-12-27T22:33:35.180Z",
"dateReserved": "2022-12-27T22:32:12.688Z",
"dateUpdated": "2024-08-03T01:48:40.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}