cvelistv5 - cve-2026-24137

CVE-2026-24137 (GCVE-0-2026-24137)

Vulnerability from cvelistv5

Published

2026-01-23 00:04

Modified

2026-01-23 19:55

Severity ?

5.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Summary

sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release.

References

URL

Tags

	https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf	x_refsource_CONFIRM
	https://github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e	x_refsource_MISC
	https://github.com/sigstore/sigstore/releases/tag/v1.10.4	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	sigstore	sigstore	Version: < 1.10.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24137",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-23T19:55:31.439546Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-23T19:55:42.582Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "sigstore",
          "vendor": "sigstore",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.10.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-23T00:04:19.046Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf"
        },
        {
          "name": "https://github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e"
        },
        {
          "name": "https://github.com/sigstore/sigstore/releases/tag/v1.10.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sigstore/sigstore/releases/tag/v1.10.4"
        }
      ],
      "source": {
        "advisory": "GHSA-fcv2-xgw5-pqxf",
        "discovery": "UNKNOWN"
      },
      "title": "sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24137",
    "datePublished": "2026-01-23T00:04:19.046Z",
    "dateReserved": "2026-01-21T18:38:22.474Z",
    "dateUpdated": "2026-01-23T19:55:42.582Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-22\", \"lang\": \"en\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 5.8, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"scope\": \"CHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf\"}, {\"name\": \"https://github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e\"}, {\"name\": \"https://github.com/sigstore/sigstore/releases/tag/v1.10.4\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/sigstore/sigstore/releases/tag/v1.10.4\"}], \"affected\": [{\"vendor\": \"sigstore\", \"product\": \"sigstore\", \"versions\": [{\"version\": \"\u003c 1.10.4\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-23T00:04:19.046Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release.\"}], \"source\": {\"advisory\": \"GHSA-fcv2-xgw5-pqxf\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24137\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-23T19:55:31.439546Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-23T19:55:38.860Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-24137\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-01-21T18:38:22.474Z\", \"datePublished\": \"2026-01-23T00:04:19.046Z\", \"dateUpdated\": \"2026-01-23T19:55:42.582Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2026-AVI-0315

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits VMware. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
VMware	Tanzu Platform	Elastic Application Runtime for VMware Tanzu Platform versions antérieures à 10.3.6
VMware	N/A	.NET Core Buildpack versions antérieures à 2.4.86
VMware	N/A	Go Buildpack versions antérieures à 1.10.75
VMware	Tanzu Platform	Tanzu Data Flow on Tanzu Platform versions antérieures à 2.0.4
VMware	Tanzu Platform	Elastic Application Runtime for VMware Tanzu Platform versions antérieures à 6.0.26+LTS-T
VMware	Tanzu Platform	Extended App Support for Tanzu Platform versions antérieures à 1.0.17
VMware	Tanzu Platform	Elastic Application Runtime for VMware Tanzu Platform versions antérieures à 10.2.9+LTS-T
VMware	N/A	Binary Buildpack versions antérieures à 1.1.61
VMware	N/A	VMware Harbor Registry versions antérieures à 2.14.3

References

Title

Publication Time

Tags

Bulletin de sécurité VMware 37197	2026-03-18	vendor-advisory
Bulletin de sécurité VMware 37202	2026-03-18	vendor-advisory
Bulletin de sécurité VMware 37200	2026-03-18	vendor-advisory
Bulletin de sécurité VMware 37209	2026-03-18	vendor-advisory
Bulletin de sécurité VMware 37198	2026-03-18	vendor-advisory
Bulletin de sécurité VMware 37208	2026-03-18	vendor-advisory
Bulletin de sécurité VMware 37206	2026-03-18	vendor-advisory
Bulletin de sécurité VMware 37204	2026-03-18	vendor-advisory
Bulletin de sécurité VMware 37203	2026-03-18	vendor-advisory
Bulletin de sécurité VMware 37207	2026-03-18	vendor-advisory
Bulletin de sécurité VMware 37199	2026-03-18	vendor-advisory
Bulletin de sécurité VMware 37210	2026-03-18	vendor-advisory
Bulletin de sécurité VMware 37205	2026-03-18	vendor-advisory
Bulletin de sécurité VMware 37201	2026-03-18	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Elastic Application Runtime for VMware Tanzu Platform versions ant\u00e9rieures \u00e0 10.3.6",
      "product": {
        "name": "Tanzu Platform",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": ".NET Core Buildpack versions ant\u00e9rieures \u00e0 2.4.86",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Go Buildpack versions ant\u00e9rieures \u00e0 1.10.75",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Tanzu Data Flow on Tanzu Platform versions ant\u00e9rieures \u00e0 2.0.4",
      "product": {
        "name": "Tanzu Platform",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Elastic Application Runtime for VMware Tanzu Platform versions ant\u00e9rieures \u00e0 6.0.26+LTS-T",
      "product": {
        "name": "Tanzu Platform",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Extended App Support for Tanzu Platform versions ant\u00e9rieures \u00e0 1.0.17",
      "product": {
        "name": "Tanzu Platform",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Elastic Application Runtime for VMware Tanzu Platform versions ant\u00e9rieures \u00e0 10.2.9+LTS-T",
      "product": {
        "name": "Tanzu Platform",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "Binary Buildpack versions ant\u00e9rieures \u00e0 1.1.61",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "VMware Harbor Registry versions ant\u00e9rieures \u00e0 2.14.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-61730",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61730"
    },
    {
      "name": "CVE-2026-21933",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-21933"
    },
    {
      "name": "CVE-2025-31115",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31115"
    },
    {
      "name": "CVE-2025-58183",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58183"
    },
    {
      "name": "CVE-2026-21932",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-21932"
    },
    {
      "name": "CVE-2025-15282",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-15282"
    },
    {
      "name": "CVE-2026-21637",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-21637"
    },
    {
      "name": "CVE-2024-3220",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-3220"
    },
    {
      "name": "CVE-2025-22872",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22872"
    },
    {
      "name": "CVE-2025-66614",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-66614"
    },
    {
      "name": "CVE-2026-1965",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-1965"
    },
    {
      "name": "CVE-2025-12084",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-12084"
    },
    {
      "name": "CVE-2025-27219",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27219"
    },
    {
      "name": "CVE-2024-47611",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47611"
    },
    {
      "name": "CVE-2026-1642",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-1642"
    },
    {
      "name": "CVE-2026-27138",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-27138"
    },
    {
      "name": "CVE-2025-11468",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-11468"
    },
    {
      "name": "CVE-2025-6069",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-6069"
    },
    {
      "name": "CVE-2025-69419",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-69419"
    },
    {
      "name": "CVE-2026-3783",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-3783"
    },
    {
      "name": "CVE-2025-6075",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-6075"
    },
    {
      "name": "CVE-2026-23831",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-23831"
    },
    {
      "name": "CVE-2026-22701",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-22701"
    },
    {
      "name": "CVE-2025-58185",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58185"
    },
    {
      "name": "CVE-2025-61731",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61731"
    },
    {
      "name": "CVE-2026-27137",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-27137"
    },
    {
      "name": "CVE-2025-13837",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-13837"
    },
    {
      "name": "CVE-2025-15367",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-15367"
    },
    {
      "name": "CVE-2026-2006",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-2006"
    },
    {
      "name": "CVE-2025-55130",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55130"
    },
    {
      "name": "CVE-2025-55131",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55131"
    },
    {
      "name": "CVE-2026-2005",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-2005"
    },
    {
      "name": "CVE-2025-50106",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-50106"
    },
    {
      "name": "CVE-2025-59465",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-59465"
    },
    {
      "name": "CVE-2025-29923",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-29923"
    },
    {
      "name": "CVE-2025-8291",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-8291"
    },
    {
      "name": "CVE-2026-22795",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-22795"
    },
    {
      "name": "CVE-2025-61727",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61727"
    },
    {
      "name": "CVE-2026-21925",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-21925"
    },
    {
      "name": "CVE-2025-30754",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30754"
    },
    {
      "name": "CVE-2025-53859",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53859"
    },
    {
      "name": "CVE-2025-47910",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47910"
    },
    {
      "name": "CVE-2026-1703",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-1703"
    },
    {
      "name": "CVE-2026-27142",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-27142"
    },
    {
      "name": "CVE-2025-8194",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-8194"
    },
    {
      "name": "CVE-2025-69421",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-69421"
    },
    {
      "name": "CVE-2025-12781",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-12781"
    },
    {
      "name": "CVE-2025-58188",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58188"
    },
    {
      "name": "CVE-2026-26958",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-26958"
    },
    {
      "name": "CVE-2023-38037",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38037"
    },
    {
      "name": "CVE-2026-25934",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-25934"
    },
    {
      "name": "CVE-2026-22796",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-22796"
    },
    {
      "name": "CVE-2025-61724",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61724"
    },
    {
      "name": "CVE-2023-28120",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28120"
    },
    {
      "name": "CVE-2025-61732",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61732"
    },
    {
      "name": "CVE-2025-61723",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61723"
    },
    {
      "name": "CVE-2025-55132",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55132"
    },
    {
      "name": "CVE-2026-22702",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-22702"
    },
    {
      "name": "CVE-2026-25679",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-25679"
    },
    {
      "name": "CVE-2025-14017",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-14017"
    },
    {
      "name": "CVE-2026-3805",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-3805"
    },
    {
      "name": "CVE-2025-13836",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-13836"
    },
    {
      "name": "CVE-2026-1229",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-1229"
    },
    {
      "name": "CVE-2025-61725",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61725"
    },
    {
      "name": "CVE-2025-27220",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27220"
    },
    {
      "name": "CVE-2025-55163",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
    },
    {
      "name": "CVE-2025-15366",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-15366"
    },
    {
      "name": "CVE-2025-13462",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-13462"
    },
    {
      "name": "CVE-2026-0865",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-0865"
    },
    {
      "name": "CVE-2025-50059",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-50059"
    },
    {
      "name": "CVE-2026-24117",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-24117"
    },
    {
      "name": "CVE-2025-47912",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47912"
    },
    {
      "name": "CVE-2025-68160",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-68160"
    },
    {
      "name": "CVE-2025-54410",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-54410"
    },
    {
      "name": "CVE-2025-67735",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-67735"
    },
    {
      "name": "CVE-2025-61728",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61728"
    },
    {
      "name": "CVE-2025-58186",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58186"
    },
    {
      "name": "CVE-2025-13034",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-13034"
    },
    {
      "name": "CVE-2025-8869",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-8869"
    },
    {
      "name": "CVE-2025-58187",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58187"
    },
    {
      "name": "CVE-2025-14524",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-14524"
    },
    {
      "name": "CVE-2026-2297",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-2297"
    },
    {
      "name": "CVE-2025-58181",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58181"
    },
    {
      "name": "CVE-2025-47914",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47914"
    },
    {
      "name": "CVE-2025-69418",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-69418"
    },
    {
      "name": "CVE-2025-59466",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-59466"
    },
    {
      "name": "CVE-2026-1299",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-1299"
    },
    {
      "name": "CVE-2025-58189",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58189"
    },
    {
      "name": "CVE-2026-21945",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-21945"
    },
    {
      "name": "CVE-2025-22870",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22870"
    },
    {
      "name": "CVE-2025-24358",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-24358"
    },
    {
      "name": "CVE-2025-30749",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30749"
    },
    {
      "name": "CVE-2025-61748",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61748"
    },
    {
      "name": "CVE-2026-27139",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-27139"
    },
    {
      "name": "CVE-2026-24733",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-24733"
    },
    {
      "name": "CVE-2025-66564",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-66564"
    },
    {
      "name": "CVE-2026-2003",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-2003"
    },
    {
      "name": "CVE-2025-15079",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-15079"
    },
    {
      "name": "CVE-2025-68121",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-68121"
    },
    {
      "name": "CVE-2025-14819",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-14819"
    },
    {
      "name": "CVE-2025-61726",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
    },
    {
      "name": "CVE-2025-47909",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47909"
    },
    {
      "name": "CVE-2026-2004",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-2004"
    },
    {
      "name": "CVE-2026-0672",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-0672"
    },
    {
      "name": "CVE-2026-24137",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-24137"
    },
    {
      "name": "CVE-2017-8806",
      "url": "https://www.cve.org/CVERecord?id=CVE-2017-8806"
    },
    {
      "name": "CVE-2025-53057",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53057"
    },
    {
      "name": "CVE-2023-22796",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22796"
    },
    {
      "name": "CVE-2025-68119",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-68119"
    },
    {
      "name": "CVE-2025-53066",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53066"
    },
    {
      "name": "CVE-2025-69420",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-69420"
    },
    {
      "name": "CVE-2025-47273",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47273"
    },
    {
      "name": "CVE-2025-15224",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-15224"
    },
    {
      "name": "CVE-2026-1225",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-1225"
    },
    {
      "name": "CVE-2026-22703",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-22703"
    },
    {
      "name": "CVE-2025-61729",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
    },
    {
      "name": "CVE-2024-6345",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6345"
    },
    {
      "name": "CVE-2026-3784",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-3784"
    }
  ],
  "initial_release_date": "2026-03-18T00:00:00",
  "last_revision_date": "2026-03-18T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0315",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-03-18T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits VMware. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits VMware",
  "vendor_advisories": [
    {
      "published_at": "2026-03-18",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 37197",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37197"
    },
    {
      "published_at": "2026-03-18",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 37202",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37202"
    },
    {
      "published_at": "2026-03-18",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 37200",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37200"
    },
    {
      "published_at": "2026-03-18",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 37209",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37209"
    },
    {
      "published_at": "2026-03-18",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 37198",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37198"
    },
    {
      "published_at": "2026-03-18",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 37208",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37208"
    },
    {
      "published_at": "2026-03-18",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 37206",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37206"
    },
    {
      "published_at": "2026-03-18",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 37204",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37204"
    },
    {
      "published_at": "2026-03-18",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 37203",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37203"
    },
    {
      "published_at": "2026-03-18",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 37207",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37207"
    },
    {
      "published_at": "2026-03-18",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 37199",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37199"
    },
    {
      "published_at": "2026-03-18",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 37210",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37210"
    },
    {
      "published_at": "2026-03-18",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 37205",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37205"
    },
    {
      "published_at": "2026-03-18",
      "title": "Bulletin de s\u00e9curit\u00e9 VMware 37201",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37201"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2026-24137 (GCVE-0-2026-24137)

Vulnerability from cvelistv5

CERTFR-2026-AVI-0315

Vulnerability from certfr_avis

Solutions

Tags

Sightings

Nomenclature