Monthly
Setuptools prior to 83.0.0 fails to normalize Unicode filenames before matching them against MANIFEST.in exclusion patterns on macOS APFS and HFS+ filesystems, allowing files with NFD-normalized on-disk names to silently bypass NFC-encoded exclude, global-exclude, recursive-exclude, and prune directives and be packed into Python source distributions. Python package maintainers developing on macOS face a supply chain risk: sensitive files such as credentials, private keys, or environment configs that are correctly listed in MANIFEST.in for exclusion may still appear in tarballs published to PyPI or private registries. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Improper hostname normalization in Node.js TLS server-identity verification (fixed in v26.3.1) lets a TLS peer's hostname be evaluated without proper Unicode/case normalization, so identity checks may match a host they should reject. Rated High by the Node.js team (CVSS 7.7, scope-changed, confidentiality-only), it can cause a client to trust the wrong server and expose data carried over the connection. No public exploit identified at time of analysis; this was disclosed pre-NVD via the nodejs/node June 2026 security release and is not listed in CISA KEV.
Arbitrary DLL loading in SQLite's sqldiff.exe utility on Windows allows attackers to achieve code execution by abusing the Microsoft C runtime's Unicode-to-ANSI Best-Fit character conversion. Specially crafted Unicode characters in command-line arguments can be transformed into ASCII characters that sqldiff then parses as the '-L' option, loading an attacker-supplied DLL. Publicly available exploit research (Blackhat EU 2024 'WorstFit' presentation) demonstrates the technique, though no public exploit identified targeting sqldiff specifically and it is not listed in CISA KEV.
protobufjs versions 7.5.5 and earlier, and 8.0.0-8.0.1 accept overlong UTF-8 byte sequences in the minimal UTF-8 decoder used by non-Node and fallback decoding paths, allowing attackers to bypass byte-level filtering and decode strings containing characters that were not present in the raw protobuf binary input. This integrity issue affects applications that rely on pre-decoding byte validation before using protobuf strings in security-sensitive contexts. Patch versions 7.5.6 and 8.0.2 are available; Node.js Buffer-backed paths are not directly affected.
Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minify_utf8 function is an alias for minnify.
The split utility in uutils coreutils corrupts output filenames when processing non-UTF-8 prefix or suffix inputs by converting invalid byte sequences to UTF-8 replacement characters, causing filename mismatches, collisions, and potential data misdirection. Affected versions prior to 0.8.0 on all platforms exhibit this behavior, which deviates from GNU split's byte-preservation semantics. Local authenticated users can trigger the vulnerability through crafted non-UTF-8 input, leading to integrity issues in automated workflows relying on predictable filename generation.
The ln utility in uutils coreutils fails to process source paths containing non-UTF-8 filename bytes when using target-directory forms, rejecting valid filenames that GNU ln handles correctly. This logic error affects automated scripts and system tasks on Unix filesystems where non-UTF-8 filenames are common, causing denial of service for those specific operations. SSVC classifies exploitation as possible (POC available) but not automatable, with partial technical impact.
The comm utility in uutils coreutils silently corrupts binary and non-UTF-8 encoded file output by replacing invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD), diverging from GNU comm's byte-preserving behavior. This affects any user comparing files with legacy encodings or binary content, resulting in data integrity loss. A proof-of-concept demonstrating the lossy conversion exists, and a patch is available.
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.<br><br>This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users.
Two-factor authentication bypass in SonicWall SMA1000 SSL-VPN allows remote attackers with valid SSLVPN credentials to circumvent TOTP requirements via Unicode encoding manipulation. Affects SMA1000 versions 12.5.0-02283 and 12.4.3-03245 and earlier. Requires high-privilege (PR:H) authenticated access but enables complete authentication bypass (CVSS 7.2). Low EPSS score (0.03%, 10th percentile) indicates minimal observed exploitation likelihood. No public exploit code identified at time of analysis.
Setuptools prior to 83.0.0 fails to normalize Unicode filenames before matching them against MANIFEST.in exclusion patterns on macOS APFS and HFS+ filesystems, allowing files with NFD-normalized on-disk names to silently bypass NFC-encoded exclude, global-exclude, recursive-exclude, and prune directives and be packed into Python source distributions. Python package maintainers developing on macOS face a supply chain risk: sensitive files such as credentials, private keys, or environment configs that are correctly listed in MANIFEST.in for exclusion may still appear in tarballs published to PyPI or private registries. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Improper hostname normalization in Node.js TLS server-identity verification (fixed in v26.3.1) lets a TLS peer's hostname be evaluated without proper Unicode/case normalization, so identity checks may match a host they should reject. Rated High by the Node.js team (CVSS 7.7, scope-changed, confidentiality-only), it can cause a client to trust the wrong server and expose data carried over the connection. No public exploit identified at time of analysis; this was disclosed pre-NVD via the nodejs/node June 2026 security release and is not listed in CISA KEV.
Arbitrary DLL loading in SQLite's sqldiff.exe utility on Windows allows attackers to achieve code execution by abusing the Microsoft C runtime's Unicode-to-ANSI Best-Fit character conversion. Specially crafted Unicode characters in command-line arguments can be transformed into ASCII characters that sqldiff then parses as the '-L' option, loading an attacker-supplied DLL. Publicly available exploit research (Blackhat EU 2024 'WorstFit' presentation) demonstrates the technique, though no public exploit identified targeting sqldiff specifically and it is not listed in CISA KEV.
protobufjs versions 7.5.5 and earlier, and 8.0.0-8.0.1 accept overlong UTF-8 byte sequences in the minimal UTF-8 decoder used by non-Node and fallback decoding paths, allowing attackers to bypass byte-level filtering and decode strings containing characters that were not present in the raw protobuf binary input. This integrity issue affects applications that rely on pre-decoding byte validation before using protobuf strings in security-sensitive contexts. Patch versions 7.5.6 and 8.0.2 are available; Node.js Buffer-backed paths are not directly affected.
Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minify_utf8 function is an alias for minnify.
The split utility in uutils coreutils corrupts output filenames when processing non-UTF-8 prefix or suffix inputs by converting invalid byte sequences to UTF-8 replacement characters, causing filename mismatches, collisions, and potential data misdirection. Affected versions prior to 0.8.0 on all platforms exhibit this behavior, which deviates from GNU split's byte-preservation semantics. Local authenticated users can trigger the vulnerability through crafted non-UTF-8 input, leading to integrity issues in automated workflows relying on predictable filename generation.
The ln utility in uutils coreutils fails to process source paths containing non-UTF-8 filename bytes when using target-directory forms, rejecting valid filenames that GNU ln handles correctly. This logic error affects automated scripts and system tasks on Unix filesystems where non-UTF-8 filenames are common, causing denial of service for those specific operations. SSVC classifies exploitation as possible (POC available) but not automatable, with partial technical impact.
The comm utility in uutils coreutils silently corrupts binary and non-UTF-8 encoded file output by replacing invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD), diverging from GNU comm's byte-preserving behavior. This affects any user comparing files with legacy encodings or binary content, resulting in data integrity loss. A proof-of-concept demonstrating the lossy conversion exists, and a patch is available.
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.<br><br>This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users.
Two-factor authentication bypass in SonicWall SMA1000 SSL-VPN allows remote attackers with valid SSLVPN credentials to circumvent TOTP requirements via Unicode encoding manipulation. Affects SMA1000 versions 12.5.0-02283 and 12.4.3-03245 and earlier. Requires high-privilege (PR:H) authenticated access but enables complete authentication bypass (CVSS 7.2). Low EPSS score (0.03%, 10th percentile) indicates minimal observed exploitation likelihood. No public exploit code identified at time of analysis.