Skip to main content

CWE-69

Improper Handling of Windows ::DATA Alternate Data Stream

3 CVEs Avg CVSS 7.1 MITRE
0
CRITICAL
2
HIGH
1
MEDIUM
0
LOW
1
POC
0
KEV

Monthly

CVE-2026-52792 Go HIGH PATCH GHSA This Week

Source-code disclosure in the Algernon web/application server (Go, xyproto/algernon, tested at v1.17.8) lets an unauthenticated remote client retrieve the raw source of any public-path server-side script on Windows hosts by appending an NTFS-equivalent suffix (::$DATA, a trailing dot, or a trailing space) to the URL. Because filepath.Ext() does an exact suffix match, these forms are not recognized as .lua/.tl/.po2/.amber/.frm and fall through to the raw-file branch, while NTFS canonicalizes the name back to the real script, exposing embedded database credentials and the SetCookieSecret value used to forge session cookies. Publicly available exploit code exists (full PoC in the GitHub advisory); no public exploit identified as actively exploited and this is not in CISA KEV.

PostgreSQL Apple Microsoft Information Disclosure
NVD GitHub
CVE-2025-3941 MEDIUM This Month

Improper Handling of Windows ::DATA Alternate Data Stream vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Input Data Manipulation.14.2,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Niagara Niagara Enterprise Security Windows
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-43033 HIGH POC This Week

JPress through 5.1.1 on Windows has an arbitrary file upload vulnerability that could cause arbitrary code execution via ::$DATA to AttachmentController, such as a .jsp::$DATA file to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE Microsoft Jpress
NVD GitHub
CVSS 3.1
8.8
EPSS
1.0%
HIGH PATCH This Week

Source-code disclosure in the Algernon web/application server (Go, xyproto/algernon, tested at v1.17.8) lets an unauthenticated remote client retrieve the raw source of any public-path server-side script on Windows hosts by appending an NTFS-equivalent suffix (::$DATA, a trailing dot, or a trailing space) to the URL. Because filepath.Ext() does an exact suffix match, these forms are not recognized as .lua/.tl/.po2/.amber/.frm and fall through to the raw-file branch, while NTFS canonicalizes the name back to the real script, exposing embedded database credentials and the SetCookieSecret value used to forge session cookies. Publicly available exploit code exists (full PoC in the GitHub advisory); no public exploit identified as actively exploited and this is not in CISA KEV.

PostgreSQL Apple Microsoft +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Improper Handling of Windows ::DATA Alternate Data Stream vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Input Data Manipulation.14.2,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Niagara +2
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

JPress through 5.1.1 on Windows has an arbitrary file upload vulnerability that could cause arbitrary code execution via ::$DATA to AttachmentController, such as a .jsp::$DATA file to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE Microsoft +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy