Skip to main content

Debusine EUVDEUVD-2026-35999

| CVE-2026-11853 MEDIUM
Improper Link Resolution Before File Access (CWE-59)
2026-06-10 debian GHSA-29fv-9q46-q5g2
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 10, 2026 - 19:30 vuln.today
CVSS changed
Jun 10, 2026 - 19:22 NVD
6.5 (MEDIUM)
Patch available
Jun 10, 2026 - 11:01 EUVD
CVE Published
Jun 10, 2026 - 09:10 nvd
UNKNOWN (no severity yet)

DescriptionNVD

Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Debian source packages (.dsc) and upload artifacts (.changes) are manifest files that name the files that make up the artifact. The parser used to read these files in Debusine accepted arbitrary fully user-controlled paths. The mergeuploads task could be abused to create arbitrary symbolic links on a worker, overwriting any file that the worker user has access to.

AnalysisAI

Arbitrary symlink creation in Debusine's mergeuploads task allows remote unauthenticated attackers to overwrite files accessible to the worker process. Affected versions 0.12.0 through 0.14.8 fail to sanitize fully user-controlled paths embedded in Debian manifest files (.dsc and .changes), enabling path traversal via CWE-59 link-following. Despite a CVSS network-accessible, no-auth vector, real-world risk is bounded by deployment context - exploitation requires the ability to submit packages to a Debusine instance. No public exploit identified at time of analysis and EPSS sits at 0.02% (4th percentile).

Technical ContextAI

Debusine is a Freexian-maintained platform for building, distributing, and maintaining Debian-based distributions. It processes Debian source package manifests (.dsc) and upload artifacts (.changes), which are structured text files listing constituent file paths. The vulnerability is rooted in CWE-59 (Improper Link Resolution Before File Access): the manifest parser accepted arbitrary, fully user-controlled file paths without canonicalization or containment checks. The mergeuploads task - responsible for combining upload artifacts on worker nodes - consumed these unsanitized paths and could be directed to create symbolic links pointing to arbitrary filesystem locations. The affected component is confirmed by CPE cpe:2.3:a:debian:debusine:*:*:*:*:*:*:*:* covering versions 0.12.0 through 0.14.8.

RemediationAI

Upgrade Debusine to version 0.14.9 or later, which includes the fix introduced in commit c24cdc49fb258714767546bdec5b09f8065d414e and merged via merge request !3103 at https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3103. The upstream fix is available from the vendor; a tagged patched release version is confirmed by the EUVD affected-versions range ending at 0.14.9. If immediate upgrade is not possible, operators should restrict who can submit .dsc and .changes files to the Debusine instance to trusted, authenticated parties only - this limits the attack surface since exploitation requires submitting crafted manifest files. Additionally, consider running worker processes under a dedicated low-privilege account to reduce the impact radius of any successful symlink overwrite. Neither workaround eliminates the underlying path traversal; they are compensating controls only until the patch is applied.

Share

EUVD-2026-35999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy