Savane
Monthly
Information disclosure in GNU Savane's file-serving layer (frontend/php/file.php) allows network-accessible, unauthenticated remote attackers to bypass file authorization controls by supplying untrusted user-controlled data that the application incorrectly treats as authoritative in its access decision logic. Affected installations span Savane 3.14 through 3.17, confirmed by EUVD-2026-38135 and acknowledged via an FSF public statement. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the AC:H CVSS rating suggests non-trivial exploitation rather than a trivially automated mass-scan scenario.
An issue was discovered in GNU Savane v.3.13 and before, allows a remote attacker to execute arbitrary code and escalate privileges via a crafted file to the upload.php component. Rated high severity (CVSS 7.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
An issue in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via the form_id in the form_header() function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross Site Request Forgery vulnerability in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via siteadmin/usergroup.php. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Insecure Direct Object Reference (IDOR) in GNU Savane v.3.12 and before allows a remote attacker to delete arbitrary files via crafted input to the trackers_data_delete_file function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Information disclosure in GNU Savane's file-serving layer (frontend/php/file.php) allows network-accessible, unauthenticated remote attackers to bypass file authorization controls by supplying untrusted user-controlled data that the application incorrectly treats as authoritative in its access decision logic. Affected installations span Savane 3.14 through 3.17, confirmed by EUVD-2026-38135 and acknowledged via an FSF public statement. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the AC:H CVSS rating suggests non-trivial exploitation rather than a trivially automated mass-scan scenario.
An issue was discovered in GNU Savane v.3.13 and before, allows a remote attacker to execute arbitrary code and escalate privileges via a crafted file to the upload.php component. Rated high severity (CVSS 7.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
An issue in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via the form_id in the form_header() function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross Site Request Forgery vulnerability in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via siteadmin/usergroup.php. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Insecure Direct Object Reference (IDOR) in GNU Savane v.3.12 and before allows a remote attacker to delete arbitrary files via crafted input to the trackers_data_delete_file function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.