Skip to main content

Savane

5 CVEs product

Monthly

CVE-2026-56355 LOW Monitor

Information disclosure in GNU Savane's file-serving layer (frontend/php/file.php) allows network-accessible, unauthenticated remote attackers to bypass file authorization controls by supplying untrusted user-controlled data that the application incorrectly treats as authoritative in its access decision logic. Affected installations span Savane 3.14 through 3.17, confirmed by EUVD-2026-38135 and acknowledged via an FSF public statement. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the AC:H CVSS rating suggests non-trivial exploitation rather than a trivially automated mass-scan scenario.

Information Disclosure Savane
NVD VulDB
CVSS 3.1
3.7
EPSS
0.3%
CVE-2024-29399 HIGH POC This Week

An issue was discovered in GNU Savane v.3.13 and before, allows a remote attacker to execute arbitrary code and escalate privileges via a crafted file to the upload.php component. Rated high severity (CVSS 7.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE Savane
NVD GitHub
CVSS 3.1
7.6
EPSS
0.9%
CVE-2024-27632 HIGH POC This Week

An issue in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via the form_id in the form_header() function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Savane
NVD GitHub
CVSS 3.1
8.8
EPSS
1.3%
CVE-2024-27631 MEDIUM POC PATCH This Month

Cross Site Request Forgery vulnerability in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via siteadmin/usergroup.php. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP CSRF Savane
NVD GitHub
CVSS 3.1
6.0
EPSS
0.4%
CVE-2024-27630 HIGH POC This Week

Insecure Direct Object Reference (IDOR) in GNU Savane v.3.12 and before allows a remote attacker to delete arbitrary files via crafted input to the trackers_data_delete_file function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Savane
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
EPSS 0% CVSS 3.7
LOW Monitor

Information disclosure in GNU Savane's file-serving layer (frontend/php/file.php) allows network-accessible, unauthenticated remote attackers to bypass file authorization controls by supplying untrusted user-controlled data that the application incorrectly treats as authoritative in its access decision logic. Affected installations span Savane 3.14 through 3.17, confirmed by EUVD-2026-38135 and acknowledged via an FSF public statement. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the AC:H CVSS rating suggests non-trivial exploitation rather than a trivially automated mass-scan scenario.

Information Disclosure Savane
NVD VulDB
EPSS 1% CVSS 7.6
HIGH POC This Week

An issue was discovered in GNU Savane v.3.13 and before, allows a remote attacker to execute arbitrary code and escalate privileges via a crafted file to the upload.php component. Rated high severity (CVSS 7.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

An issue in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via the form_id in the form_header() function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Savane
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

Cross Site Request Forgery vulnerability in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via siteadmin/usergroup.php. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP CSRF Savane
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Insecure Direct Object Reference (IDOR) in GNU Savane v.3.12 and before allows a remote attacker to delete arbitrary files via crafted input to the trackers_data_delete_file function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Savane
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy