These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-11853 is a vulnerability in Debusine, an integrated solution for building, distributing, and maintaining Debian-based distributions. The vulnerability allows for the creation of arbitrary symbolic links on a worker, potentially overwriting any file accessible to the worker user. This issue arises from the parser used to read Debian source packages (.dsc) and upload artifacts (.changes) accepting [truncated]
A medium-severity vulnerability was found in Debusine, an integrated solution for building, distributing, and maintaining Debian-based systems. The issue arises from the lack of proper permission checks in endpoints that manage relationships between artifacts. Specifically, the endpoints responsible for creating and deleting relationships between artifacts only require the ability to see the artifacts in [truncated]
CVE-2024-28085 is a low-severity local issue in util-linux wall where escape sequences passed via argv are not blocked, even though escape sequences from stdin are filtered. In environments where wall is installed with setgid tty permissions, that gap can allow terminal manipulation of other users’ sessions. The public record notes plausible scenarios that could contribute to account compromise, but the d [truncated]
CVE-2023-51385 is an OpenSSH client-side command injection issue published on 2023-12-18 and later updated in NVD on 2026-05-12. The problem affects OpenSSH versions before 9.6 when a user name or host name containing shell metacharacters is referenced through an expansion token in certain situations. The public example in the NVD description is an untrusted Git repository with a submodule that embeds a d [truncated]
CVE-2023-51384 is a medium-severity OpenSSH ssh-agent issue published on 2023-12-18. When destination constraints are added for PKCS#11-hosted private keys, ssh-agent may apply those constraints only to the first key returned by a token. That means later keys from the same token may not receive the intended destination restriction, reducing the protection those constraints are supposed to provide.
CVE-2019-11840 affects the amd64 implementation of golang.org/x/crypto's salsa20 code. After very large keystream generation, the implementation can begin producing incorrect output and then cycle back to previously generated keystream, which can undermine confidentiality in encryption use cases and predictability in CSPRNG use cases. The issue was publicly disclosed in 2019 and is fixed in the upstream c [truncated]
CVE-2016-5315 is a memory-safety issue in libtiff's setByteArray function that can trigger an out-of-bounds read when a crafted TIFF image is processed, resulting in denial of service. NVD assigns it CVSS 3.0 5.5 MEDIUM (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) and maps it to CWE-125.
CVE-2016-10244 is a FreeType font-parsing vulnerability in parse_charstrings that can read past heap memory when processing a crafted font missing a glyph name. NVD rates the issue HIGH and lists impact on confidentiality, integrity, and availability, although the CVSS vector also indicates user interaction is required. Systems that ingest untrusted fonts or ship bundled FreeType builds should prioritize patching.
CVE-2017-6500 affects ImageMagick 6.9.7 and is described as a heap-based buffer over-read triggered by a specially crafted sun file. NVD rates it Medium (CVSS 5.5) with local attack requirements and user interaction needed, and the primary impact is availability. If your environment processes untrusted image uploads or includes the affected ImageMagick build, this is worth patching and validating through [truncated]
CVE-2017-6499 is a denial-of-service issue in Magick++ for ImageMagick 6.9.7. According to NVD, a specially crafted file can create a nested exception that leads to a memory leak, which can exhaust resources and disrupt service availability. NVD rates the issue as CVSS 3.0 5.5 (Medium) with availability impact high. Debian references the issue in DSA-3808, and the ImageMagick project published a patch com [truncated]
CVE-2017-6498 is a denial-of-service issue in ImageMagick 6.9.7 affecting TGA file handling. According to the CVE and NVD record, incorrectly formed TGA files can trigger assertion failures during image processing, causing the application to stop or become unavailable. NVD classifies the issue as medium severity and notes a local, user-interaction-dependent attack path.
CVE-2017-5356 affects Irssi before 0.8.21. A remote attacker can trigger a denial of service by sending a string that includes the formatting sequence "%[" without a closing "]", which leads to an out-of-bounds read and a crash. The NVD CVSS vector rates the issue as high severity because it is network-reachable, requires no privileges or user interaction, and fully impacts availability.
CVE-2017-5194 is a high-severity use-after-free in Irssi before 0.8.21. According to the NVD record, a remote attacker can trigger a denial of service by sending an invalid nick message, and the issue is classified as CWE-416. The practical takeaway is simple: if you run or package Irssi, make sure you are on 0.8.21 or later and apply the vendor and distribution advisories linked below.
CVE-2017-5193 is a remotely triggerable denial-of-service issue in Irssi versions before 0.8.21. A message without a nick can drive the nickcmp function into a NULL pointer dereference, crashing the client. The published record classifies this as a high-severity availability problem with no evidence in the corpus of data exposure or code execution.
CVE-2017-5946 is a critical directory traversal issue in rubyzip's Zip::File component. If an application accepts untrusted ZIP uploads and processes them with affected versions, a crafted archive can use "../" path substrings to write files outside the intended extraction location. NVD rates the issue 9.8 with network access, no privileges, and no user interaction, so services that handle user-supplied a [truncated]
CVE-2017-6310 is a high-severity memory-corruption issue in tnef versions before 1.4.13. According to NVD, four type confusions in file_add_mapi_attrs() can lead to attacker-controlled invalid read and write operations. The published CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating exploitation requires user interaction and can still have serious confidentiality, integrity, and availability impact.
CVE-2017-6309 is a memory-corruption vulnerability in tnef before 1.4.13. NVD describes two type confusions in parse_file() that can lead to attacker-controlled invalid read and write operations. The official severity is High (CVSS 7.8), but exploitation requires local access and user interaction, so the main risk is to systems that process untrusted TNEF content or that ship affected tnef packages.
CVE-2017-6308 is a memory-corruption issue in tnef versions before 1.4.13. According to NVD, several integer overflows in memory-allocation wrapper functions can lead to heap overflows, creating a high-risk exposure when processing untrusted TNEF content. The vulnerability was published on 2017-02-24 and is scored CVSS 7.8 (High).
CVE-2017-6307 is a high-severity memory corruption issue in tnef before 1.4.13. NVD describes two out-of-bounds writes in src/mapi_attr.c:mapi_attr_read(), with attacker-controlled input potentially leading to invalid read and write operations. The available references indicate that upstream and downstream maintainers issued fixes and advisories, so the main defensive priority is to identify affected vers [truncated]
CVE-2017-6306 is a directory traversal vulnerability in ytnef, affecting versions before 1.9.1. The flaw is tied to filename handling in settings.c (SanitizeFilename), where an attacker could influence path construction and potentially write files outside the intended directory. NVD rates the issue HIGH with a CVSS 3.0 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Public references include Debian, the up [truncated]
CVE-2017-6305 is a high-severity memory-safety issue in ytnef, described by NVD as an out-of-bounds read and write in versions before 1.9.1. The NVD record also ties the issue to Debian-packaged ytnef on Debian 8.0 and 9.0. Because the attack requires local execution conditions and user interaction, the most important defense is to move to a fixed ytnef release and ensure vendor updates are applied on aff [truncated]
CVE-2017-6304 affects ytnef and describes an out-of-bounds read in releases before 1.9.1. NVD rates the issue 7.8 (High) with local attack conditions and required user interaction, so systems that process untrusted input through ytnef should treat it as a serious patching priority.
CVE-2017-6303 is a high-severity memory-corruption issue in ytnef. NVD describes it as an invalid write and integer overflow in versions before 1.9.1, with affected CPEs for ytnef through 1.9 and Debian 8.0/9.0 packages. Because the attack surface includes user interaction and can impact confidentiality, integrity, and availability, systems that process TNEF content through ytnef should be prioritized for [truncated]
CVE-2017-6302 is an integer overflow in ytnef before 1.9.1. NVD rates the issue 7.8 HIGH with a local, low-privilege attack profile and high potential impact to confidentiality, integrity, and availability. The record ties the problem to a patch described as "5 of 9. Integer Overflow" and lists ytnef plus Debian 8.0/9.0 CPEs among the affected entries.
CVE-2017-6301 is a high-severity out-of-bounds read in ytnef, the TNEF parsing utility. NVD classifies it as CWE-125 with a CVSS 3.0 score of 7.8, and the attack conditions require local access plus user interaction, but the impact can still be high across confidentiality, integrity, and availability. Because the supplied source corpus shows a version-boundary mismatch between the CVE description and NVD [truncated]
CVE-2017-6300 is a high-severity buffer overflow in ytnef, fixed before version 1.9.1. The issue is associated with the version field handling in lib/tnef-types.h and is classified by NVD as CWE-119. Because the CVSS vector includes user interaction, defenders should treat this as a dangerous parsing flaw that can be triggered when a user processes untrusted TNEF content.
CVE-2017-6299 is a medium-severity denial-of-service issue in ytnef before 1.9.1. NVD describes it as an infinite loop in the TNEFFillMapi function in lib/ytnef.c, with a CVSS 3.0 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The supplied references show coordinated remediation through upstream patch discussion and vendor advisories, including Debian and X41.
CVE-2017-6298 affects ytnef before 1.9.1 and is described as a null pointer dereference caused by an unchecked calloc return value (CWE-476). The NVD record assigns CVSS v3.0 7.8 High and indicates local attack conditions with required user interaction. Organizations using ytnef directly or through downstream packages should prioritize updating to a fixed release.
CVE-2016-1245 is a critical memory-corruption flaw in Quagga’s zebra daemon. While processing IPv6 Neighbor Discovery traffic, the code relied on BUFSIZ as if it were a safe match for message size; because BUFSIZ is system-dependent, that assumption could lead to a stack-based buffer overflow and high-impact compromise or disruption.
CVE-2017-6014 is a high-severity availability flaw in Wireshark’s STANAG 4607 parser. A crafted or malformed capture file can cause an infinite loop when a packet header’s size field is null, so the parser never advances its read offset and repeatedly processes the same zero-length packet until memory is exhausted. The NVD record maps affected Wireshark versions up to 2.2.4 and cites CWE-835.
CVE-2016-9955 affects SimpleSAMLphp before 1.14.11. The issue is in the SimpleSAML_XML_Validator class constructor and stems from improper conversion of return values to boolean. According to the official descriptions, that flaw may let a remote attacker spoof signatures on SAML 1 responses or cause denial of service through memory consumption. NVD rates the issue MEDIUM with a CVSS v3.0 score of 6.3.
CVE-2016-8692 is a denial-of-service vulnerability in JasPer’s JPEG 2000 decoder path. A crafted BMP image with an abnormal YRsiz value can trigger a divide-by-zero in jpc_dec_process_siz, causing the imginfo command to crash. The issue is tracked as CWE-369 and affects JasPer versions before 1.900.4.
CVE-2016-8691 affects JasPer before 1.900.4 and can crash the imginfo command when it processes a crafted BMP image with a malicious XRsiz value. The issue is a denial of service only: the supplied NVD record classifies the weakness as CWE-369 and the CVSS impact as availability loss, not code execution or data theft.
CVE-2016-8684 affects GraphicsMagick 1.3.25 when a crafted image triggers MagickMalloc in magick/memory.c to fail, leading to a truncation/error path described by NVD as a memory-safety issue (CWE-119). The CVE record was published on 2017-02-15, while the supplied references show patch and advisory activity in 2016 across upstream, distro, and community sources. NVD rates the issue CVSS 7.8 High.
CVE-2016-8683 covers a flaw in GraphicsMagick 1.3.25’s ReadPCXImage function for PCX files. A crafted image can trigger a memory allocation failure and a file truncation error, which NVD classifies under CWE-119 and scores as high severity. The CVE text describes remote attacker impact, while the NVD CVSS vector indicates local access with user interaction is required; either way, the issue is security-re [truncated]
CVE-2016-8682 describes a memory-safety flaw in GraphicsMagick 1.3.25: the ReadSCTImage function in coders/sct.c can read out of bounds when it processes a crafted SCT header. The published impact is denial of service, and NVD rates the issue High with a network attack vector, no privileges, and no user interaction. Public advisories and patch references were circulating in 2016, while the CVE record was [truncated]
CVE-2015-8979 is a remotely triggerable memory-safety flaw in dcmtk’s storescp service that can crash the DICOM listener with a segmentation fault. NVD rates it HIGH because it is network-accessible, requires no authentication, and can be triggered by sending a long string to TCP port 4242.
CVE-2017-5991 is a high-severity denial-of-service issue in Artifex MuPDF. The vulnerable code path is in pdf_run_xobject within pdf-op-run.c, where a NULL pointer dereference can occur during a Fitz painting operation. NVD rates the issue 7.5/HIGH with no confidentiality or integrity impact and availability impact only. The CVE record says versions 1.11 and later are not affected.
CVE-2017-5847 is a remotely triggerable denial-of-service issue in GStreamer's ASF demuxer code. The vulnerable function, gst_asf_demux_process_ext_content_desc in gst/asfdemux/gstasfdemux.c, can read past the bounds of heap memory while processing extended content descriptors. NVD rates the issue as high availability impact with network access and no authentication or user interaction required (CVSS 3.1: [truncated]
CVE-2016-9532 is a file-processing flaw in LibTIFF’s tiffcrop utility. A crafted TIFF file can trigger an integer overflow in writeBufferToSeparateStrips, leading to an out-of-bounds read and a denial-of-service condition. The NVD record lists the issue as medium severity and indicates user interaction is required to process the malicious file.
CVE-2016-7798 is a high-severity weakness in the Ruby openssl gem and related Debian packages that ship it. According to NVD, when AES-GCM is used and the IV is set before the key, the library can reuse the same IV, which undermines the protection that GCM is meant to provide. The issue was publicly disclosed through mailing list discussion and a patch reference in 2016, and the CVE was published on 2017-01-30.
CVE-2017-5612 is a cross-site scripting issue in WordPress’ admin posts list table. According to the NVD record, a crafted excerpt could inject arbitrary web script or HTML into the posts list view, and the vulnerable WordPress range extends through 4.7.1. WordPress 4.7.2 is the cited security release that addressed the issue.
CVE-2017-5610 is a WordPress core information-disclosure issue in Press This. Before WordPress 4.7.2, the taxonomy-assignment user interface in wp-admin/includes/class-wp-press-this.php did not properly restrict visibility, allowing remote attackers to read terms they should not have been able to access. NVD rates the issue CVSS 5.3 (medium) with network access, no privileges, and no user interaction requ [truncated]
CVE-2016-9453 is an out-of-bounds write flaw in LibTIFF's t2p_readwrite_pdf_image_tile function. The issue can lead to a crash and, according to the CVE description, may also permit arbitrary code execution when processing a crafted JPEG file with a TIFFTAG_JPEGTABLES value of length one. NVD rates the issue HIGH with CVSS 7.8 and lists a local, user-interactive attack vector.
CVE-2015-8971 is a command-execution issue in Terminology 0.7.0. According to the NVD record, crafted escape sequences can alter the window title and then be written back to the terminal in a way that allows arbitrary command execution. The issue is rated HIGH by NVD and is tied to both the Terminology application and Debian Linux 8.0 package metadata in the CVE record.
CVE-2016-7906 is a denial-of-service flaw in ImageMagick’s magick/attribute.c caused by a use-after-free. In practical terms, a crafted file can trigger a crash when it is processed by a vulnerable build. NVD assigns a medium severity score (CVSS 5.5) and records a vector that requires user interaction, so the main risk is availability loss in systems that accept untrusted image content.