A command injection vulnerability in Northern.tech CFEngine Enterprise and Community allows unauthenticated remote attackers to execute arbitrary commands on affected systems. The vulnerability stems from improper neutralization of special elements used in OS commands (CWE-77). Affected versions include all Enterprise and Community editions prior to 3.21.8, versions 3.24.0 through 3.24.2, and version 3.26 [truncated]
Northern.tech CFEngine Enterprise contains an incorrect access control vulnerability (CWE-284) affecting multiple versions prior to 3.21.8, 3.24.3, and 3.27.0. The vulnerability, published on 2026-05-14 and last modified on 2026-05-19, has a CVSS 3.1 score of 5.3 (Medium severity) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating a network-based attack vector with low attack complexity, no pr [truncated]
A cross-site scripting (XSS) vulnerability exists in Northern.tech CFEngine Enterprise versions prior to 3.21.8, 3.24.3, and 3.27.0. The vulnerability, published on 2026-05-14 and last modified on 2026-05-19, allows attackers to inject malicious scripts into web pages viewed by other users. With a CVSS 3.1 score of 6.1 (MEDIUM severity), the attack vector is network-based with low attack complexity, requi [truncated]