SB2026042825 - Fedora 42 update for nextcloud

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026042825

SB2026042825 - Fedora 42 update for nextcloud

Published: April 28, 2026

Security Bulletin ID SB2026042825
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2026-2391)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due the arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled. A remote attacker can pass overly large string to the application and consume all available memory resources, leading to a denial of service condition.



2) Origin validation error (CVE-ID: CVE-2026-30964)

CWE-ID: CWE-346 - Origin Validation Error

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass exact origin validation.

The vulnerability exists due to an origin validation error in CheckAllowedOrigins when processing configured allowed origins and clientDataJSON.origin values. A remote attacker can supply a crafted origin value to bypass exact origin validation.

User interaction is required, and the issue affects deployments that use the allowed_origins feature.


3) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-32935)

CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to observable timing discrepancy in AES-CBC unpadding when processing ciphertext in CBC mode. A remote attacker can send specially crafted ciphertext and measure response timing to disclose sensitive information.


4) Cross-site scripting (CVE-ID: CVE-2026-33916)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation in resolvePartial() and invokePartial() in the Handlebars runtime when rendering a partial whose name is resolved through a polluted prototype chain. A remote attacker can pollute Object.prototype with a string value matching a partial reference to execute arbitrary script code in a victim's browser.

Exploitation requires a prototype pollution condition in the target application and user interaction to render a template that references the attacker-chosen partial name. The injected partial content is rendered without HTML escaping, which can result in reflected or stored cross-site scripting.


Remediation

Install update from vendor's website.

References