SB2026061916 - Fedora 42 update for nextcloud



SB2026061916 - Fedora 42 update for nextcloud

Published: June 19, 2026

Security Bulletin ID SB2026061916
CSH Severity
High
Patch available
YES
Number of vulnerabilities 12
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 42% Low 8%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 12 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2026-33916)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation in resolvePartial() and invokePartial() in the Handlebars runtime when rendering a partial whose name is resolved through a polluted prototype chain. A remote attacker can pollute Object.prototype with a string value matching a partial reference to execute arbitrary script code in a victim's browser.

Exploitation requires a prototype pollution condition in the target application and user interaction to render a template that references the attacker-chosen partial name. The injected partial content is rendered without HTML escaping, which can result in reflected or stored cross-site scripting.


2) Code Injection (CVE-ID: CVE-2026-33937)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in Handlebars.compile() and the JavaScript code generator when processing a crafted pre-parsed AST object. A remote attacker can supply a crafted AST with a malicious NumberLiteral value to execute arbitrary code.

The issue affects cases where user-controlled JSON or other untrusted input is deserialized and passed directly to compile() as an AST object instead of a template string, and no user interaction is required.


3) Code Injection (CVE-ID: CVE-2026-33938)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to code injection through type confusion in the @partial-block handling and dynamic compilation fallback when processing a tampered @partial-block value during partial invocation. A remote attacker can overwrite @partial-block with a crafted Handlebars AST to execute arbitrary code.

The issue affects handlebars.js when templates can reach and mutate the data frame, and a subsequent {{> @partial-block}} causes the crafted AST to be compiled and executed in the server process.


4) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-33939)

CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper check for unusual or exceptional conditions in template compilation in lib/handlebars/compiler/javascript-compiler.js when processing user-supplied templates containing decorator syntax that references an unregistered decorator. A remote attacker can submit a specially crafted template to cause a denial of service.

The issue occurs because the compiled template invokes the result of lookupProperty(decorators, ...) as a function even when it is undefined, leading to an unhandled TypeError that can crash the Node.js process. It affects applications that compile user-supplied templates at request time.


5) Code Injection (CVE-ID: CVE-2026-33940)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation caused by type confusion in dynamic partial handling in lib/handlebars/runtime.js when processing a dynamic partial lookup that returns a crafted object from the template context. A remote attacker can supply a crafted object as the looked-up dynamic partial value to execute arbitrary code.

The issue affects server-side rendering scenarios in which user-controlled context data can be returned by a dynamic partial lookup, such as {{> (lookup . "key")}}. Exploitation requires control over a value returned by the dynamic partial lookup.


6) Code Injection (CVE-ID: CVE-2026-33941)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a local user to execute arbitrary JavaScript code.

The vulnerability exists due to improper neutralization of user-controlled input in the Handlebars CLI precompiler when generating JavaScript output from template file names and CLI options. A local user can supply specially crafted template names or option values to execute arbitrary JavaScript code.

The issue affects bin/handlebars and lib/precompiler.js through multiple injection points involving template names, namespace values, CommonJS paths, and AMD paths, and the injected code executes when the generated bundle is loaded in Node.js or a browser. User interaction is required to load the generated bundle.


7) Code Injection (CVE-ID: CVE-2026-4800)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in _.template when processing untrusted options.imports key names. A remote attacker can supply crafted imports key names to execute arbitrary code.

Code execution occurs at template compilation time. If Object.prototype has been polluted by another vector, inherited polluted keys can also be copied into the imports object and passed to Function().


8) Resource exhaustion (CVE-ID: CVE-2026-39865)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the HTTP/2 session cleanup logic contains a state corruption bug. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


9) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-62718)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to conduct server-side request forgery and disclose sensitive information.

The vulnerability exists due to improper hostname normalization in NO_PROXY rule evaluation when processing attacker-controlled request URLs. A remote attacker can supply a crafted URL using forms such as localhost. or [::1] to conduct server-side request forgery and disclose sensitive information.

Applications that rely on NO_PROXY entries for loopback or internal services are affected.


10) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-40194)

CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to disclose limited security-sensitive information via a timing side channel.

The vulnerability exists due to observable timing discrepancy in SSH2::get_binary_packet() in phpseclib/Net/SSH2.php when verifying received SSH packet HMAC values. A remote attacker can send specially crafted SSH packets to disclose limited security-sensitive information via a timing side channel.

The vulnerable code path is reached for non-AEAD cipher and MAC combinations, while AEAD cipher modes use a different authentication path.


11) HTTP response splitting (CVE-ID: CVE-2026-40175)

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists due to software does not correclty process CRLF character sequences. A remote attacker can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response.

Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.


12) HTTP response splitting (CVE-ID: CVE-2026-42035)

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary HTTP headers into outgoing requests.

The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in lib/adapters/http.js when processing data payloads in HTTP requests after a polluted object prototype causes plain objects to be treated as FormData instances. A remote attacker can pollute Object.prototype so that an attacker-controlled getHeaders() function is invoked to inject arbitrary HTTP headers into outgoing requests.

Exploitation requires a prototype pollution primitive somewhere in the application's dependency chain and the application must use Axios to send requests with a data payload such as POST, PUT, or PATCH.


Remediation

Install update from vendor's website.