Inclusion of Functionality from Untrusted Control Sphere in Netatalk - #VU132264

Published: May 25, 2026


Vulnerability identifier: #VU132264
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-829
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Netatalk
Affected software:
Netatalk

Detailed vulnerability description

The vulnerability allows a remote attacker who controls the upstream script source or its delivery path to execute arbitrary code during the image build process and inject code into published container images.

The vulnerability exists due to inclusion of functionality from an untrusted control sphere in distrib/docker/webmin_module.Dockerfile: during the Docker image build, a setup script is downloaded from the mutable upstream master branch and executed without being pinned to an immutable revision. A remote privileged user who compromises the upstream repository or the script delivery path can therefore inject code into published container images.

The downloaded script is executed as root during the build, so anything it installs or modifies is baked into the published netatalk/webmin images.
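The unsafe pattern the advisory describes is a build step that fetches a script from a branch tip and executes it, so whoever can change the branch (or the path between it and the build host) controls root in the build. The hardened shape is: fetch from an immutable revision, verify a SHA-256 that was pinned when the script was reviewed, and execute only on a match. The following is an added example, not Netatalk's Dockerfile or project code; the URL, file names and script contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not taken from Netatalk's Dockerfile: the fetch-verify-execute
# pattern that replaces "download a script from a branch tip and run it as root".
# The URL, file names and script contents below are constructed for illustration.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE (sha256sum on Linux, shasum elsewhere).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# run_pinned_script FILE EXPECTED_HEX: execute FILE only after its hash matches.
# A script whose contents drifted (branch moved, mirror tampered) is refused.
run_pinned_script() {
  if ! verify_sha256 "$1" "$2"; then
    echo "refusing to execute $1: SHA-256 does not match pinned value" >&2
    return 1
  fi
  sh "$1"
}

# fetch_pinned_script RAW_URL_AT_COMMIT OUT_FILE EXPECTED_HEX: download from a URL
# that names an immutable commit hash (not a branch or tag), then verify before use.
# Needs network; the offline demo below does not call it.
fetch_pinned_script() {
  curl -fsSL "$1" -o "$2"
  verify_sha256 "$2" "$3"
}

# Offline demo with a constructed setup script. The pinned hash is computed from
# the known-good copy here; a real build hard-codes the hash in the Dockerfile.
demo() {
  tmp=$(mktemp)
  printf 'echo "setup script ran"\n' > "$tmp"
  pinned=$(sha256_of "$tmp")          # value an operator records at review time
  run_pinned_script "$tmp" "$pinned"  # hash matches: the script runs
  printf 'echo "injected payload"\n' >> "$tmp"   # simulate an upstream change
  if run_pinned_script "$tmp" "$pinned"; then
    echo "BUG: tampered script was executed" >&2
    rm -f "$tmp"
    return 1
  fi
  rm -f "$tmp"
  echo "tampered script was refused"
}

demo
```

In a Dockerfile the same control collapses into one step of the form `RUN curl -fsSL <raw URL at a commit hash> -o /tmp/setup.sh && echo "<pinned sha256>  /tmp/setup.sh" | sha256sum -c - && sh /tmp/setup.sh`, so the build fails closed if upstream changes. Pin by commit hash rather than by tag, since tags can be moved, and remember that the hash only binds the build to the content that was reviewed; it says nothing about whether that content was benign, so review the script at the time it is pinned.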


Remediation

Install security update from vendor's website. Because the issue is in the image build recipe, images built before the fix remain affected until they are rebuilt from the corrected Dockerfile.

Sources