Search CVE reports

1 – 10 of 21 results

Detailed view

Sort by:

CVE-2024-39331

Medium priority

Some fixes available 5 of 24

In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.

6 affected packages

emacs, emacs24, emacs25, org-mode, xemacs21, xemacs21-packages

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
emacs	Fixed	Fixed	Fixed	—	—
emacs24	Not in release	Not in release	Not in release	—	Fixed
emacs25	Not in release	Not in release	Not in release	Fixed	—
org-mode	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
xemacs21	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
xemacs21-packages	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation

CVE-2024-30205

Medium priority

Some fixes available 4 of 23

In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23.

6 affected packages

emacs, emacs24, emacs25, org-mode, xemacs21, xemacs21-packages

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
emacs	Not affected	Fixed	Fixed	—	—
emacs24	Not in release	Not in release	Not in release	—	Fixed
emacs25	Not in release	Not in release	Not in release	Fixed	—
org-mode	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
xemacs21	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
xemacs21-packages	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation

CVE-2024-30204

Medium priority

Some fixes available 4 of 17

In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments.

5 affected packages

emacs, emacs24, emacs25, xemacs21, xemacs21-packages

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
emacs	Not affected	Fixed	Fixed	—	—
emacs24	Not in release	Not in release	Not in release	—	Fixed
emacs25	Not in release	Not in release	Not in release	Fixed	—
xemacs21	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
xemacs21-packages	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation

CVE-2024-30203

Medium priority

Some fixes available 4 of 17

In Emacs before 29.3, Gnus treats inline MIME contents as trusted.

5 affected packages

emacs, emacs24, emacs25, xemacs21, xemacs21-packages

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
emacs	Not affected	Fixed	Fixed	—	—
emacs24	Not in release	Not in release	Not in release	—	Fixed
emacs25	Not in release	Not in release	Not in release	Fixed	—
xemacs21	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
xemacs21-packages	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation

CVE-2024-30202

Medium priority

Needs evaluation

In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23.

6 affected packages

emacs, emacs24, emacs25, org-mode, xemacs21, xemacs21-packages

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
emacs	Needs evaluation	Needs evaluation	Needs evaluation	—	—
emacs24	Not in release	Not in release	Not in release	—	Needs evaluation
emacs25	Not in release	Not in release	Not in release	Needs evaluation	—
org-mode	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
xemacs21	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
xemacs21-packages	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation

A flaw was found in the Emacs text editor. Processing a specially crafted org-mode code with the "org-babel-execute:latex" function in ob-latex.el can result in arbitrary command execution. This CVE exists because of...

6 affected packages

emacs, emacs23, emacs24, emacs25, xemacs21, xemacs21-packages

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
emacs	—	Not affected	Not affected	Not in release	Ignored
emacs23	—	Not in release	Not in release	Not in release	Not in release
emacs24	—	Not in release	Not in release	Not in release	Not affected
emacs25	—	Not in release	Not in release	Not affected	Not in release
xemacs21	—	Not affected	Not affected	Not affected	Not affected
xemacs21-packages	—	Not affected	Not affected	Not affected	Not affected

CVE-2023-28617

Medium priority

Some fixes available 4 of 31

org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.

7 affected packages

emacs, emacs23, emacs24, emacs25, org-mode...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
emacs	Not affected	Fixed	Fixed	Not in release	Ignored
emacs23	—	Not in release	Not in release	Not in release	Not in release
emacs24	—	Not in release	Not in release	Not in release	Fixed
emacs25	—	Not in release	Not in release	Fixed	Not in release
org-mode	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
xemacs21	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
xemacs21-packages	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation

CVE-2023-27986

Medium priority

Needs evaluation

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto: URI with unescaped double-quote characters. It is fixed in 29.0.90.

6 affected packages

emacs, emacs23, emacs24, emacs25, xemacs21, xemacs21-packages

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
emacs	Not affected	Not affected	Not affected	Not in release	Ignored
emacs23	—	Not in release	Not in release	Not in release	Not in release
emacs24	—	Not in release	Not in release	Not in release	Not affected
emacs25	—	Not in release	Not in release	Not affected	Not in release
xemacs21	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
xemacs21-packages	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation

CVE-2023-27985

Medium priority

Needs evaluation

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is fixed in 29.0.90

6 affected packages

emacs, emacs23, emacs24, emacs25, xemacs21, xemacs21-packages

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
emacs	Not affected	Not affected	Not affected	Not in release	Ignored
emacs23	—	Not in release	Not in release	Not in release	Not in release
emacs24	—	Not in release	Not in release	Not in release	Not affected
emacs25	—	Not in release	Not in release	Not affected	Not in release
xemacs21	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
xemacs21-packages	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation

CVE-2022-48339

Medium priority

Some fixes available 4 of 21

An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not...

6 affected packages

emacs, emacs23, emacs24, emacs25, xemacs21, xemacs21-packages

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
emacs	Not affected	Fixed	Fixed	Not in release	Ignored
emacs23	—	Not in release	Not in release	Not in release	Not in release
emacs24	—	Not in release	Not in release	Not in release	Fixed
emacs25	—	Not in release	Not in release	Fixed	Not in release
xemacs21	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation
xemacs21-packages	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation

Export to JSON

Results by page: