Search CVE reports
1 – 10 of 18 results
CVE-2023-2491
Medium priorityA flaw was found in the Emacs text editor. Processing a specially crafted org-mode code with the "org-babel-execute:latex" function in ob-latex.el can result in arbitrary command execution. This CVE exists because of...
6 affected packages
emacs, emacs23, emacs24, emacs25, xemacs21, xemacs21-packages
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| emacs | — | Not affected | Not affected | Not in release | Ignored |
| emacs23 | — | Not in release | Not in release | Not in release | Not in release |
| emacs24 | — | Not in release | Not in release | Not in release | Not affected |
| emacs25 | — | Not in release | Not in release | Not affected | Not in release |
| xemacs21 | — | Not affected | Not affected | Not affected | Not affected |
| xemacs21-packages | — | Not affected | Not affected | Not affected | Not affected |
CVE-2023-28617
Medium prioritySome fixes available 4 of 34
org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.
7 affected packages
emacs, emacs23, emacs24, emacs25, org-mode...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| emacs | Not affected | Fixed | Fixed | Not in release | Ignored |
| emacs23 | — | Not in release | Not in release | Not in release | Not in release |
| emacs24 | — | Not in release | Not in release | Not in release | Fixed |
| emacs25 | — | Not in release | Not in release | Fixed | Not in release |
| org-mode | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| xemacs21 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| xemacs21-packages | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2023-27986
Medium priorityemacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto: URI with unescaped double-quote characters. It is fixed in 29.0.90.
6 affected packages
emacs, emacs23, emacs24, emacs25, xemacs21, xemacs21-packages
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| emacs | Not affected | Not affected | Not affected | Not in release | Ignored |
| emacs23 | — | Not in release | Not in release | Not in release | Not in release |
| emacs24 | — | Not in release | Not in release | Not in release | Not affected |
| emacs25 | — | Not in release | Not in release | Not affected | Not in release |
| xemacs21 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| xemacs21-packages | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2023-27985
Medium priorityemacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is fixed in 29.0.90
6 affected packages
emacs, emacs23, emacs24, emacs25, xemacs21, xemacs21-packages
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| emacs | Not affected | Not affected | Not affected | Not in release | Ignored |
| emacs23 | — | Not in release | Not in release | Not in release | Not in release |
| emacs24 | — | Not in release | Not in release | Not in release | Not affected |
| emacs25 | — | Not in release | Not in release | Not affected | Not in release |
| xemacs21 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| xemacs21-packages | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2022-48339
Medium prioritySome fixes available 4 of 23
An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not...
6 affected packages
emacs, emacs23, emacs24, emacs25, xemacs21, xemacs21-packages
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| emacs | Not affected | Fixed | Fixed | Not in release | Ignored |
| emacs23 | — | Not in release | Not in release | Not in release | Not in release |
| emacs24 | — | Not in release | Not in release | Not in release | Fixed |
| emacs25 | — | Not in release | Not in release | Fixed | Not in release |
| xemacs21 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| xemacs21-packages | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2022-48338
Medium prioritySome fixes available 1 of 20
An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c...
6 affected packages
emacs, emacs23, emacs24, emacs25, xemacs21, xemacs21-packages
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| emacs | Not affected | Fixed | Not affected | Not in release | Ignored |
| emacs23 | — | Not in release | Not in release | Not in release | Not in release |
| emacs24 | — | Not in release | Not in release | Not in release | Not affected |
| emacs25 | — | Not in release | Not in release | Not affected | Not in release |
| xemacs21 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| xemacs21-packages | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2022-48337
Medium prioritySome fixes available 4 of 23
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For...
6 affected packages
emacs, emacs23, emacs24, emacs25, xemacs21, xemacs21-packages
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| emacs | Not affected | Fixed | Fixed | Not in release | Ignored |
| emacs23 | — | Not in release | Not in release | Not in release | Not in release |
| emacs24 | — | Not in release | Not in release | Not in release | Fixed |
| emacs25 | — | Not in release | Not in release | Fixed | Not in release |
| xemacs21 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| xemacs21-packages | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2022-45939
Medium prioritySome fixes available 4 of 23
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For...
6 affected packages
emacs, emacs23, emacs24, emacs25, xemacs21, xemacs21-packages
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| emacs | Not affected | Fixed | Fixed | Not in release | Ignored |
| emacs23 | — | Not in release | Not in release | Not in release | Not in release |
| emacs24 | — | Not in release | Not in release | Not in release | Fixed |
| emacs25 | — | Not in release | Not in release | Fixed | Not in release |
| xemacs21 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| xemacs21-packages | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2017-1000383
Low priorityGNU Emacs version 25.3.1 (and other versions most likely) ignores umask when creating a backup save file ("[ORIGINAL_FILENAME]~") resulting in files that may be world readable or otherwise accessible in ways not intended by the...
3 affected packages
emacs23, emacs24, emacs25
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| emacs23 | — | — | — | Not in release | Not in release |
| emacs24 | — | — | — | Not in release | Ignored |
| emacs25 | — | — | — | Ignored | Not in release |
CVE-2017-14482
Medium prioritySome fixes available 3 of 4
GNU Emacs before 25.3 allows remote attackers to execute arbitrary code via email with crafted "Content-Type: text/enriched" data containing an x-display XML element that specifies execution of shell commands, related to an unsafe...
3 affected packages
emacs23, emacs24, emacs25
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| emacs23 | — | — | — | Not in release | Not in release |
| emacs24 | — | — | — | Not in release | Fixed |
| emacs25 | — | — | — | Not affected | Not in release |