git: 5e37c9914a10 - main - security/vuxml: Document net/rclone vulnerability
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 29 Jun 2026 13:07:23 UTC
The branch main has been updated by nxjoseph:
URL: https://cgit.FreeBSD.org/ports/commit/?id=5e37c9914a103ed5eeadc6c63b21c282caff18a9
commit 5e37c9914a103ed5eeadc6c63b21c282caff18a9
Author: Yusuf Yaman <nxjoseph@FreeBSD.org>
AuthorDate: 2026-06-29 13:06:48 +0000
Commit: Yusuf Yaman <nxjoseph@FreeBSD.org>
CommitDate: 2026-06-29 13:07:14 +0000
security/vuxml: Document net/rclone vulnerability
PR: 296192
Approved by: osa, vvd (Mentors, implicit)
---
security/vuxml/vuln/2026.xml | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml
index ffa29fb74d42..7c2914f4502e 100644
--- a/security/vuxml/vuln/2026.xml
+++ b/security/vuxml/vuln/2026.xml
@@ -1,3 +1,38 @@
+ <vuln vid="0f3342e3-73ba-11f1-910d-3c7c3fba4204">
+ <topic>rclone -- Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation</topic>
+ <affects>
+ <package>
+ <name>rclone</name>
+ <range><ge>1.46.0</ge><lt>1.74.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p><a href="https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv">https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv</a> reports:</p>
+ <blockquote cite="https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv">
+ <p>Rclone is a command-line program to sync files and directories to
+and from different cloud storage providers.<br/>From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD
+requests to paths of the form: /[remote:path]/object.<br/>The remote
+value is parsed from the URL and passed to normal backend initialization.
+Inline remote configuration can set backend options that execute
+local commands during initialization.<br/>As a result, a single
+unauthenticated GET or HEAD request can execute a command as the
+rclone process user.</p>
+ <p>Thanks to <a href="https://github.com/ncw">Nick Craig-Wood</a> for reporting this vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2026-49980</cvename>
+ <url>https://cveawg.mitre.org/api/cve/CVE-2026-49980</url>
+ <url>https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv</url>
+ </references>
+ <dates>
+ <discovery>2026-06-24</discovery>
+ <entry>2026-06-29</entry>
+ </dates>
+ </vuln>
+
<vuln vid="a8614190-73b4-11f1-910d-3c7c3fba4204">
<topic>PowerDNS -- vulnerabilities</topic>
<affects>