CVE-2026-6901
Untrusted Search Path vulnerability in B&R Industrial Automation GmbH APROL. This issue affects APROL: before R 4.4-01P5.
CVSS
7.7
High
EPSS
0.1%
p2
KEV
—
Exploit Today
1
0-100
Published: Jul 6, 2026 · Last modified: Jul 6, 2026 · CWE-426
0.1%EPSS · 30 days0.1%
2026-07-072026-07-16
Untrusted Search Path vulnerability in B&R Industrial Automation GmbH APROL. This issue affects APROL: before R 4.4-01P5.
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-444779.9 CRI38.3%
——11CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3.2dCVE-2021-366667.8 HIG36.6%
——11An issue was discovered in Druva 6.9.0 for MacOS, allows attackers to gain escalated local privileges via the inSyncDecommission.8dCVE-2026-491457.5 HIG25.0%
——8App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc.
ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include --files-from, so a project .ackrc can set it to a path whose listed files ack then reads and searches. Version 3.10.0 added --follow to the blocklist; --files-from remains accepted.
A project .ackrc committed to an untrusted repository can make ack read files outside the project and print their matching lines.8dCVE-2021-33057.8 HIG24.6%
——7Beijing Feishu Technology Co., Ltd Feishu v3.40.3 was discovered to contain an untrusted search path vulnerability.8dCVE-2026-570976.4 MED16.1%
——5Untrusted search path in Microsoft XML allows an unauthorized attacker to bypass a security feature with a physical attack.2dCVE-2026-398837.0 HIG12.4%
——4OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.2d