← back
CVE-2026-11853

CVE-2026-11853

CVSS 6.5 MEDIUMEPSS 0.3%CWE-59
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.5EPSS 0.3%KEV nãoPoC Patch
Lifecycle
Jun 10, 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Debian source packages (.dsc) and upload artifacts (.changes) are manifest files that name the files that make up the artifact. The parser used to read these files in Debusine accepted arbitrary fully user-controlled paths. The mergeuploads task could be abused to create arbitrary symbolic links on a worker, overwriting any file that the worker user has access to.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products
Debian · debusine

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://salsa.debian.org/freexian-team/debusine/-/commit/c24cdc49fb258714767546bdec5b09f8065d414ehttps://salsa.debian.org/freexian-team/debusine/-/merge_requests/3103https://salsa.debian.org/freexian-team/debusine/-/work_items/1484