CVE-2026-39958 | AOSC oma up to 1.25.0 topics.json Name crlf injection (GHSA-86jc-7r6q-cr3f)
VulDBArchived Apr 09, 2026✓ Full text saved
A vulnerability has been found in AOSC oma up to 1.25.0 and classified as problematic . Impacted is an unknown function of the file {mirror}/debs/manifest/topics.json . Performing a manipulation of the argument Name results in crlf injection. This vulnerability is known as CVE-2026-39958 . Remote exploitation of the attack is possible. No exploit is available. The affected component should be upgraded.
Full text archived locally
✦ AI Summary· Claude Sonnet
VDB-356626 · CVE-2026-39958 · GHSA-86JC-7R6Q-CR3F
AOSC OMA UP TO 1.25.0 TOPICS.JSON NAME CRLF INJECTION
HISTORYDIFFRELATEJSONXMLCTI
CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score
6.3 $0-$5k 0.70+
Summaryinfo
A vulnerability was found in AOSC oma up to 1.25.0 and classified as problematic. The affected element is an unknown function of the file {mirror}/debs/manifest/topics.json. Executing a manipulation of the argument Name can lead to crlf injection. This vulnerability is handled as CVE-2026-39958. The attack can be executed remotely. There is not any exploit available. It is suggested to upgrade the affected component.
Detailsinfo
A vulnerability classified as critical was found in AOSC oma up to 1.25.0. This vulnerability affects an unknown code of the file {mirror}/debs/manifest/topics.json. The manipulation of the argument name with an unknown input leads to a crlf injection vulnerability. The CWE definition for the vulnerability is CWE-93. The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:
oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible for fetching metadata for testing repositories (topics) named "Topic Manifests" ({mirror}/debs/manifest/topics.json) from remote repository servers, registering them as APT source entries. However, the name field in said metadata were not checked for transliteration. In this case, a malicious party may supply a malformed Topic Manifest, which may cause malicious APT source entries to be added to /etc/apt/sources.list.d/atm.list as oma-topics finishes fetching and registering metadata. This vulnerability is fixed in 1.25.2.
The advisory is available at github.com. This vulnerability was named CVE-2026-39958 since 04/08/2026. The exploitation appears to be difficult. The attack can be initiated remotely. The exploitation needs additional levels of successful authentication. Technical details are known, but there is no available exploit.
By approaching the search of inurl:{mirror}/debs/manifest/topics.json it is possible to find vulnerable targets with Google Hacking.
Upgrading to version 1.25.1 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch b361c0f219bbf91a684610c76210f71f093dbc18 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
Productinfo
Vendor
AOSC
Name
oma
Version
1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9
1.10
1.11
1.12
1.13
1.14
1.15
1.16
1.17
1.18
1.19
1.20
1.21
1.22
1.23
1.24
1.25.0
License
open-source
CPE 2.3info
🔒
🔒
🔒
CPE 2.2info
🔒
🔒
🔒
CVSSv4info
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA CVSS-B Score: 🔒
CNA CVSS-BT Score: 🔒
CNA Vector: 🔒
CVSSv3info
VulDB Meta Base Score: 6.6
VulDB Meta Temp Score: 6.3
VulDB Base Score: 6.6
VulDB Temp Score: 6.3
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv2info
Vector Complexity Authentication Confidentiality Integrity Availability
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploitinginfo
Class: Crlf injection
CWE: CWE-93 / CWE-74 / CWE-707
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
Google Hack: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
0-Day Unlock Unlock Unlock Unlock
Today Unlock Unlock Unlock Unlock
Threat Intelligenceinfo
Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍
Countermeasuresinfo
Recommended: Upgrade
Status: 🔍
0-Day Time: 🔒
Upgrade: oma 1.25.1
Patch: b361c0f219bbf91a684610c76210f71f093dbc18
Timelineinfo
04/08/2026 CVE reserved
04/09/2026 +1 days Advisory disclosed
04/09/2026 +0 days VulDB entry created
04/09/2026 +0 days VulDB entry last update
Sourcesinfo
Advisory: GHSA-86jc-7r6q-cr3f
Status: Confirmed
CVE: CVE-2026-39958 (🔒)
GCVE (CVE): GCVE-0-2026-39958
GCVE (VulDB): GCVE-100-356626
Entryinfo
Created: 04/09/2026 19:43
Changes: 04/09/2026 19:43 (72)
Complete: 🔍
Cache ID: 99:C9C:101
Discussion
No comments yet. Languages: en.
Please log in to comment.
◂ PreviousOverviewNext ▸