{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39958", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T22:40:33.822Z", "datePublished": "2026-04-09T16:28:18.758Z", "dateUpdated": "2026-04-13T20:08:17.849Z"}, "containers": {"cna": {"title": "oma-topic: name Field in Topic Manifests (topic.json) May Allow CRLF Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 5.2, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/AOSC-Dev/oma/security/advisories/GHSA-86jc-7r6q-cr3f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/AOSC-Dev/oma/security/advisories/GHSA-86jc-7r6q-cr3f"}, {"name": "https://github.com/AOSC-Dev/oma/pull/733", "tags": ["x_refsource_MISC"], "url": "https://github.com/AOSC-Dev/oma/pull/733"}, {"name": "https://github.com/AOSC-Dev/oma/commit/b361c0f219bbf91a684610c76210f71f093dbc18", "tags": ["x_refsource_MISC"], "url": "https://github.com/AOSC-Dev/oma/commit/b361c0f219bbf91a684610c76210f71f093dbc18"}, {"name": "https://github.com/AOSC-Dev/oma/releases/tag/v1.25.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/AOSC-Dev/oma/releases/tag/v1.25.2"}], "affected": [{"vendor": "AOSC-Dev", "product": "oma", "versions": [{"version": "< 1.25.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:28:18.758Z"}, "descriptions": [{"lang": "en", "value": "oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible for fetching metadata for testing repositories (topics) named \"Topic Manifests\" ({mirror}/debs/manifest/topics.json) from remote repository servers, registering them as APT source entries. However, the name field in said metadata were not checked for transliteration. In this case, a malicious party may supply a malformed Topic Manifest, which may cause malicious APT source entries to be added to /etc/apt/sources.list.d/atm.list as oma-topics finishes fetching and registering metadata. This vulnerability is fixed in 1.25.2."}], "source": {"advisory": "GHSA-86jc-7r6q-cr3f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T20:07:48.795530Z", "id": "CVE-2026-39958", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:08:17.849Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39958", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T20:07:48.795530Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:08:13.125Z"}}], "cna": {"title": "oma-topic: name Field in Topic Manifests (topic.json) May Allow CRLF Injection", "source": {"advisory": "GHSA-86jc-7r6q-cr3f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "AOSC-Dev", "product": "oma", "versions": [{"status": "affected", "version": "< 1.25.1"}]}], "references": [{"url": "https://github.com/AOSC-Dev/oma/security/advisories/GHSA-86jc-7r6q-cr3f", "name": "https://github.com/AOSC-Dev/oma/security/advisories/GHSA-86jc-7r6q-cr3f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/AOSC-Dev/oma/pull/733", "name": "https://github.com/AOSC-Dev/oma/pull/733", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/AOSC-Dev/oma/commit/b361c0f219bbf91a684610c76210f71f093dbc18", "name": "https://github.com/AOSC-Dev/oma/commit/b361c0f219bbf91a684610c76210f71f093dbc18", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/AOSC-Dev/oma/releases/tag/v1.25.2", "name": "https://github.com/AOSC-Dev/oma/releases/tag/v1.25.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible for fetching metadata for testing repositories (topics) named \"Topic Manifests\" ({mirror}/debs/manifest/topics.json) from remote repository servers, registering them as APT source entries. However, the name field in said metadata were not checked for transliteration. In this case, a malicious party may supply a malformed Topic Manifest, which may cause malicious APT source entries to be added to /etc/apt/sources.list.d/atm.list as oma-topics finishes fetching and registering metadata. This vulnerability is fixed in 1.25.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:28:18.758Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39958", "state": "PUBLISHED", "dateUpdated": "2026-04-13T20:08:17.849Z", "dateReserved": "2026-04-07T22:40:33.822Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T16:28:18.758Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible for fetching metadata for testing repositories (topics) named \"Topic Manifests\" ({mirror}/debs/manifest/topics.json) from remote repository servers, registering them as APT source entries. However, the name field in said metadata were not checked for transliteration. In this case, a malicious party may supply a malformed Topic Manifest, which may cause malicious APT source entries to be added to /etc/apt/sources.list.d/atm.list as oma-topics finishes fetching and registering metadata. This vulnerability is fixed in 1.25.2."}], "id": "CVE-2026-39958", "lastModified": "2026-04-16T14:42:01.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T17:16:30.257", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/AOSC-Dev/oma/commit/b361c0f219bbf91a684610c76210f71f093dbc18"}, {"source": "security-advisories@github.com", "url": "https://github.com/AOSC-Dev/oma/pull/733"}, {"source": "security-advisories@github.com", "url": "https://github.com/AOSC-Dev/oma/releases/tag/v1.25.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/AOSC-Dev/oma/security/advisories/GHSA-86jc-7r6q-cr3f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.25.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "oma", "source": "cna", "vendor": "AOSC-Dev"}, "product": "oma", "vendor": "aosc-dev"}], "analysis": {"en": {"generated_at": "2026-04-09T19:22:39.795612+00:00", "value": {"mitigation_remediation": ["Update to oma version 1.25.2 or later.", "Remove any manually added rogue APT source entries from /etc/apt/sources.list.d/atm.list.", "If immediate update is not possible, limit oma\u2011topics to trusted repositories or manually validate the 'name' field in Topic Manifests before registration."], "summary": {"action": "Patch Now", "impact": "APT source injection via CRLF injection"}, "threat_synthesis": {"affected_systems": "Affected systems are machines running the oma package manager for AOSC OS, specifically the oma\u2011topics component, with any version prior to 1.25.2. This includes AOSC OS installations that automatically fetch Topic Manifests from remote repositories. Version 1.25.2 and later contain the fix.", "description_and_impact": "The vulnerability arises from the omission of validation on the 'name' field inside Topic Manifests (topic.json). A crafted value containing CRLF characters allows an attacker to inject new lines that are interpreted as separate configuration entries when oma\u2011topics registers the manifest. This results in malicious APT source entries being added to /etc/apt/sources.list.d/atm.list, pointing to attacker\u2011controlled repositories. When those repositories are later used, the system can download and install arbitrary packages, providing a path to code execution. The weakness corresponds to CWE\u201193, incorrect handling of untrusted data that can lead to HTTP response splitting.", "risk_and_exploitability": "The CVSS base score of 5.2 indicates a medium severity vulnerability. EPSS data is not publicly available, and the flaw is not listed in the CISA KEV catalog, implying it has not yet been exploited at scale. Exploitation requires control or influence over a remote repository hosting a Topic Manifest; an attacker can trigger oma\u2011topics to fetch a malicious manifest and cause rogue APT source entries to be written. Given the need for environment control and the moderate score, the overall risk is considered moderate, with a realistic chance of exploitation if an attacker can host or manipulate a repository used by the affected systems."}}}}, "created": "2026-04-10T08:52:59.938324+00:00", "updated": "2026-04-10T09:32:11.860271+00:00", "vendors": ["aosc-dev", "aosc-dev$PRODUCT$oma"]}