Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

CloudFoundry Foundation

Source -

CNA

BOS Name -

N/A

CNA CVEs -

2

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated ProductsRelated AssignersReports
2Vulnerabilities found
CVE-2026-41013
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.1||HIGH
EPSS-0.04% / 11.12%
||
7 Day CHG~0.00%
Published-01 Jun, 2026 | 17:36
Updated-04 Jun, 2026 | 17:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenant-controlled comma smuggles arbitrary CIFS mount options

Input validation bypass in SMB volume mount handling in CloudFoundry Foundation diego-release allows low-privileged CF space developer to inject arbitrary kernel CIFS mount options via bypassing the mount-option allowlist, enabling privilege escalation and security control bypass on multi-tenant Diego cells. Affected versions: smb-volume-release: All versions prior to v3.60.0 CF Deployment: All versions prior to v56.0.0

Action-Not Available
Vendor-CloudFoundry Foundation
Product-smb-volume-releaseCF Deployment
CWE ID-CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE-2026-22726
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-5||MEDIUM
EPSS-0.05% / 15.40%
||
7 Day CHG+0.01%
Published-30 Apr, 2026 | 23:17
Updated-04 May, 2026 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Route Services Firewall Bypass

Route Services can be leveraged to send app traffic to network destinations outside of an app's configured egress rules. As a result, a malicious developer with access to Cloudfoundry could configure a route-service that would allow it to send requests to HTTP services on internal networks reachable by the Gorouter, which may not have previously had direct access from outside networks, or from the application. Routing release: affected from v0.118.0 through v0.371.0 (inclusive); upgrade to v0.372.0 or greater. CF Deployment: affected from v0.0.2 through v54.14.0 (inclusive); upgrade to v55.0.0 or greater (includes routing_release v0.372.0).

Action-Not Available
Vendor-CloudFoundry FoundationCloud Foundry
Product-cf-deploymentrouting_releaseCF DeploymentRouting release
CWE ID-CWE-923
Improper Restriction of Communication Channel to Intended Endpoints