Description
Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Update allows Authentication Bypass.

This issue affects Pardus Update: from 0.6.3 before 0.6.4.
Published: 2026-04-29
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of CRLF sequences ('CRLF injection') in TUBITAK BILGEM Software Technologies Research Institute Pardus Update allows an attacker to bypass authentication by sending crafted input that the system mishandles. This permits authentication without valid credentials and grants unrestricted access to the system.

Affected Systems

TUBITAK BILGEM Software Technologies Research Institute Pardus Update is affected, with vulnerable releases including 0.6.3 and earlier.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability, and the EPSS score of <1% shows exploitation probability is low but not zero. The vulnerability could be exploited remotely if the authentication component is exposed over a network, or locally if the attacker can influence input to the affected process; this attack vector is inferred rather than explicitly stated. The vulnerability is not listed in the CISA KEV catalog, though it remains a serious risk for affected installations.

Generated by OpenCVE AI on May 4, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Pardus Update version later than 0.6.4 if a vendor release is available.
  • Enforce strict input validation to reject or sanitize CRLF sequences before reaching the authentication component.
  • Monitor authentication logs for unauthorized access and perform a security audit of input handling.

Generated by OpenCVE AI on May 4, 2026 at 15:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Update allows Authentication Bypass. This issue affects Pardus Update: from <=0.6.4 before 0.6.5. Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Update allows Authentication Bypass. This issue affects Pardus Update: from 0.6.3 before 0.6.4.

Mon, 04 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus allows Authentication Bypass. This issue affects Pardus: from <=0.6.4 before 0.8.0. Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Update allows Authentication Bypass. This issue affects Pardus Update: from <=0.6.4 before 0.6.5.

Thu, 30 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Tubitak Bilgem Software Technologies Research Institute
Tubitak Bilgem Software Technologies Research Institute pardus
Vendors & Products Tubitak Bilgem Software Technologies Research Institute
Tubitak Bilgem Software Technologies Research Institute pardus

Wed, 29 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 29 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus allows Authentication Bypass. This issue affects Pardus: from <=0.6.4 before 0.8.0.
Title Authorization Bypass in TUBITAK BILGEM's Pardus Update
Weaknesses CWE-93
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Tubitak Bilgem Software Technologies Research Institute Pardus
cve-icon MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-05-04T13:33:55.193Z

Reserved: 2026-03-30T11:35:18.026Z

Link: CVE-2026-5140

cve-icon Vulnrichment

Updated: 2026-04-29T14:04:30.772Z

cve-icon NVD

Status : Deferred

Published: 2026-04-29T14:16:19.777

Modified: 2026-05-04T14:16:35.190

Link: CVE-2026-5140

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T16:00:04Z

Weaknesses