VYPR

rpm package

opensuse/emacs&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/emacs&distro=openSUSE%20Tumbleweed

Vulnerabilities (18)

  • CVE-2026-6861 · Med · Apr 22, 2026
    affected < 30.2-8.1 · fixed 30.2-8.1

    A flaw was found in GNU Emacs. This vulnerability, a memory corruption issue, occurs when Emacs processes specially crafted SVG (Scalable Vector Graphics) CSS (Cascading Style Sheets) data. A local user could exploit this by convincing a victim to open a malicious SVG file, which

  • CVE-2025-1244 · Hig · Feb 12, 2025
    affected < 29.4-14.1 · fixed 29.4-14.1

    A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a re

  • CVE-2024-53920 · Nov 27, 2024
    affected < 29.4-11.1 · fixed 29.4-11.1

    In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs

  • CVE-2024-39331 · Jun 23, 2024
    affected < 29.4-2.1 · fixed 29.4-2.1

    In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.

  • CVE-2023-27986 · Mar 9, 2023
    affected < 28.2-3.1 · fixed 28.2-3.1

    emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto: URI with unescaped double-quote characters. It is fixed in 29.0.90.

  • CVE-2023-27985 · Mar 9, 2023
    affected < 28.2-3.1 · fixed 28.2-3.1

    emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is fixed in 29.0.90

  • CVE-2022-48339 · Feb 20, 2023
    affected < 28.2-2.1 · fixed 28.2-2.1

    An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains

  • CVE-2022-48338 · Feb 20, 2023
    affected < 28.2-2.1 · fixed 28.2-2.1

    An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem

  • CVE-2022-48337 · Feb 20, 2023
    affected < 28.2-2.1 · fixed 28.2-2.1

    GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (s

  • CVE-2022-45939 · Nov 28, 2022
    affected < 28.2-1.1 · fixed 28.2-1.1

    GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (sugg

  • CVE-2014-9483 · Hig · Aug 28, 2017
    affected < 25.1-1.1 · fixed 25.1-1.1

    Emacs 24.4 allows remote attackers to bypass security restrictions.

  • CVE-2017-7476 · Cri · May 2, 2017
    affected < 27.2-6.2 · fixed 27.2-6.2

    Gnulib before 2017-04-26 has a heap-based buffer overflow with the TZ environment variable. The error is in the save_abbr function in time_rz.c.

  • CVE-2014-3424 · May 8, 2014
    affected < 25.1-1.1 · fixed 25.1-1.1

    lisp/net/tramp-sh.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a /tmp/tramp.##### temporary file.

  • CVE-2014-3423 · May 8, 2014
    affected < 25.1-1.1 · fixed 25.1-1.1

    lisp/net/browse-url.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a /tmp/Mosaic.##### temporary file.

  • CVE-2014-3422 · May 8, 2014
    affected < 25.1-1.1 · fixed 25.1-1.1

    lisp/emacs-lisp/find-gc.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file under /tmp/esrc/.

  • CVE-2014-3421 · May 8, 2014
    affected < 25.1-1.1 · fixed 25.1-1.1

    lisp/gnus/gnus-fun.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/gnus.face.ppm temporary file.

  • CVE-2012-0035 · Jan 19, 2012
    affected < 25.1-1.1 · fixed 25.1-1.1

    Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used in GNU Emacs before 23.4 and other products, allows local users to gain privileges via a crafted Lisp expression in a Project.ede file in the directory, or a parent directory, of an opened file.

  • CVE-2007-5795 · Nov 2, 2007
    affected < 27.2-6.2 · fixed 27.2-6.2

    The hack-local-variables function in Emacs before 22.2, when enable-local-variables is set to :safe, does not properly search lists of unsafe or risky variables, which might allow user-assisted attackers to bypass intended restrictions and modify critical program variables via a