Linuxserver
Products
1- 4 CVEs
Recent CVEs
4| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-51358 | Cri | 0.67 | 9.8 | 0.39 | Nov 5, 2024 | An issue in Linux Server Heimdall v.2.6.1 allows a remote attacker to execute arbitrary code via a crafted script to the Add new application. | ||
| CVE-2023-51803 | Cri | 0.57 | 9.8 | 0.00 | Apr 1, 2024 | LinuxServer.io Heimdall before 2.5.7 does not prevent use of icons that have non-image data such as the "<?php ?>" substring. | ||
| CVE-2025-50578 | 0.00 | — | 0.02 | Jul 30, 2025 | LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. An unauthenticated remote attacker can manipulate these headers to perform Host Header Injection and Open Redirect attacks. This allows the loading of external resources from attacker-controlled domains and unintended redirection of users, potentially enabling phishing, UI redress, and session theft. The vulnerability exists due to insufficient validation and trust of untrusted input, affecting the integrity and trustworthiness of the application. | |||
| CVE-2025-54597 | 0.00 | — | 0.01 | Jul 27, 2025 | LinuxServer.io Heimdall before 2.7.3 allows XSS via the q parameter. |
- risk 0.67cvss 9.8epss 0.39
An issue in Linux Server Heimdall v.2.6.1 allows a remote attacker to execute arbitrary code via a crafted script to the Add new application.
- risk 0.57cvss 9.8epss 0.00
LinuxServer.io Heimdall before 2.5.7 does not prevent use of icons that have non-image data such as the "<?php ?>" substring.
- CVE-2025-50578Jul 30, 2025risk 0.00cvss —epss 0.02
LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. An unauthenticated remote attacker can manipulate these headers to perform Host Header Injection and Open Redirect attacks. This allows the loading of external resources from attacker-controlled domains and unintended redirection of users, potentially enabling phishing, UI redress, and session theft. The vulnerability exists due to insufficient validation and trust of untrusted input, affecting the integrity and trustworthiness of the application.
- CVE-2025-54597Jul 27, 2025risk 0.00cvss —epss 0.01
LinuxServer.io Heimdall before 2.7.3 allows XSS via the q parameter.