VYPR
Vendor

Oscal Compass

Products
1
CVEs
5
Across products
5
Status
Private

Products

1

Recent CVEs

5
  • CVE-2026-46439higMay 28, 2026
    risk 0.39cvss epss 0.00

    A High severity Server-Side Template Injection (SSTI) vulnerability exists in the `trestle author jinja` command. The command recursively evaluates rendered templates, allowing an attacker to achieve arbitrary command execution with privileges of the running process by injecting…

  • CVE-2026-46345higMay 28, 2026
    risk 0.39cvss epss 0.00

    **Relevant Products/Components:** * `trestle/core/commands/author/jinja.py` * `trestle author jinja` --- ## Detailed Description: The `-o/--output` argument in `trestle author jinja` allows writing files outside the intended workspace. The application does not properly…

  • CVE-2026-45725higMay 27, 2026
    risk 0.39cvss epss 0.00

    ## Summary The compliance-trestle library's remote fetching cache mechanism (HTTPSFetcher and SFTPFetcher) constructs the local cache file path from the URL path component without sanitizing path traversal sequences (`../`). When a remote OSCAL profile references a URL with…

  • CVE-2026-46380May 28, 2026
    risk 0.00cvss epss 0.00

    A source code audit led to the discovery of three significant security vulnerabilities in the trestle/core/remote/cache.py module. **Finding 1 (Critical): SSRF (CWE-918)** The HTTPSFetcher._do_fetch() method passes a user-supplied URL directly to requests.get() without…

  • CVE-2026-45774May 28, 2026
    risk 0.00cvss epss 0.00

    ## Summary The compliance-trestle library's profile import mechanism resolves `trestle://` URIs and relative file paths by joining them with `trestle_root` and calling `.resolve()`, but performs **no boundary check** to ensure the resolved path stays within the trestle…