Multiple Flaws in Proxmox VE and Mail Gateway Enable XSS, DoS, and Privilege Escalation
Researchers disclosed three vulnerabilities affecting Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG), including a post-authentication reflected XSS in PVE’s API Inspector, a CRLF injection flaw in HTTP error handling, and a post-authentication SSRF plus arbitrary file-read issue shared across both products. The XSS bug, tracked as CVE-2022-31358, could let an authenticated attacker run JavaScript in a logged-in administrator’s browser and potentially abuse exposed web UI functions to execute actions on the host. The CRLF injection issue could be exploited in Chromium-based browsers to inject headers and trigger a client-side denial of service by forcing oversized cookie headers that lock users out of the web interface.
The most serious finding was a bug chain in PVE and PMG that allowed low-privileged authenticated users to abuse SSRF and arbitrary file read; in PMG, attackers could also access backup archives containing the authentication private key, forge valid tickets, and escalate privileges to root@pam. MITRE assigned CVE-2022-35507 and CVE-2022-35508 to the latter flaws. Proxmox addressed the XSS in pve-http-server 4.1-2 and patched the CRLF injection and SSRF-related issues in pve-http-server 4.1-3.
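As an added illustration of the CRLF injection bug class summarised above (constructed here, not code from pve-http-server or from the researchers), the snippet below places a naive error emitter that echoes a reason string into the status line beside a hardened one that refuses control characters, and parses each response the way a lenient client would:

```python
"""Added illustration of the CRLF-injection bug class described above.
This is NOT code from pve-http-server; the emitter, the hardened check and the
sample input are all constructed here to show the failure mode and the fix."""
from __future__ import annotations

CRLF = "\r\n"


def header_value_is_safe(value: str) -> bool:
    """True if the value contains no CR, LF or other control characters.
    Anything failing this check must never be copied into a status line or
    header, because the client treats CR LF as a header boundary."""
    return all(0x20 <= ord(ch) < 0x7F for ch in value)


def build_error_unsafe(status: int, reason: str) -> str:
    """Naive error emitter (constructed): the reason text is echoed verbatim
    into the status line, the pattern behind a CRLF injection."""
    return f"HTTP/1.1 {status} {reason}{CRLF}Content-Length: 0{CRLF}{CRLF}"


def build_error_safe(status: int, reason: str) -> str:
    """Hardened emitter: refuse to echo a reason that could split the
    response and fall back to a fixed string instead of caller-supplied text."""
    if not header_value_is_safe(reason):
        reason = "Error"
    return build_error_unsafe(status, reason)


def response_header_names(raw: str) -> list[str]:
    """Parse a response like a lenient client and return the header names it
    would honour (status line excluded, lower-cased)."""
    head = raw.split(CRLF + CRLF, 1)[0]
    return [ln.split(":", 1)[0].strip().lower()
            for ln in head.split(CRLF)[1:] if ":" in ln]


# Constructed sample input: an error reason carrying CR LF followed by an
# oversized Set-Cookie header, the shape behind the client-side lock-out.
INJECTED_REASON = "Not Found" + CRLF + "Set-Cookie: session=" + "A" * 9000


def demo() -> tuple[list[str], list[str]]:
    """Header names a client would see from the naive vs the hardened emitter."""
    return (response_header_names(build_error_unsafe(404, INJECTED_REASON)),
            response_header_names(build_error_safe(404, INJECTED_REASON)))


if __name__ == "__main__":
    unsafe, safe = demo()
    print("naive emitter leaks headers:", unsafe)  # ['set-cookie', 'content-length']
    print("hardened emitter:", safe)               # ['content-length']
```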
Timeline
Dec 2, 2022
STAR Labs publicly discloses multiple Proxmox VE and PMG vulnerabilities
STAR Labs published technical details on three vulnerabilities affecting Proxmox VE and Proxmox Mail Gateway, including reflected XSS, CRLF injection, and an SSRF plus arbitrary file-read chain. The disclosure explained how low-privileged authenticated users could abuse the issues, including a PMG privilege-escalation path via readable backup files.
Dec 2, 2022
MITRE assigns CVEs to the Proxmox and PMG vulnerabilities
MITRE assigned CVE-2022-31358 to the reflected XSS issue and later assigned CVE-2022-35507 and CVE-2022-35508 to the remaining CRLF injection and SSRF/file-read vulnerabilities. These identifiers formalized tracking for the three disclosed bugs.
Dec 2, 2022
Proxmox patches CRLF injection and SSRF/file-read issues in 4.1-3
Proxmox released pve-http-server version 4.1-3 to address a CRLF injection flaw in HTTP error handling and a post-authentication SSRF plus arbitrary file-read bug affecting Proxmox VE and Proxmox Mail Gateway. In PMG, the file-read issue could expose backup archives containing authentication keys, enabling privilege escalation to root@pam.
Dec 2, 2022
Proxmox patches reflected XSS in pve-http-server 4.1-2
Proxmox fixed a post-authentication reflected XSS issue in the Proxmox VE API Inspector in pve-http-server version 4.1-2. The flaw could allow JavaScript execution in an authenticated administrator's browser and potentially lead to host-level actions through the web UI.
Related Stories

Multiple Vulnerabilities Disclosed in Proxmox Virtual Environment
German CERT published two advisories affecting **Proxmox Virtual Environment (PVE)**, including one issue that can lead to **information disclosure** and a later notice covering **multiple vulnerabilities** in the virtualization platform. The advisories, `2026-1012` and `2026-1243`, indicate that organizations running Proxmox should review exposed management infrastructure and assess whether sensitive data or administrative functions could be affected. The notices provide limited public detail, but the combination of an information disclosure flaw and additional unspecified weaknesses raises concern for enterprises using Proxmox to host virtual machines and manage clustered infrastructure. Security teams should identify all PVE deployments, monitor vendor and CERT updates for affected versions and patches, and prioritize remediation or compensating controls on internet-reachable or business-critical systems.
1 week ago
Multiple Unrelated Critical Vulnerabilities Disclosed in October 2025
A series of critical and high-severity vulnerabilities affecting a diverse set of software products were publicly disclosed in October 2025. Epsilon RH by Grupo Castilla was found to have a SQL injection vulnerability (CVE-2025-41028) that allows attackers to manipulate the database by sending crafted POST requests to the 'sEstadoUsr' parameter in the '/epsilonnetws/WSAvisos.asmx' endpoint. Lanscope Endpoint Manager (CVE-2025-61932) was reported to have an improper origin verification flaw, enabling attackers to execute arbitrary code via specially crafted packets, though remote exploitation is not possible. Galaxy Software Services Vitals ESP Forum Module (CVE-2025-31342) was discovered to allow remote authenticated users to upload dangerous files, leading to arbitrary command execution. Fsas Technologies Inc.'s ETERNUS SF (CVE-2025-62577) contains incorrect default permissions, allowing low-privileged users to obtain database credentials and potentially escalate privileges to execute OS commands as an administrator. Excellent Infotek's Document Management System (CVE-2025-11948) is vulnerable to unauthenticated arbitrary file upload, enabling attackers to deploy web shells and execute code on the server. Vvveb CMS up to version 1.0.5 is susceptible to authenticated code injection via its Code Editor, allowing attackers to modify files and achieve remote code execution. The Theme Editor plugin for WordPress (CVE-2025-9890) is vulnerable to cross-site request forgery, which can be exploited to achieve remote code execution if an administrator is tricked into clicking a malicious link. The PPOM plugin for WooCommerce (CVE-2025-11391) allows unauthenticated arbitrary file uploads, posing a severe risk to affected e-commerce sites. 
The Appointments plugin for WordPress (CVE-2017-20206) and the Flickr Gallery plugin (CVE-2017-20207) both suffer from unauthenticated PHP object injection vulnerabilities, which have been actively exploited to create backdoors using the WP_Theme() class. RegistrationMagic (CVE-2017-20208) is also affected by a PHP object injection flaw, allowing attackers to fetch and install remote files. Finally, BLU-IC2 and BLU-IC4 devices (CVE-2025-11925) have an API that returns an incorrect Content-Type header, potentially enabling HTML/JavaScript injection in responses. Each of these vulnerabilities presents a significant risk, with several allowing remote code execution, privilege escalation, or the installation of persistent backdoors. The affected products span web applications, content management systems, endpoint management tools, and specialized enterprise software. Security teams are advised to review the specific advisories, apply patches or mitigations where available, and monitor for signs of exploitation, as several vulnerabilities have been reported as actively exploited in the wild. The diversity and severity of these disclosures underscore the ongoing need for rigorous vulnerability management and timely response to public advisories.
1 month ago
Multiple Critical Vulnerability Disclosures Across Gogs, Jinjava, and Kubernetes Local Path Provisioner
Several **high-severity vulnerability disclosures** were published across widely used developer and infrastructure components, with impacts ranging from **remote code execution (RCE)** to **account takeover** and **arbitrary host file writes**. In *Gogs* (self-hosted Git service), three CVEs were reported: **CVE-2025-64111** (CVSS 9.3) enables RCE by bypassing checks in `UpdateRepoFile` to modify `.git/config` via the API (described as an insufficient fix for an earlier issue); **CVE-2025-64175** (CVSS 7.7) allows a **cross-account 2FA recovery-code bypass** in versions `0.13.3` and earlier if an attacker already has a victim’s username/password; and **CVE-2026-24135** (CVSS 7.2) is a wiki rename path traversal that can delete arbitrary files by manipulating `old_title`. Separately, *Jinjava* (HubSpot CMS template engine) disclosed **CVE-2026-25526** (CVSS 9.8), a sandbox escape chain that permits arbitrary Java code execution by abusing `ForTag` iteration behavior (Bean ELResolver restriction bypass) and `ObjectMapper`-based JSON deserialization to instantiate disallowed classes. A critical Kubernetes storage issue was also disclosed in *Kubernetes Local Path Provisioner*: **CVE-2025-62878** (CVSS 10.0) allows directory traversal via the `parameters.pathPattern` setting, enabling a user who can create storage resources to provision volumes in arbitrary host locations (e.g., `/etc`) and potentially overwrite sensitive files on cluster nodes. In parallel to these product flaws, separate research reported widespread **exposure of Git metadata** on the public internet—approximately **4.96 million** IPs with accessible `.git` directories and **250,000+** exposing `.git/config` files that may contain deployment credentials—highlighting a common, high-impact misconfiguration pattern that can enable source code reconstruction and secret theft. 
Active exploitation activity was reported for *Ivanti Endpoint Manager Mobile (EPMM)* involving **CVE-2026-1281** and **CVE-2026-1340**, where attackers were observed dropping `/mifs/403.jsp` and using a Base64-delivered Java class loader designed for delayed, in-memory activation rather than immediate interactive webshell use.
1 month ago