About “CFEngine”

A curated feed of “CFEngine”-related CVEs appears below. We currently track 20 CVEs for this tag (all time). In the last 365 days, 4 were published. Average CVSS is 6.0 (all time; 6.2 over 365d), and 30% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection'), CWE-284 - Improper Access Control.

In our taxonomy this topic maps to a LOW impact class. Configuration management tools run with broad privileges: patch hub servers and agents promptly, run them with least privilege, sign distributed artifacts, and audit policies and modules. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: cfengine

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle   Release   Latest    EOL        LTS
3.27              3.27.1    -          LTS
3.26              3.26.0    Expired
3.25              3.25.0    Expired
3.24              3.24.4               LTS
3.23              3.23.0    Expired
3.22              3.22.0    Expired
3.21              3.21.8    Expired    LTS
3.20              3.20.0    Expired
3.19              3.19.0    Expired
3.18              3.18.8    Expired    LTS
3.17              3.17.0    Expired
3.16              3.16.0    Expired
3.15              3.15.7    Expired    LTS

Legend: Maintained · Soon (EOL within 180 days) · Expired


CVEs tagged with this topic, newest first:
2026-06-02
Medium

CVE-2026-33553

Northern.tech CFEngine Enterprise 3.24.3 before 3.24.4 and 3.27.0 before 3.27.1 allows XSS.

2026-05-14
High

CVE-2026-24712

Northern.tech CFEngine Enterprise and Community before 3.21.8, 3.24.3, and 3.27.0 allows Command injection.

Medium

CVE-2026-24711

Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 has Incorrect Access Control.

Medium

CVE-2026-24710

Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 allows XSS.

2025-01-21
Medium

CVE-2024-55958

Northern.tech CFEngine Enterprise Mission Portal 3.24.0, 3.21.5, and below allows XSS. The fixed versions are 3.24.1 and 3.21.6.

2023-11-14
High

CVE-2023-45684

Northern.tech CFEngine Enterprise before 3.21.3 allows SQL Injection. The fixed versions are 3.18.6 and 3.21.3. The earliest affected version is 3.6.0. The issue is in the Mission Portal login page i…

2023-04-26
Medium

CVE-2023-26560

Northern.tech CFEngine Enterprise before 3.21.1 allows a subset of authenticated users to leverage the Scheduled Reports feature to read arbitrary files and potentially discover credentials.

2022-03-10
Medium

CVE-2021-44216

Northern.tech CFEngine Enterprise before 3.15.5 and 3.18.x before 3.18.1 has Insecure Permissions that may allow unauthorized local users to access the Apache and Mission Portal log files.

Medium

CVE-2021-44215

Northern.tech CFEngine Enterprise 3.15.4 before 3.15.5 has Insecure Permissions that may allow unauthorized local users to have an unspecified impact.

2021-10-27
Medium

CVE-2021-38379

The Hub in CFEngine Enterprise 3.6.7 through 3.18.0 has Insecure Permissions that allow local Information Disclosure.

Medium

CVE-2021-36756

CFEngine Enterprise 3.15.0 through 3.15.4 has Missing SSL Certificate Validation.

2020-04-16
Medium

CVE-2019-19394

Northern.tech CFEngine Enterprise before 3.10.7, 3.11.x and 3.12.x before 3.12.3, 3.13.x, and 3.14.x allows XSS. This is fixed in 3.10.7, 3.12.3, and 3.15.0.

2019-06-06
High

CVE-2019-9929

Northern.tech CFEngine Enterprise 3.12.1 has Insecure Permissions.

2005-10-05
Low

CVE-2005-2960

cfengine 1.6.5 and 2.1.16 allows local users to overwrite arbitrary files via a symlink attack on temporary files used by vicf.in, a different vulnerability than CVE-2005-3137.

Low

CVE-2005-3137

The (1) cfmailfilter and (2) cfcron.in files for cfengine 1.6.5 allow local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CVE-2005-2960.

2004-08-09
Critical

CVE-2004-1701

Heap-based buffer overflow in the AuthenticationDialogue function in cfservd for Cfengine 2.0.0 to 2.1.7p1 allows remote attackers to execute arbitrary code via a long SAUTH command during RSA authen…

Medium

CVE-2004-1702

The AuthenticationDialogue function in cfservd for Cfengine 2.0.0 to 2.1.7p1 does not properly check the return value of the ReceiveTransaction function, which leads to a failed malloc call and trigg…

2003-11-17
High

CVE-2003-0849

Buffer overflow in net.c for cfengine 2.x before 2.0.8 allows remote attackers to execute arbitrary code via certain packets with modified length values, which is trusted by the ReceiveTransaction fu…

2000-12-19
Critical

CVE-2000-0947

Format string vulnerability in cfd daemon in GNU CFEngine before 1.6.0a11 allows attackers to execute arbitrary commands via format characters in the CAUTH command.

1999-02-16
Low

CVE-1999-0374

Debian GNU/Linux cfengine package is susceptible to a symlink attack.
