Known Vulnerabilities for products from Mercurial
Listed below are 19 of the newest known vulnerabilities associated with the vendor "Mercurial".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs; each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-33435 | | Not Provided | 2026-04-15 | 2026-04-15 |
| CVE-2019-3902 | A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-chec... | 5.9 - MEDIUM | 2019-04-22 | 2020-07-31 |
| CVE-2018-1000132 | Mercurial version 4.5 and earlier contains an Incorrect Access Control (CWE-285) vulnerability in Protocol server that can res... | 9.1 - CRITICAL | 2018-03-14 | 2020-07-31 |
| CVE-2018-17983 | cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry. | 9.1 - CRITICAL | 2018-10-04 | 2018-12-13 |
| CVE-2018-13348 | The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least... | 7.5 - HIGH | 2018-07-06 | 2020-07-31 |
| CVE-2018-13347 | mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002. | 9.8 - CRITICAL | 2018-07-06 | 2020-07-31 |
| CVE-2018-13346 | The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is pas... | 7.5 - HIGH | 2018-07-06 | 2020-07-31 |
| CVE-2017-1000116 | Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks. | 9.8 - CRITICAL | 2017-10-05 | 2019-10-03 |
| CVE-2017-1000115 | Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can allow malicious repositories to modify files outsi... | 7.5 - HIGH | 2017-10-05 | 2019-05-10 |
| CVE-2017-17458 | In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrar... | 9.8 - CRITICAL | 2017-12-07 | 2020-07-31 |
| CVE-2017-9462 | In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequent... | 8.8 - HIGH | 2017-06-06 | 2020-02-05 |
| CVE-2016-3630 | The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) pus... | 8.8 - HIGH | 2016-04-13 | 2023-06-21 |
| CVE-2016-3105 | The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted... | 8.8 - HIGH | 2016-05-09 | 2017-07-01 |
| CVE-2016-3069 | Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository. | 8.8 - HIGH | 2016-04-13 | 2018-10-30 |
| CVE-2016-3068 | Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subreposi... | 8.8 - HIGH | 2016-04-13 | 2018-10-30 |
| CVE-2014-9462 | The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a c... | 7.5 - HIGH | 2015-03-31 | 2018-10-30 |
| CVE-2014-9390 | Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; M... | 9.8 - CRITICAL | 2020-02-12 | 2021-05-17 |
| CVE-2010-4237 | Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates which allows remote attackers who acquire a ... | 5.9 - MEDIUM | 2019-10-29 | 2019-10-31 |
| CVE-2008-4297 | Mercurial before 1.0.2 does not enforce the allowpull permission setting for a pull operation from hgweb, which allows remote... | 5 - MEDIUM | 2008-09-27 | 2018-10-11 |
| CVE-2008-2942 | Directory traversal vulnerability in patch.py in Mercurial 1.0.1 allows user-assisted attackers to modify arbitrary files via... | 6.8 - MEDIUM | 2008-06-30 | 2018-10-11 |
Known software with vulnerabilities from Mercurial
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Mercurial | Mercurial | 1.6.0 |