Every CVE whose affected-product data names Samba Rsync, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (24)
CVE-2024-12084 — CVSS 9.8 (critical): A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum…
CVE-2017-15994 — CVSS 9.8 (critical): rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended…
CVE-2017-16548 — CVSS 9.8 (critical): The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name…
CVE-2017-17434 — CVSS 9.8 (critical): The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data…
CVE-2026-43618 — CVSS 8.1 (high): Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is…
CVE-2014-2855 — CVSS 7.8 (high): The check_secret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of service (infinite loop…
CVE-2024-12085 — CVSS 7.5 (high): A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the…
CVE-2018-5764 — CVSS 7.5 (high): The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows…
CVE-2008-1720 — CVSS 7.5 (high): Buffer overflow in rsync 2.6.9 to 3.0.1, with extended attribute (xattr) support enabled, might allow remote attackers to execute arbitrary…
CVE-2022-29154 — CVSS 7.4 (high): An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of…
CVE-2020-14387 — CVSS 7.4 (high): A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote…
CVE-2026-41035 — CVSS 7.4 (high): In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free…
CVE-2026-29518 — CVSS 7.0 (high): Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to…
CVE-2026-43620 — CVSS 6.5 (medium): Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a…
CVE-2024-12087 — CVSS 6.5 (medium): A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option…
CVE-2024-12088 — CVSS 6.5 (medium): A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination…
CVE-2014-9512 — CVSS 6.4 (medium): rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path.
CVE-2026-43619 — CVSS 6.3 (medium): Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes…
CVE-2024-12086 — CVSS 6.1 (medium): A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue…
CVE-2011-1097 — CVSS 5.1 (medium): rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of…
CVE-2026-43617 — CVSS 4.8 (medium): Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list…
CVE-2017-17433 — CVSS 3.7 (low): The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file…
CVE-2026-45232 — CVSS 3.1 (low): Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in…
CVE-2002-0080 — CVSS 2.1 (low): rsync, when running in daemon mode, does not properly call setgroups before dropping privileges, which could provide supplemental group…