Vulnerability in Aosc-dev Oma

CVE-2026-39958

oma is a package manager for AOSC OS. Prior to 1.25.2, oma-topics is responsible for fetching metadata for testing repositories (topics) named "Topic Manifests" ({mirror}/debs/manifest/topics.json) from remote repository servers, registeri…

Vulnerability class: CRLF Injection

EPSS: 0.001 (19.2th percentile) — read the EPSS interpretation.

Affected products

Aosc-dev Oma — versions < 1.25.1

Weakness classification (CWE)

CWE-93 — CRLF Injection

References

https://github.com/AOSC-Dev/oma/security/advisories/GHSA-86jc-7r6q-cr3f (x_refsource_CONFIRM)
https://github.com/AOSC-Dev/oma/pull/733 (x_refsource_MISC)
https://github.com/AOSC-Dev/oma/commit/b361c0f219bbf91a684610c76210f71f093dbc18 (x_refsource_MISC)
https://github.com/AOSC-Dev/oma/releases/tag/v1.25.2 (x_refsource_MISC)