High

DATE	CVE	VULNERABILITY TITLE	RISK
2018-07-06	CVE-2018-13348	Improper Input Validation vulnerability in Mercurial The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001. network low complexity mercurial CWE-20	7.5
2018-07-06	CVE-2018-13346	Improper Input Validation vulnerability in Mercurial The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004. network low complexity mercurial CWE-20	7.5
2017-10-05	CVE-2017-1000115	Link Following vulnerability in multiple products Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files outside the repository network low complexity mercurial debian redhat CWE-59	7.5
2017-06-06	CVE-2017-9462	Incorrect Permission Assignment for Critical Resource vulnerability in multiple products In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name. network low complexity mercurial debian redhat CWE-732	8.8
2016-05-09	CVE-2016-3105	Improper Access Control vulnerability in multiple products The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name. network low complexity debian mercurial CWE-284	8.8
2016-04-13	CVE-2016-3630	Data Processing Errors vulnerability in multiple products The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records. network low complexity fedoraproject opensuse mercurial debian suse CWE-19	8.8
2016-04-13	CVE-2016-3069	Improper Input Validation vulnerability in multiple products Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository. network low complexity mercurial debian suse opensuse fedoraproject redhat CWE-20	8.8
2016-04-13	CVE-2016-3068	Improper Input Validation vulnerability in multiple products Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository. network low complexity debian mercurial fedoraproject redhat suse opensuse CWE-20	8.8