Alimezar

**Name of the Vulnerable Software and Affected Versions** Wazuh versions 4.0.0 through 4.14.3 **Description** Wazuh server API brute-force protection for the 'POST /security/user/authenticate' endpoint can be bypassed by sending concurrent authentication requests. While the `max login attempts` threshold is correctly enforced for sequential requests, a parallel burst allows more failed login attempts to be processed before an IP block is applied, enabling more password guesses than the configured policy intends. **Recommendations** Update to version 4.14.4.

**Name of the Vulnerable Software and Affected Versions** Wazuh versions 4.8.0 through 4.14.3 **Description** A stack-based buffer overflow exists in the `print hex string()` function within wazuh-remoted. This occurs when formatting attacker-controlled bytes using `sprintf()` on platforms where char is treated as signed and the compiled code sign-extends bytes before the variadic call. For instance, input bytes such as 0xFF may result in the emission of "ffffffff" instead of "ff", leading to an out-of-bounds write past a fixed 2049-byte stack buffer. This path is reachable remotely via TCP/1514 before agent authentication or registration when an oversized length prefix triggers the "unexpected message (hex)" diagnostic path. Additionally, this same unauthenticated path allows for remote log amplification by logging attacker-controlled hex dumps to `/var/ossec/logs/ossec.log`, which can consume disk/IO resources and degrade monitoring fidelity. **Recommendations** Update to version 4.14.4.

**Name of the Vulnerable Software and Affected Versions** Wazuh versions 4.4.0 through 4.14.3 **Description** A path traversal issue exists in the cluster synchronization extraction routine, specifically within the `decompress files()` function. This allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. This flaw can be escalated to remote code execution in the Wazuh service context by overwriting Python modules loaded by Wazuh components. In environments where the cluster daemon operates with elevated privileges, a full system-level compromise is possible. Over 3,500 unpatched instances were identified as of 2026-05-10. **Recommendations** Update to version 4.14.4.

**Name of the Vulnerable Software and Affected Versions** Werkzeug versions 3.1.5 and below **Description** The `safe join` function in Werkzeug, a WSGI web application library, improperly handles Windows device names when used as filenames, particularly when preceded by other path segments. Specifically, the function allows Windows device names as filenames, potentially leading to indefinite hanging when reading files if the application is running on Windows and the requested path ends with a special device name. The `send from directory` function utilizes `safe join` to serve files, making it susceptible to this issue. **Recommendations** Update to Werkzeug version 3.1.6 or later.