PT-2026-31657 · Apt+2

Published 2026-04-09 · Updated 2026-04-09 · CVE-2026-39958

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: oma, versions prior to 1.25.2
Description: oma, the package manager for AOSC OS, has an issue in its oma-topics component, which improperly handles metadata received from remote repository servers. The component fetches metadata for testing repositories, called "Topic Manifests", from endpoints such as {mirror}/debs/manifest/topics.json and registers each manifest as an APT source entry. Because the 'name' field of this metadata is not validated, a malicious party able to serve malformed Topic Manifests can cause malicious APT source entries to be added to /etc/apt/sources.list.d/atm.list.
Recommendations: Update to version 1.25.2 or later.
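The missing check described above is an allowlist on the manifest's 'name' field before it is written into the line-oriented atm.list. The following Rust is an added illustration, not oma's own code or its actual fix; the allowlist policy, the 64-character limit and the `deb {mirror}/debs {name} main` line format are assumptions for the example.

```rust
/// Reasons a Topic Manifest `name` is refused (assumed policy, not oma's rule).
#[derive(Debug, PartialEq)]
pub enum TopicNameError {
    Empty,
    TooLong(usize),
    BadChar(char),
}

/// Accept only ASCII letters, digits, '.', '_', '+' and '-', with an
/// alphanumeric first character. Whitespace and control characters are
/// rejected so a remote-supplied name can never end, split or extend a line
/// of the sources file.
pub fn validate_topic_name(name: &str) -> Result<(), TopicNameError> {
    if name.is_empty() {
        return Err(TopicNameError::Empty);
    }
    if name.len() > 64 {
        return Err(TopicNameError::TooLong(name.len()));
    }
    for (i, c) in name.chars().enumerate() {
        let ok = c.is_ascii_alphanumeric() || (i > 0 && matches!(c, '.' | '_' | '+' | '-'));
        if !ok {
            return Err(TopicNameError::BadChar(c));
        }
    }
    Ok(())
}

/// Build one `deb` line for a validated topic. `mirror` is the operator's
/// configured base URL; the topic name is the only remote-controlled field.
pub fn topic_source_line(mirror: &str, name: &str) -> Result<String, TopicNameError> {
    validate_topic_name(name)?;
    Ok(format!("deb {}/debs {} main", mirror.trim_end_matches('/'), name))
}

/// Render the atm.list contents from manifest names, skipping and reporting
/// every name that fails validation instead of writing it out.
pub fn render_atm_list(mirror: &str, names: &[&str]) -> (String, Vec<(String, TopicNameError)>) {
    let mut out = String::new();
    let mut rejected = Vec::new();
    for n in names {
        match topic_source_line(mirror, n) {
            Ok(line) => { out.push_str(&line); out.push('\n'); }
            Err(e) => rejected.push((n.to_string(), e)),
        }
    }
    (out, rejected)
}

fn main() {
    // Constructed sample: two plausible topic names and two malformed ones.
    let names = ["kernel-6.12", "rust-1.85_update", "bad name", "x\ninjected"];
    let (list, rejected) = render_atm_list("https://repo.example/", &names);
    print!("{list}");
    for (n, e) in rejected { eprintln!("rejected {n:?}: {e:?}"); }
}
```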

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-39958

Affected Products

Aosc Os
Apt
Oma