Vulnerability in oma Package Manager Affects AOSC OS
CVE-2026-39958

5.2 MEDIUM

Key Information:

Vendor: Aosc-dev

Status
Vendor
CVE Published: 9 April 2026

What is CVE-2026-39958?

The oma package manager for AOSC OS has an improper input validation issue in its oma-topics component. Prior to version 1.25.2, oma-topics does not validate the name field in the metadata of Topic Manifests. An attacker who supplies a crafted Topic Manifest may cause malicious APT source entries to be written to /etc/apt/sources.list.d/atm.list. This allows manipulation of the system's package sources, which puts system integrity and security at risk. The issue is fixed in version 1.25.2.

Affected Version(s)

oma < 1.25.1

CVSS V4

Score: 5.2
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown
