Mercurial
By the Year
In 2025 there have been 0 vulnerabilities in Mercurial. Mercurial did not have any published security vulnerabilities last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 0 | 0.00 |
2023 | 0 | 0.00 |
2022 | 0 | 0.00 |
2021 | 0 | 0.00 |
2020 | 0 | 0.00 |
2019 | 1 | 5.90 |
2018 | 5 | 8.60 |
It may take a day or so for new Mercurial vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Mercurial Security Vulnerabilities
CVE-2019-3902
5.9 - Medium
- April 22, 2019
A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.
Path Traversal
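The bug class behind CVE-2019-3902 is a containment check that reasons about the path string but not about what the path resolves to on disk. The following is an added illustration, not Mercurial's own code: `inside_lexical` shows the weak pattern (normalise `..`, compare prefixes) and accepts a write through a symlink that points outside the repository, while `inside_resolved` refuses symlink components and compares resolved paths. The function names and the directory layout built by `build_fixture` in a temporary directory are constructed for this example.

```python
import os
import tempfile


def _under(root: str, target: str) -> bool:
    """True when target is root itself or lies beneath it (both normalised)."""
    return target == root or target.startswith(root + os.sep)


def inside_lexical(root: str, rel: str) -> bool:
    """Weak check: collapses '..' segments but never consults the filesystem,
    so a symlink component inside the repository is invisible to it."""
    target = os.path.normpath(os.path.join(root, rel))
    return _under(os.path.normpath(root), target)


def inside_resolved(root: str, rel: str) -> bool:
    """Stronger check: refuse absolute paths and '..', refuse any component
    that is a symlink (it could point anywhere, now or after a later commit),
    and finally compare the resolved target against the resolved root."""
    if os.path.isabs(rel):
        return False
    cur = root
    for part in os.path.normpath(rel).split(os.sep):
        if part == os.pardir:
            return False
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            return False
    return _under(os.path.realpath(root), os.path.realpath(cur))


def build_fixture() -> str:
    """Constructed layout in a fresh temp dir (example data, not a real repo):
        <base>/repo/sub/                     a normal directory
        <base>/repo/link -> <base>/outside   a symlink escaping the repo
    Returns the repository root."""
    base = tempfile.mkdtemp(prefix="hgpath-")
    root = os.path.join(base, "repo")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "sub"))
    os.mkdir(outside)
    os.symlink(outside, os.path.join(root, "link"))
    return root


def audit(root: str, rel: str) -> dict:
    """Run both checks on one repository-relative path."""
    return {"lexical": inside_lexical(root, rel), "resolved": inside_resolved(root, rel)}


if __name__ == "__main__":
    repo = build_fixture()
    for candidate in ("sub/file.txt", "../escape.txt", "link/evil.txt"):
        print(f"{candidate:16} {audit(repo, candidate)}")
```

Both checks reject `../escape.txt`, but only the resolving check rejects `link/evil.txt`, which is the shape of write the advisory describes. Rejecting symlink components outright, rather than only resolving the final path, also closes the window in which a link that points inside the repository at check time is retargeted before the write.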
CVE-2018-17983
9.1 - Critical
- October 04, 2018
cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry.
Out-of-bounds Read
CVE-2018-13346
7.5 - High
- July 06, 2018
The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004.
Improper Input Validation
CVE-2018-13347
9.8 - Critical
- July 06, 2018
mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.
Integer Overflow or Wraparound
CVE-2018-13348
7.5 - High
- July 06, 2018
The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.
Improper Input Validation
CVE-2018-1000132
9.1 - Critical
- March 14, 2018
Mercurial version 4.5 and earlier contains an Incorrect Access Control (CWE-285) vulnerability in the protocol server that can result in unauthorized data access. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.
Incorrect Permission Assignment for Critical Resource
CVE-2017-17458
9.8 - Critical
- December 07, 2017
In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.
Shell injection
CVE-2016-3630
8.8 - High
- April 13, 2016
The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.
Data Processing Errors
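The three mpatch entries (CVE-2018-13346, CVE-2018-13347, CVE-2018-13348) and the "short records" case of CVE-2016-3630 are all failures to validate a binary delta before using its fields. The following is an added example, not Mercurial's mpatch.c or any other Mercurial code: a small decoder for a fragment stream whose layout is assumed from the "12 bytes" in the descriptions (three big-endian 32-bit ints `start`, `end`, `length`, then `length` bytes of data). `apply_unchecked` believes every field; `apply_checked` rejects a truncated header, a negative field, a fragment whose start or end lies outside the original, and data that runs past the end of the patch. The function names and the sample inputs are constructed for this example.

```python
import struct

# Assumed fragment layout: start, end, length as big-endian signed 32-bit ints (12 bytes),
# followed by `length` bytes that replace orig[start:end].
HEADER = struct.Struct(">iii")


class MalformedPatch(ValueError):
    """Raised when a fragment header or its data cannot be trusted."""


def fragment(start: int, end: int, data: bytes) -> bytes:
    """Encode one fragment; used here only to build sample patches."""
    return HEADER.pack(start, end, len(data)) + data


def apply_unchecked(orig: bytes, patch: bytes) -> bytes:
    """Vulnerable shape: every header field is believed.
    Python slicing clamps instead of reading past a buffer, so the result is
    silently wrong; the same trust in C reads or writes out of bounds."""
    out, last, pos = [], 0, 0
    while pos < len(patch):
        start, end, length = HEADER.unpack_from(patch, pos)
        pos += HEADER.size
        out.append(orig[last:start])
        out.append(patch[pos:pos + length])
        pos += length
        last = end
    out.append(orig[last:])
    return b"".join(out)


def apply_checked(orig: bytes, patch: bytes) -> bytes:
    """Hardened shape: validate each field against what is actually available
    before it is used as an offset or a length."""
    out, last, pos = [], 0, 0
    n = len(patch)
    while pos < n:
        if n - pos < HEADER.size:                      # CVE-2018-13348 class: short record
            raise MalformedPatch(f"truncated header at offset {pos}")
        start, end, length = HEADER.unpack_from(patch, pos)
        pos += HEADER.size
        if min(start, end, length) < 0:                # CVE-2018-13347 class: wrapped values
            raise MalformedPatch(f"negative field in header at offset {pos - HEADER.size}")
        if start < last or end < start or end > len(orig):   # CVE-2018-13346 class
            raise MalformedPatch(f"fragment [{start},{end}) outside original of {len(orig)} bytes")
        if length > n - pos:                           # data would run past the patch
            raise MalformedPatch(f"fragment data ({length} bytes) runs past end of patch")
        out.append(orig[last:start])
        out.append(patch[pos:pos + length])
        pos += length
        last = end
    out.append(orig[last:])
    return b"".join(out)


def rejection_reason(orig: bytes, patch: bytes):
    """Return the MalformedPatch message for a bad patch, or None if it applies cleanly."""
    try:
        apply_checked(orig, patch)
    except MalformedPatch as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    ORIG = b"hello world"                              # constructed sample input
    good = fragment(6, 11, b"there")
    print(apply_checked(ORIG, good))                   # b'hello there'
    print(apply_unchecked(ORIG, fragment(20, 25, b"X")))   # start past end: silently wrong
    print(rejection_reason(ORIG, fragment(20, 25, b"X")))
    print(rejection_reason(ORIG, good[:8]))            # truncated header
```

Python's unbounded integers remove the wraparound itself, so the equivalent of the integer-overflow guard here is refusing negative fields and bounding every value before it becomes an offset; in C the size arithmetic on `length` and `end - start` must additionally be checked for overflow before the output buffer is sized.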