The GStreamer project reports multiple security vulnerabilities fixed in the 1.28.1 release:
+++ +Twelve security vulnerabilities were addressed, including:
++
+- Out-of-bounds reads and writes in the H.266 video parser, WAV parser, + MP4 and ASF demuxers, and DVB subtitle decoder.
+- Integer overflows in the RIFF parser and Huffman table handling in the JPEG parser.
+- Stack buffer overflows in the RTP QDM2 depayloader and H.266 parser.
+These could lead to application crashes or potentially arbitrary code execution.
+
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed.
CVE-2026-2809: Memory safety bug in the JavaScript: WebAssembly component.
CVE-2026-2808: Integer overflow in the JavaScript: Standard Library component.
CVE-2026-2807: Memory safety bugs present in Firefox 147 and Thunderbird 147
CVE-2026-2806: Uninitialized memory in the Graphics: Text component.
CVE-2026-2805: Invalid pointer in the DOM: Core & HTML component.
CVE-2026-2804: Use-after-free in the JavaScript: WebAssembly component.
CVE-2026-2803: Information disclosure, mitigation bypass in the Settings UI component.
CVE-2026-2802: Race condition in the JavaScript: GC component.
CVE-2026-2801: Incorrect boundary conditions in the JavaScript: WebAssembly component.
CVE-2026-2799: Use-after-free in the DOM: Core & HTML component.
CVE-2026-2798: Use-after-free in the DOM: Core & HTML component.
CVE-2026-2797: Use-after-free in the JavaScript: GC component.
CVE-2026-2796: JIT miscompilation in the JavaScript: WebAssembly component
CVE-2026-2795: Use-after-free in the JavaScript: GC component.
Gitlab reports:
Cross-site Scripting issue in Mermaid sandbox impacts GitLab CE/EE
Denial of Service issue in container registry impacts GitLab CE/EE
Denial of Service issue in Jira events endpoint impacts GitLab CE/EE
Regular Expression Denial of Service issue in GitLab merge requests impacts GitLab CE/EE
Missing rate limit in Bitbucket Server importer impacts GitLab CE/EE
Denial of Service issue in CI trigger API impacts GitLab CE/EE
Denial of Service issue in token decoder impacts GitLab CE/EE
Improper Access Control issue in Conan package registry impacts GitLab EE
Access Control issue in CI job mutation impacts GitLab CE/EE
Mailpit author reports:
The Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction.
The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow.
In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns.
The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic.
Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.
If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has configured one.
In this case, cooperating processes in the two jails may establish a connection using a unix domain socket and exchange directory descriptors with each other.
When performing a filesystem name lookup, at each step of the lookup, the kernel checks whether the lookup would descend below the jail root of the current process. If the jail root directory is not encountered, the lookup continues.
In a configuration where processes in two different jails are able to exchange file descriptors using a unix domain socket, it is possible for a jailed process to receive a directory for a descriptor that is below that process' jail root. This enables full filesystem access for a jailed process, breaking the chroot.
Note that the system administrator is still responsible for ensuring that an unprivileged user on the jail host is not able to pass directory descriptors to a jailed process, even in a patched kernel.
The Vaultwarden project reports:
- GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user (fully encrypted) if they already know its internal UUID.
- GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an organization to modify collections they can access, even if they do not have management permissions for them.
- GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with manager-level access within an organization to modify collections they are not assigned.
Cary Phillips reports:
[openexr] v3.4.5 [...] fixes an incorrect size check in istream_nonparallel_read that could lead to a buffer overflow on invalid input data.
Jenkins Security Advisory:
Description
(High) SECURITY-3669 / CVE-2026-27099
Stored XSS vulnerability in node offline cause description
(Medium) SECURITY-3658 / CVE-2026-27100
Build information disclosure vulnerability through Run Parameter
https://bugzilla.mozilla.org/show_bug.cgi?id=2014390 reports:
Heap buffer overflow in libvpx.
Chrome Releases reports:
This update includes 3 security fixes:
- [477033835] High CVE-2026-2648: Heap buffer overflow in PDFium. Reported by soiax on 2026-01-19
- [481074858] High CVE-2026-2649: Integer overflow in V8. Reported by JunYoung Park(@candymate) of KAIST Hacking Lab on 2026-02-03
- [476461867] Medium CVE-2026-2650: Heap buffer overflow in Media. Reported by Google on 2026-01-18
PowerDNS Team reports:
2025-07: Internal logic flaw in cache management can lead to a denial of service in Recursor
2025-08: Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor
2026-01: Crafted zones can lead to increased resource usage in Recursor
2026-01: This problem can be triggered by publishing and querying a crafted zone that causes large memory usage.
https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3 reports:
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.
The traefik project reports:
There is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service
https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh reports:
MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.
Chrome Releases reports:
This update includes 1 security fix:
- [483569511] High CVE-2026-2441: Use after free in CSS. Reported by Shaheen Fazim on 2026-02-11
expat team reports:
Update contains 2 security fixes:
- CVE-2026-24515: NULL dereference in function XML_ExternalEntityParserCreate
- CVE-2026-25210: missing check for integer overflow in function doContent
The PostgreSQL project reports:
Improper validation of type oidvector in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely.
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database.
Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database.
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database.
Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation.
https://jira.mongodb.org/browse/SERVER-113685 reports:
An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index.
https://jira.mongodb.org/browse/SERVER-99119 reports:
An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints.
https://jira.mongodb.org/browse/SERVER-114126 reports:
Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.
https://jira.mongodb.org/browse/SERVER-102364 reports:
MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression.
https://jira.mongodb.org/browse/SERVER-113532 reports:
Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the primary. This could stall replication inside the replica set leading to server crash.
Gitlab reports:
Incomplete Validation issue in Web IDE impacts GitLab CE/EE
Denial of Service issue in GraphQL introspection impacts GitLab CE/EE
Denial of Service issue in JSON validation middleware impacts GitLab CE/EE
Cross-site Scripting issue in Code Flow impacts GitLab CE/EE
HTML Injection issue in test case titles impacts GitLab CE/EE
Denial of Service issue in Markdown processor impacts GitLab CE/EE
Denial of Service issue in Markdown Preview impacts GitLab CE/EE
Denial of Service issue in dashboard impacts GitLab EE
Server-Side Request Forgery issue in Virtual Registry impacts GitLab EE
Improper Validation issue in diff parser impacts GitLab CE/EE
Server-Side Request Forgery issue in Git repository import impacts GitLab CE/EE
Authorization Bypass issue in iterations API impacts GitLab EE
Missing Authorization issue in GLQL API impacts GitLab CE/EE
Stored HTML Injection issue in project label impacts GitLab CE/EE
Authorization Bypass issue in Pipeline Schedules API impacts GitLab CE/EE
Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives.
Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes before it is able to exec the helper. At this point, blocklistd still records adverse events but is unable to block new addresses or unblock addresses whose database entries have expired.
Once a second, much higher number of leaked sockets is reached, blocklistd becomes unable to receive new adverse event reports.
An attacker may take advantage of this by triggering a large number of adverse events from sacrificial IP addresses to effectively disable blocklistd before launching an attack.
Even in the absence of attacks or probes by would-be attackers, adverse events will occur regularly in the course of normal operations, and blocklistd will gradually run out file descriptors and become ineffective.
The accumulation of open sockets may have knock-on effects on other parts of the system, resulting in a general slowdown until blocklistd is restarted.
Chrome Releases reports:
This update includes 2 security fixes:
- [478942410] High CVE-2026-1861: Heap buffer overflow in libvpx. Reported by Google on 2026-01-26
- [479726070] High CVE-2026-1862: Type Confusion in V8. Reported by Chaoyuan Peng (@ret2happy) on 2026-01-29
The Roundcube project reports:
Unspecified CSS injection vulnerability.
Remote image blocking bypass via SVG content.
Qt qtwebengine-chromium repo reports:
Backports for 7 security bugs in Chromium:
- CVE-2025-13638: Prevent media element GC in callbacks in WebMediaPlayerMS
- CVE-2025-13639: Improve validation of SDP direction in remote description
- CVE-2025-13720: Avoid downcasting Hash and Integrity reports
- CVE-2025-14174: Metal: Don't use pixelsDepthPitch to size buffers
- CVE-2025-14765: Polyfill unary negation and abs for amd mesa frontend
- CVE-2026-0908: Use CheckedNumerics in HandleAllocator
- CVE-2026-1504: Block opaque 416 responses to non-range requests
An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials.
Authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/{token}). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage.
The traefik project reports:
There is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled.A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entrypoint.
The Python project announces a new release with several security fixes:
- CVE-2026-1299: gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).
- gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs.
- gh-143925: Reject control characters in data: URL media types.
- gh-143919: Reject control characters in http.cookies.Morsel fields and values.
- CVE-2026-0865: gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters.
Denis Skvortsov, Security Researcher at Kaspersky reports:
xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system.
Tim Wojtulewicz of Corelight reports:
Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding or Content-Length headers set in MIME entities within HTTP bodies and change the analyzer behavior.
Chrome Releases reports:
This update includes 1 security fix:
- [474435504] High CVE-2026-1504: Inappropriate implementation in Background Fetch API. Reported by Luan Herrera (@lbherrera_) on 2026-01-09
https://bugzilla.mozilla.org/show_bug.cgi?id=2007302 reports:
Mitigation bypass in the Privacy: Anti-Tracking component.
Use-after-free in the Layout: Scrolling and Overflow component.
By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.
If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.
In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.
The OpenSSL project reports:
- Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)
- Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
- NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)
- "openssl dgst" one-shot codepath silently truncates inputs >16MB (CVE-2025-15469)
- TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)
- Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
- Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
- Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
- Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
- NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
- Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
- ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)
Oracle reports:
Oracle reports multiple vulnerabilities in its MySQL server products.
https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx reports:
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Chrome Releases reports:
This update includes 1 security fix:
- [473851441] High CVE-2026-1220: Race in V8. Reported by @p1nky4745 on 2026-01-07
Gitlab reports:
Denial of Service issue in Jira Connect integration impacts GitLab CE/EE
Incorrect Authorization issue in Releases API impacts GitLab CE/EE
Unchecked Return Value issue in authentication services impacts GitLab CE/EE
Infinite Loop issue in Wiki redirects impacts GitLab CE/EE
Denial of Service issue in API endpoint impacts GitLab CE/EE
Mailpit author reports:
Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection (GHSA-54wq-72mp-cq7c)
Prevent Server-Side Request Forgery (SSRF) via HTML Check API (GHSA-6jxm-fv7w-rw5j)
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
A flaw was found in the crypto/x509 package in the Go standard library. This vulnerability allows a certificate validation bypass via an excluded subdomain constraint in a certificated chain as it does not restrict the usage of wildcard SANs in the leaf certificate.
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
Denial-of-service in the DOM: Service Workers component.
Information disclosure in the XML component.
Sandbox escape in the Messaging System component.
Memory safety bugs present in firefox-esr 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146.
Spoofing issue in the DOM: Copy & Paste and Drag & Drop component.
Clickjacking issue and information disclosure in the PDF Viewer component.
Use-after-free in the JavaScript: GC component.
Use-after-free in the JavaScript Engine component.
Information disclosure in the Networking component.
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component.
Incorrect boundary conditions in the Graphics component.
Use-after-free in the IPC component.
Sandbox escape due to integer overflow in the Graphics component.
Sandbox escape due to incorrect boundary conditions in the Graphics component.
Mitigation bypass in the DOM: Security component.
Chrome Releases reports:
This update includes 10 security fixes:
- [458914193] High CVE-2026-0899: Out of bounds memory access in V8. Reported by @p1nky4745 on 2025-11-08
- [465730465] High CVE-2026-0900: Inappropriate implementation in V8. Reported by Google on 2025-12-03
- [40057499] High CVE-2026-0901: Inappropriate implementation in Blink. Reported by Irvan Kurniawan (sourc7) on 2021-10-04
- [469143679] Medium CVE-2026-0902: Inappropriate implementation in V8. Reported by 303f06e3 on 2025-12-16
- [444803530] Medium CVE-2026-0903: Insufficient validation of untrusted input in Downloads. Reported by Azur on 2025-09-13
- [452209495] Medium CVE-2026-0904: Incorrect security UI in Digital Credentials. Reported by Hafiizh on 2025-10-15
- [465466773] Medium CVE-2026-0905: Insufficient policy enforcement in Network. Reported by Google on 2025-12-02
- [467448811] Low CVE-2026-0906: Incorrect security UI. Reported by Khalil Zhani on 2025-12-10
- [444653104] Low CVE-2026-0907: Incorrect security UI in Split View. Reported by Hafiizh on 2025-09-12
- [452209503] Low CVE-2026-0908: Use after free in ANGLE. Reported by Glitchers BoB 14th. on 2025-10-15
https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986 reports:
virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.
oss-security@ list reports:
Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.
Gitlab reports:
Stored Cross-site Scripting issue in GitLab Flavored Markdown placeholders impacts GitLab CE/EE
Cross-site Scripting issue in Web IDE impacts GitLab CE/EE
Missing Authorization issue in Duo Workflows API impacts GitLab EE
Missing Authorization issue in AI GraphQL mutation impacts GitLab EE
Denial of Service issue in import functionality impacts GitLab CE/EE
Insufficient Access Control Granularity issue in GraphQL runnerUpdate mutation impacts GitLab CE/EE
Information Disclosure issue in Mermaid diagram rendering impacts GitLab CE/EE
Mailpit author reports:
The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability.
An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time.
phpMyFAQ team reports:
Stored cross-site scripting (XSS) and unauthenticated config backup download vulnerability
Chrome Releases reports:
This update includes 1 security fix:
- [463155954] High CVE-2026-0628: Insufficient policy enforcement in WebView tag. Reported by Gal Weizman on 2025-11-23
Libsodium maintainer reports:
The function crypto_core_ed25519_is_valid_point(), a low-level function used to check if a given elliptic curve point is valid, was supposed to reject points that aren't in the main cryptographic group, but some points were slipping through.
Mailpit author reports:
A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources.
The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.
net-snmp development team reports:
A specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash.
The GStreamer Security Center reports:
Multiple out-of-bounds reads in the MIDI parser that can cause crashes for certain input files.