diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml index 41aae6cf82d3..0c1ce94f5902 100644 --- a/security/vuxml/vuln/2026.xml +++ b/security/vuxml/vuln/2026.xml @@ -1,1341 +1,1423 @@ + + PostgreSQL -- Multiple vulnerabilities + + + postgresql14-server + 14.21 + + + postgresql15-server + 15.16 + + + postgresql16-server + 16.12 + + + postgresql17-server + 17.8 + + + postgresql18-server + 18.2 + + + postgresql14-server + 14.21 + + + + +

The PostgreSQL project reports:

+
+

+ Improper validation of type oidvector in PostgreSQL + allows a database user to disclose a few bytes of server + memory. We have not ruled out viability of attacks that + arrange for presence of confidential information in + disclosed bytes, but they seem unlikely. +

+

+ Missing validation of type of input in PostgreSQL + intarray extension selectivity estimator function allows + an object creator to execute arbitrary code as the + operating system user running the database. +

+

+ Heap buffer overflow in PostgreSQL pgcrypto allows a + ciphertext provider to execute arbitrary code as the + operating system user running the database. +

+

+ Missing validation of multibyte character length in + PostgreSQL text manipulation allows a database user to + issue crafted queries that achieve a buffer overrun. + That suffices to execute arbitrary code as the operating + system user running the database. +

+

+ Heap buffer overflow in PostgreSQL pg_trgm allows a + database user to achieve unknown impacts via a crafted + input string. The attacker has limited control over the + byte patterns to be written, but we have not ruled out + the viability of attacks that lead to privilege + escalation. +

+
+ +
+ + CVE-2026-2003 + CVE-2026-2004 + CVE-2026-2005 + CVE-2026-2006 + CVE-2026-2007 + https://www.postgresql.org/about/news/postgresql-182-178-1612-1516-and-1421-released-3235/ + + + 2026-02-12 + 2026-02-12 + +
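Review bot: the affects list in this hunk carries postgresql14-server twice with the same 14.21 bound (first and last package entries); drop the duplicate, or correct the name if the second entry was meant for another package. Worth a second look as well: three of the five quoted issues (the intarray selectivity estimator, the pgcrypto heap overflow, the pg_trgm heap overflow) live in extensions that the ports tree builds as the separate postgresqlNN-contrib packages, so a host with only a -contrib package installed would not be flagged by this entry as written; if the fixed versions are the same, list those packages with the same bounds.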
MongoDB Server -- CWE-704 Incorrect Type Conversion or Cast
Affected packages: mongodb70 < 7.0.29

https://jira.mongodb.org/browse/SERVER-113685 reports:

An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index.

References: CVE-2026-25613, https://cveawg.mitre.org/api/cve/CVE-2026-25613
Dates: discovery 2026-02-10, entry 2026-02-12
MongoDB Server -- CWE-617 Reachable Assertion
Affected packages: mongodb80 < 8.0.13

https://jira.mongodb.org/browse/SERVER-99119 reports:

An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints.

References: CVE-2026-25610, https://cveawg.mitre.org/api/cve/CVE-2026-25610
Dates: discovery 2026-02-10, entry 2026-02-12
MongoDB Server -- Multiple vulnerabilities
Affected packages: mongodb80 < 8.0.18

https://jira.mongodb.org/browse/SERVER-114126 reports:

Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.

https://jira.mongodb.org/browse/SERVER-102364 reports:

MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression.

https://jira.mongodb.org/browse/SERVER-113532 reports:

Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the primary. This could stall replication inside the replica set leading to server crash.

References: CVE-2026-1850, CVE-2026-1849, CVE-2026-1847; https://cveawg.mitre.org/api/cve/CVE-2026-1850, https://cveawg.mitre.org/api/cve/CVE-2026-1849, https://cveawg.mitre.org/api/cve/CVE-2026-1847
Dates: discovery 2026-02-10, entry 2026-02-12
Gitlab -- vulnerabilities
Affected packages: gitlab-ce, gitlab-ee: 18.8.0 <= version < 18.8.4; 18.7.0 <= version < 18.7.4; 8.0.0 <= version < 18.6.6

Gitlab reports:

Incomplete Validation issue in Web IDE impacts GitLab CE/EE

Denial of Service issue in GraphQL introspection impacts GitLab CE/EE

Denial of Service issue in JSON validation middleware impacts GitLab CE/EE

Cross-site Scripting issue in Code Flow impacts GitLab CE/EE

HTML Injection issue in test case titles impacts GitLab CE/EE

Denial of Service issue in Markdown processor impacts GitLab CE/EE

Denial of Service issue in Markdown Preview impacts GitLab CE/EE

Denial of Service issue in dashboard impacts GitLab EE

Server-Side Request Forgery issue in Virtual Registry impacts GitLab EE

Improper Validation issue in diff parser impacts GitLab CE/EE

Server-Side Request Forgery issue in Git repository import impacts GitLab CE/EE

Authorization Bypass issue in iterations API impacts GitLab EE

Missing Authorization issue in GLQL API impacts GitLab CE/EE

Stored HTML Injection issue in project label impacts GitLab CE/EE

Authorization Bypass issue in Pipeline Schedules API impacts GitLab CE/EE

References: CVE-2025-7659, CVE-2025-8099, CVE-2026-0958, CVE-2025-14560, CVE-2026-0595, CVE-2026-1458, CVE-2026-1456, CVE-2026-1387, CVE-2025-12575, CVE-2026-1094, CVE-2025-12073, CVE-2026-1080, CVE-2025-14592, CVE-2026-1282, CVE-2025-14594; https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released/
Dates: discovery 2026-02-10, entry 2026-02-11
FreeBSD -- blocklistd(8) socket leak
Affected packages: FreeBSD 15.0 <= version < 15.0_3

Problem Description:

Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives.

Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes before it is able to exec the helper. At this point, blocklistd still records adverse events but is unable to block new addresses or unblock addresses whose database entries have expired.

Once a second, much higher number of leaked sockets is reached, blocklistd becomes unable to receive new adverse event reports.

Impact:

An attacker may take advantage of this by triggering a large number of adverse events from sacrificial IP addresses to effectively disable blocklistd before launching an attack.

Even in the absence of attacks or probes by would-be attackers, adverse events will occur regularly in the course of normal operations, and blocklistd will gradually run out of file descriptors and become ineffective.

The accumulation of open sockets may have knock-on effects on other parts of the system, resulting in a general slowdown until blocklistd is restarted.

References: CVE-2026-2261, FreeBSD SA-26:03.blocklistd
Dates: discovery 2026-02-10, entry 2026-02-11
chromium -- multiple security fixes
Affected packages: chromium < 144.0.7559.132; ungoogled-chromium < 144.0.7559.132

Chrome Releases reports:

This update includes 2 security fixes:

  • [478942410] High CVE-2026-1861: Heap buffer overflow in libvpx. Reported by Google on 2026-01-26
  • [479726070] High CVE-2026-1862: Type Confusion in V8. Reported by Chaoyuan Peng (@ret2happy) on 2026-01-29
References: CVE-2026-1861, CVE-2026-1862; https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html
Dates: discovery 2026-02-03, entry 2026-02-09
Roundcube -- Multiple vulnerabilities
Affected packages: roundcube-php82, roundcube-php83, roundcube-php84, roundcube-php85 < 1.6.13,1

The Roundcube project reports:

Unspecified CSS injection vulnerability.

Remote image blocking bypass via SVG content.

References: https://github.com/roundcube/roundcubemail/releases/tag/1.6.13
Dates: discovery 2026-02-08, entry 2026-02-08
qt6-webengine -- multiple vulnerabilities
Affected packages: qt6-pdf, qt6-webengine < 6.10.2

Qt qtwebengine-chromium repo reports:

Backports for 7 security bugs in Chromium:

  • CVE-2025-13638: Prevent media element GC in callbacks in WebMediaPlayerMS
  • CVE-2025-13639: Improve validation of SDP direction in remote description
  • CVE-2025-13720: Avoid downcasting Hash and Integrity reports
  • CVE-2025-14174: Metal: Don't use pixelsDepthPitch to size buffers
  • CVE-2025-14765: Polyfill unary negation and abs for amd mesa frontend
  • CVE-2026-0908: Use CheckedNumerics in HandleAllocator
  • CVE-2026-1504: Block opaque 416 responses to non-range requests
References: CVE-2025-13638, CVE-2025-13639, CVE-2025-13720, CVE-2025-14174, CVE-2025-14765, CVE-2026-0908, CVE-2026-1504; https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=134-based
Dates: discovery 2026-02-02, entry 2026-02-08
navidrome -- multiple vulnerabilities
Affected packages: navidrome < 0.60.0

An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials.

Authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/{token}). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage.

References: CVE-2026-25578, https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w; CVE-2026-25579, https://github.com/navidrome/navidrome/security/advisories/GHSA-hrr4-3wgr-68x3
Dates: discovery 2026-02-03, entry 2026-02-07
traefik -- ACME TLS-ALPN fast path potential DoS
Affected packages: traefik < 3.6.7

The traefik project reports:

There is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entrypoint.

References: CVE-2026-22045, https://nvd.nist.gov/vuln/detail/CVE-2026-22045
Dates: discovery 2026-01-15, entry 2026-02-07
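Traefik's own fix in 3.6.7 is not reproduced here. As an added illustration of the general mitigation for the class of problem the advisory describes (a client that opens a TLS connection, sends little or nothing, and then idles while the server waits), the following Go program is a small handshake guard on top of crypto/tls: it bounds how long one accepted connection may spend in the handshake and caps the number of handshakes in flight, closing the raw socket when either limit bites. The self-signed certificate, the 300 ms timeout, the slot count and the loopback listener are constructed for the example and are not values taken from Traefik or the advisory.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedConfig builds a throwaway server certificate so the example runs
// with no files; a real entrypoint would serve its ACME-issued certificates.
func selfSignedConfig() (*tls.Config, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "handshake-guard-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	return &tls.Config{Certificates: []tls.Certificate{cert}}, nil
}

// HandshakeGuard bounds what an idle or half-sent ClientHello would otherwise
// consume without limit: time spent in one handshake, and the number of
// handshakes in flight (each holding a goroutine and a file descriptor).
type HandshakeGuard struct {
	timeout time.Duration
	slots   chan struct{}
}

func NewHandshakeGuard(timeout time.Duration, maxInflight int) *HandshakeGuard {
	return &HandshakeGuard{timeout: timeout, slots: make(chan struct{}, maxInflight)}
}

// Serve runs the TLS handshake for one accepted connection. On timeout,
// handshake error or slot exhaustion the raw connection is closed, so the
// descriptor is released the moment the handshake fails.
func (g *HandshakeGuard) Serve(raw net.Conn, cfg *tls.Config) (*tls.Conn, error) {
	select {
	case g.slots <- struct{}{}:
	default:
		raw.Close()
		return nil, errors.New("handshake slots exhausted")
	}
	defer func() { <-g.slots }()

	ctx, cancel := context.WithTimeout(context.Background(), g.timeout)
	defer cancel()
	tc := tls.Server(raw, cfg)
	// HandshakeContext closes raw itself when ctx expires and reports ctx.Err().
	if err := tc.HandshakeContext(ctx); err != nil {
		raw.Close()
		return nil, err
	}
	return tc, nil
}

func main() {
	cfg, err := selfSignedConfig()
	if err != nil {
		panic(err)
	}
	guard := NewHandshakeGuard(300*time.Millisecond, 8)

	// Case 1: the socket is opened but no ClientHello ever arrives.
	server, client := net.Pipe()
	_, err = guard.Serve(server, cfg)
	fmt.Println("silent client:", err)
	client.Close()

	// Case 2: a well-behaved client over loopback TCP completes normally.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	go func() { // InsecureSkipVerify only because the demo cert is self-signed
		c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true})
		if err == nil {
			c.Close()
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		panic(err)
	}
	tc, err := guard.Serve(raw, cfg)
	fmt.Println("well-behaved client:", err, tc != nil)
	raw.Close()
}
```

The handshake deadline is the part that directly addresses the advisory's scenario; the slot cap is the second line of defence, since a timeout alone still lets an attacker hold up to (connection rate x timeout) descriptors at once. In a real accept loop Serve would run per connection in its own goroutine, and the TLS config would be the entrypoint's normal one.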
python -- several security vulnerabilities
Affected packages: python310 (all versions; no fixed version listed); python311 < 3.11.14_2; python312 (all versions; no fixed version listed); python313 < 3.13.12; python313t < 3.13.12; python314 < 3.14.3

The Python project announces a new release with several security fixes:

  • CVE-2026-1299: gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).
  • gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs.
  • gh-143925: Reject control characters in data: URL media types.
  • gh-143919: Reject control characters in http.cookies.Morsel fields and values.
  • CVE-2026-0865: gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters.
References: CVE-2026-1299, CVE-2026-0865; https://docs.python.org/release/3.14.3/whatsnew/changelog.html
Dates: discovery 2026-01-16, entry 2026-02-04
xrdp -- remote code execution
Affected packages: xrdp < 0.10.5

Denis Skvortsov, Security Researcher at Kaspersky reports:

xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system.

References: CVE-2025-68670, https://www.cve.org/CVERecord?id=CVE-2025-68670
Dates: discovery 2025-12-06, entry 2026-01-27
zeek -- potential DoS vulnerability
Affected packages: zeek < 8.0.6

Tim Wojtulewicz of Corelight reports:

Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding or Content-Length headers set in MIME entities within HTTP bodies and change the analyzer behavior.

References: https://github.com/zeek/zeek/releases/tag/v8.0.6
Dates: discovery 2026-01-29, entry 2026-01-29
chromium -- security fix
Affected packages: chromium < 144.0.7559.109; ungoogled-chromium < 144.0.7559.109

Chrome Releases reports:

This update includes 1 security fix:

  • [474435504] High CVE-2026-1504: Inappropriate implementation in Background Fetch API. Reported by Luan Herrera (@lbherrera_) on 2026-01-09
References: CVE-2026-1504, https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html
Dates: discovery 2026-01-27, entry 2026-01-28
Firefox -- Multiple vulnerabilities
Affected packages: firefox < 147.0.2,2

https://bugzilla.mozilla.org/show_bug.cgi?id=2007302 reports:

Mitigation bypass in the Privacy: Anti-Tracking component.

Use-after-free in the Layout: Scrolling and Overflow component.

References: CVE-2026-24868, https://cveawg.mitre.org/api/cve/CVE-2026-24868; CVE-2026-24869, https://cveawg.mitre.org/api/cve/CVE-2026-24869
Dates: discovery 2026-01-27, entry 2026-01-28
FreeBSD -- Jail escape by a privileged user via nullfs
Affected packages: FreeBSD-kernel 14.3 <= version < 14.3_8; 13.5 <= version < 13.5_9

Problem Description:

By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.

If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.

Impact:

In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.

References: CVE-2025-15547, FreeBSD SA-26:02.jail
Dates: discovery 2026-01-27, entry 2026-01-28
OpenSSL -- Multiple vulnerabilities
Affected packages: FreeBSD 15.0 <= version < 15.0_2; 14.3 <= version < 14.3_8; 13.5 <= version < 13.5_9; openssl < 3.0.19,1; openssl33 < 3.3.6; openssl34 < 3.4.4; openssl35 < 3.5.5; openssl36 < 3.6.1; openssl < 3.0.19 (second openssl range as listed in the entry)

The OpenSSL project reports:

  • Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)
  • Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
  • NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)
  • "openssl dgst" one-shot codepath silently truncates inputs >16MB (CVE-2025-15469)
  • TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)
  • Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
  • Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
  • Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
  • Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
  • NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
  • Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
  • ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)
References: CVE-2025-11187, CVE-2025-15467, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796; https://openssl-library.org/news/secadv/20260127.txt; FreeBSD SA-26:01.openssl
Dates: discovery 2026-01-27, entry 2026-01-27, modified 2026-01-28
MySQL -- Multiple vulnerabilities
Affected packages: mysql80-server < 8.0.45; mysql84-server < 8.4.8; mysql91-server < 9.1.3; mysql94-server < 9.4.3

Oracle reports:

Oracle reports multiple vulnerabilities in its MySQL server products.

References: CVE-2026-21949, CVE-2026-21950, CVE-2026-21968, CVE-2026-21929, CVE-2026-21936, CVE-2026-21937, CVE-2026-21941, CVE-2026-21948, CVE-2026-21952, CVE-2026-21964, CVE-2026-21965; https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL
Dates: discovery 2026-01-20, entry 2026-01-24
wheel -- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected packages: py310-wheel, py311-wheel, py312-wheel, py313-wheel, py313t-wheel, py314-wheel < 0.46.2

https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx reports:

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.

References: CVE-2026-24049, https://cveawg.mitre.org/api/cve/CVE-2026-24049
Dates: discovery 2026-01-22, entry 2026-01-22
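The bug class the advisory describes (data written to a sanitised path, permissions then applied to a path rebuilt from the raw archive header) is language-neutral, so here is an added example of the correct pattern written in Go to match the other added examples on this page; it is not wheel's code, which is Python, and the archives it builds are constructed samples rather than real wheels. One sanitised destination is computed per member and used for both the write and the chmod, ".." escapes are rejected, non-regular members (symlinks, devices) are refused, and only the rwx bits are applied.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// member is one constructed archive entry: sample data, not a real wheel.
type member struct{ Name string; Mode os.FileMode; Body string }

// buildArchive writes members into an in-memory zip so the example runs offline.
func buildArchive(members []member) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, m := range members {
		h := &zip.FileHeader{Name: m.Name, Method: zip.Deflate}
		h.SetMode(m.Mode)
		fw, _ := w.CreateHeader(h) // sample builder: errors deliberately ignored
		fw.Write([]byte(m.Body))
	}
	w.Close()
	return buf.Bytes()
}

// SampleArchives returns a benign package (script + data file) and the
// advisory's traversal case: a member name outside the root with 0777 bits.
func SampleArchives() (benign, hostile []byte) {
	benign = buildArchive([]member{
		{"demo/bin/tool", 0o755, "#!/bin/sh\necho tool\n"},
		{"demo/README", 0o644, "constructed sample\n"},
	})
	hostile = buildArchive([]member{{"../../outside.sh", 0o777, "#!/bin/sh\n"}})
	return benign, hostile
}

// destFor maps a member name under root and refuses anything that resolves
// outside it; absolute names are re-rooted, ".." escapes are rejected.
func destFor(root, name string) (string, error) {
	dest := filepath.Join(root, filepath.FromSlash(name))
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("member %q escapes %s", name, root)
	}
	return dest, nil
}

// writeMember copies one regular member to dest and then applies its rwx bits
// to that same dest; Perm() drops setuid/setgid/sticky on the way.
func writeMember(f *zip.File, dest string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	body, err := io.ReadAll(rc)
	rc.Close()
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
		return err
	}
	if err := os.WriteFile(dest, body, 0o644); err != nil {
		return err
	}
	return os.Chmod(dest, f.Mode().Perm())
}

// Unpack extracts archive under root and returns the paths it wrote. The wheel
// bug was a chmod on a path rebuilt from the raw header name after the write
// path had been sanitised; here the one sanitised dest serves both steps.
func Unpack(archive []byte, root string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err // includes zip.ErrInsecurePath where that check is enabled
	}
	var written []string
	for _, f := range zr.File {
		dest, err := destFor(root, f.Name)
		if err != nil {
			return written, err
		}
		if mode := f.Mode(); mode.IsDir() {
			continue // parents are created as files need them
		} else if !mode.IsRegular() {
			return written, fmt.Errorf("refusing non-regular member %q", f.Name)
		}
		if err := writeMember(f, dest); err != nil {
			return written, err
		}
		written = append(written, dest)
	}
	return written, nil
}

func main() {
	root, _ := os.MkdirTemp("", "unpack-demo-")
	benign, hostile := SampleArchives()
	fmt.Println(Unpack(benign, root))
	fmt.Println(Unpack(hostile, root))
	os.RemoveAll(root)
}
```

Rejecting the hostile member outright (rather than silently re-rooting it, as some extractors do) is a deliberate choice: an archive that carries a traversal name is hostile as a whole, and stopping at the first such member leaves nothing half-installed with attacker-chosen bits.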
chromium -- multiple security fixes
Affected packages: chromium < 144.0.7559.96; ungoogled-chromium < 144.0.7559.96

Chrome Releases reports:

This update includes 1 security fix:

  • [473851441] High CVE-2026-1220: Race in V8. Reported by @p1nky4745 on 2026-01-07
References: CVE-2026-1220, https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_20.html
Dates: discovery 2026-01-20, entry 2026-01-22
Gitlab -- vulnerabilities
Affected packages: gitlab-ce, gitlab-ee: 18.8.0 <= version < 18.8.2; 18.7.0 <= version < 18.7.2; 11.9.0 <= version < 18.6.4

Gitlab reports:

Denial of Service issue in Jira Connect integration impacts GitLab CE/EE

Incorrect Authorization issue in Releases API impacts GitLab CE/EE

Unchecked Return Value issue in authentication services impacts GitLab CE/EE

Infinite Loop issue in Wiki redirects impacts GitLab CE/EE

Denial of Service issue in API endpoint impacts GitLab CE/EE

References: CVE-2025-13927, CVE-2025-13928, CVE-2026-0723, CVE-2025-13335, CVE-2026-1102; https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/
Dates: discovery 2026-01-21, entry 2026-01-21
mail/mailpit -- multiple vulnerabilities
Affected packages: mailpit < 1.28.3

Mailpit author reports:

Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection (GHSA-54wq-72mp-cq7c)

Prevent Server-Side Request Forgery (SSRF) via HTML Check API (GHSA-6jxm-fv7w-rw5j)

References: CVE-2026-23829, https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c; CVE-2026-23845, https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j
Dates: discovery 2026-01-18, entry 2026-01-19
oauth2-proxy -- multiple vulnerabilities
Affected packages: oauth2-proxy < 7.14.1

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

A flaw was found in the crypto/x509 package in the Go standard library. This vulnerability allows a certificate validation bypass via an excluded subdomain constraint in a certificate chain, as it does not restrict the usage of wildcard SANs in the leaf certificate.

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

References: CVE-2025-61729, CVE-2025-61727, CVE-2025-47914, CVE-2025-58181
Dates: discovery 2026-01-16, entry 2026-01-18
Mozilla -- multiple vulnerabilities
Affected packages: firefox < 147.0.0,2; thunderbird < 147.0.0

Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

Denial-of-service in the DOM: Service Workers component.

Information disclosure in the XML component.

Sandbox escape in the Messaging System component.

References: CVE-2026-0892, CVE-2026-0889, CVE-2026-0888, CVE-2026-0881
Dates: discovery 2026-01-13, entry 2026-01-15
Mozilla -- multiple vulnerabilities
Affected packages: firefox < 147.0.0,2; firefox-esr < 140.7.0; thunderbird < 147

Memory safety bugs present in firefox-esr 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146.

Spoofing issue in the DOM: Copy & Paste and Drag & Drop component.

Clickjacking issue and information disclosure in the PDF Viewer component.

Use-after-free in the JavaScript: GC component.

Use-after-free in the JavaScript Engine component.

Information disclosure in the Networking component.

Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component.

References: CVE-2026-0891, CVE-2026-0890, CVE-2026-0887, CVE-2026-0885, CVE-2026-0884, CVE-2026-0883, CVE-2026-0878
Dates: discovery 2026-01-13, entry 2026-01-15
Mozilla -- multiple vulnerabilities
Affected packages: firefox < 147.0.0,2; firefox-esr < 140.7; thunderbird < 147.0.0

Incorrect boundary conditions in the Graphics component.

Use-after-free in the IPC component.

Sandbox escape due to integer overflow in the Graphics component.

Sandbox escape due to incorrect boundary conditions in the Graphics component.

Mitigation bypass in the DOM: Security component.

References: CVE-2026-0886, CVE-2026-0882, CVE-2026-0880, CVE-2026-0879, CVE-2026-0877
Dates: discovery 2026-01-13, entry 2026-01-15
chromium -- multiple security fixes
Affected packages: chromium < 144.0.7559.59; ungoogled-chromium < 144.0.7559.59

Chrome Releases reports:

This update includes 10 security fixes:

  • [458914193] High CVE-2026-0899: Out of bounds memory access in V8. Reported by @p1nky4745 on 2025-11-08
  • [465730465] High CVE-2026-0900: Inappropriate implementation in V8. Reported by Google on 2025-12-03
  • [40057499] High CVE-2026-0901: Inappropriate implementation in Blink. Reported by Irvan Kurniawan (sourc7) on 2021-10-04
  • [469143679] Medium CVE-2026-0902: Inappropriate implementation in V8. Reported by 303f06e3 on 2025-12-16
  • [444803530] Medium CVE-2026-0903: Insufficient validation of untrusted input in Downloads. Reported by Azur on 2025-09-13
  • [452209495] Medium CVE-2026-0904: Incorrect security UI in Digital Credentials. Reported by Hafiizh on 2025-10-15
  • [465466773] Medium CVE-2026-0905: Insufficient policy enforcement in Network. Reported by Google on 2025-12-02
  • [467448811] Low CVE-2026-0906: Incorrect security UI. Reported by Khalil Zhani on 2025-12-10
  • [444653104] Low CVE-2026-0907: Incorrect security UI in Split View. Reported by Hafiizh on 2025-09-12
  • [452209503] Low CVE-2026-0908: Use after free in ANGLE. Reported by Glitchers BoB 14th. on 2025-10-15
References: CVE-2026-0899, CVE-2026-0900, CVE-2026-0901, CVE-2026-0902, CVE-2026-0903, CVE-2026-0904, CVE-2026-0905, CVE-2026-0906, CVE-2026-0907, CVE-2026-0908; https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
Dates: discovery 2026-01-13, entry 2026-01-15
virtualenv -- CWE-59: Improper Link Resolution Before File Access ('Link Following')
Affected packages: py310-virtualenv, py311-virtualenv, py312-virtualenv, py313-virtualenv, py313t-virtualenv, py314-virtualenv < 20.36.1

https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986 reports:

virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

References: CVE-2026-22702, https://cveawg.mitre.org/api/cve/CVE-2026-22702
Dates: discovery 2026-01-10, entry 2026-01-12
libtasn1 -- Stack-based buffer overflow
Affected packages: libtasn1 < 4.21.0

oss-security@ list reports:

Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.

References: CVE-2025-13151, https://nvd.nist.gov/vuln/detail/CVE-2025-13151
Dates: discovery 2026-01-07, entry 2026-01-11
Gitlab -- vulnerabilities
Affected packages: gitlab-ce, gitlab-ee: 18.7.0 <= version < 18.7.1; 18.6.0 <= version < 18.6.3; 8.3.0 <= version < 18.5.5

Gitlab reports:

Stored Cross-site Scripting issue in GitLab Flavored Markdown placeholders impacts GitLab CE/EE

Cross-site Scripting issue in Web IDE impacts GitLab CE/EE

Missing Authorization issue in Duo Workflows API impacts GitLab EE

Missing Authorization issue in AI GraphQL mutation impacts GitLab EE

Denial of Service issue in import functionality impacts GitLab CE/EE

Insufficient Access Control Granularity issue in GraphQL runnerUpdate mutation impacts GitLab CE/EE

Information Disclosure issue in Mermaid diagram rendering impacts GitLab CE/EE

References: CVE-2025-9222, CVE-2025-13761, CVE-2025-13772, CVE-2025-13781, CVE-2025-10569, CVE-2025-11246, CVE-2025-3950; https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
Dates: discovery 2026-01-07, entry 2026-01-11
mail/mailpit -- Cross-Site WebSocket Hijacking
Affected packages: mailpit < 1.28.2

Mailpit author reports:

The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability.

An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time.

References: CVE-2026-22689, https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm
Dates: discovery 2026-01-10, entry 2026-01-10
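Mailpit's own fix in 1.28.2 is not shown here. As an added example of the check the advisory says was missing, the Go program below (not Mailpit's code) puts an Origin policy in front of a WebSocket endpoint: a handshake carrying an Origin that is neither the host the request was sent to nor an explicitly allowed origin is refused with 403 before any protocol switch. The endpoint path /api/events, the listening host localhost:8025 and the extra allowed origin http://localhost:5173 are assumptions for the example; the handler returns 200 where a real upgrader would switch protocols, so the decision is observable without a WebSocket library.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// OriginPolicy is the check a WebSocket endpoint must run before upgrading.
// Browsers always attach Origin to a WebSocket handshake, so a connection
// driven from a hostile page is identifiable; non-browser clients (curl,
// SDKs) send no Origin and are not a cross-site vector.
type OriginPolicy struct {
	// Extra origins allowed besides the request's own host, for example a
	// separate dev frontend (assumed value, see main).
	AllowedOrigins []string
}

// Allow returns true when Origin is absent, matches the Host the request was
// sent to, or is on the allow-list. Anything else, including "null", is refused.
func (p OriginPolicy) Allow(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	if strings.EqualFold(u.Host, r.Host) {
		return true
	}
	for _, a := range p.AllowedOrigins {
		if strings.EqualFold(a, origin) {
			return true
		}
	}
	return false
}

// EventsHandler stands in for the WebSocket endpoint. A real upgrader (for
// instance gorilla/websocket's Upgrader.CheckOrigin hook) would take the
// policy's decision at exactly this point, before switching protocols.
func EventsHandler(p OriginPolicy) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !p.Allow(r) {
			http.Error(w, "websocket origin not allowed", http.StatusForbidden)
			return
		}
		if !strings.EqualFold(r.Header.Get("Upgrade"), "websocket") {
			http.Error(w, "expected websocket upgrade", http.StatusBadRequest)
			return
		}
		// The protocol switch would happen here; 200 makes the decision visible.
		fmt.Fprintln(w, "upgrade accepted")
	})
}

// Probe sends a constructed handshake for host with the given Origin header
// (empty means none) and returns the HTTP status the endpoint answered with.
func Probe(p OriginPolicy, host, origin string) int {
	req := httptest.NewRequest(http.MethodGet, "http://"+host+"/api/events", nil)
	req.Header.Set("Upgrade", "websocket")
	req.Header.Set("Connection", "Upgrade")
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	EventsHandler(p).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	p := OriginPolicy{AllowedOrigins: []string{"http://localhost:5173"}}
	for _, origin := range []string{
		"http://localhost:8025", "", "http://localhost:5173",
		"https://attacker.example", "null",
	} {
		fmt.Printf("Origin=%-26q -> %d\n", origin, Probe(p, "localhost:8025", origin))
	}
}
```

Comparing the Origin's host with the Host header is the same-origin rule most WebSocket libraries apply by default; the vulnerable behaviour is an upgrader configured to skip that comparison. Allowing an absent Origin is a judgement call: it keeps scripts and tests working, and a browser cannot omit the header on a WebSocket handshake. For a tool that, like Mailpit, listens on localhost without authentication, the Origin check is the only thing standing between a visited web page and the mailbox contents, so it has to be strict.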
phpmyfaq -- multiple vulnerabilities
Affected packages: phpmyfaq-php82, phpmyfaq-php83, phpmyfaq-php84, phpmyfaq-php85 < 4.0.16

phpMyFAQ team reports:

Stored cross-site scripting (XSS) and unauthenticated config backup download vulnerability

References: https://www.phpmyfaq.de/security/advisory-2025-12-29/
Dates: discovery 2025-12-29, entry 2026-01-10
chromium -- multiple security fixes
Affected packages: chromium < 143.0.7499.192; ungoogled-chromium < 143.0.7499.192

Chrome Releases reports:

This update includes 1 security fix:

  • [463155954] High CVE-2026-0628: Insufficient policy enforcement in WebView tag. Reported by Gal Weizman on 2025-11-23
References: CVE-2026-0628, https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop.html
Dates: discovery 2026-01-06, entry 2026-01-07
security/libsodium -- crypto_core_ed25519_is_valid_point mishandles checks for whether an elliptic curve point is valid
Affected packages: libsodium < 1.0.21

Libsodium maintainer reports:

The function crypto_core_ed25519_is_valid_point(), a low-level function used to check if a given elliptic curve point is valid, was supposed to reject points that aren't in the main cryptographic group, but some points were slipping through.

References: CVE-2025-69277, https://00f.net/2025/12/30/libsodium-vulnerability/
Dates: discovery 2025-12-30, entry 2026-01-07
mail/mailpit -- Server-Side Request Forgery
Affected packages: mailpit < 1.28.1

Mailpit author reports:

A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources.

The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.

References: CVE-2026-21859, https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr
Dates: discovery 2026-01-06, entry 2026-01-06
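Mailpit's own fix for /proxy is not shown. As an added example (Go, not Mailpit's code) of the target validation a proxy-style endpoint needs before fetching a user-supplied URL, the program below checks the scheme, resolves the host, rejects every answer that falls in a loopback, private, link-local (cloud metadata lives there), unique-local, multicast, unspecified or carrier-grade NAT range, and hands back the single ip:port that the caller must dial. The hostnames and their DNS answers are constructed (fakeLookup); in production the lookup would be net.DefaultResolver.LookupIPAddr.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Resolver abstracts DNS so the policy can be exercised offline;
// production code passes net.DefaultResolver.LookupIPAddr.
type Resolver func(ctx context.Context, host string) ([]net.IPAddr, error)

// cgnat is RFC 6598 shared address space, which net.IP.IsPrivate does not cover.
var cgnat = &net.IPNet{IP: net.IPv4(100, 64, 0, 0), Mask: net.CIDRMask(10, 32)}

// IsInternalIP reports whether a proxy endpoint must refuse to connect to ip:
// loopback, RFC 1918, link-local (which includes the cloud metadata address
// 169.254.169.254), unique-local IPv6, multicast, unspecified and CGNAT.
func IsInternalIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4 // IPv4-mapped IPv6 such as ::ffff:10.0.0.1 is judged as IPv4
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() ||
		cgnat.Contains(ip)
}

// ResolveProxyTarget validates a user-supplied URL for a /proxy-style endpoint
// and returns the single "ip:port" the caller must dial. Returning the checked
// address rather than the hostname lets the HTTP client pin its dial to it,
// which closes the DNS-rebinding window between the check and the connect.
func ResolveProxyTarget(ctx context.Context, raw string, lookup Resolver) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return "", errors.New("empty host")
	}
	port := u.Port()
	if port == "" {
		port = map[string]string{"http": "80", "https": "443"}[u.Scheme]
	}
	var addrs []net.IP
	if ip := net.ParseIP(host); ip != nil {
		addrs = []net.IP{ip}
	} else {
		resolved, err := lookup(ctx, host)
		if err != nil {
			return "", err
		}
		for _, a := range resolved {
			addrs = append(addrs, a.IP)
		}
	}
	if len(addrs) == 0 {
		return "", fmt.Errorf("no addresses for %q", host)
	}
	// Every answer must pass: a name that mixes public and internal records
	// is a rebinding or split-horizon trick, not a legitimate target.
	for _, ip := range addrs {
		if IsInternalIP(ip) {
			return "", fmt.Errorf("%s resolves to internal address %s", host, ip)
		}
	}
	return net.JoinHostPort(addrs[0].String(), port), nil
}

// fakeLookup is a constructed DNS table for the hostnames assumed below.
func fakeLookup(_ context.Context, host string) ([]net.IPAddr, error) {
	table := map[string][]string{
		"public.example":   {"198.51.100.7"},
		"internal.example": {"10.0.0.5"},
		"mixed.example":    {"198.51.100.7", "127.0.0.1"},
	}
	var out []net.IPAddr
	for _, s := range table[host] {
		out = append(out, net.IPAddr{IP: net.ParseIP(s)})
	}
	if out == nil {
		return nil, fmt.Errorf("no such host %q", host)
	}
	return out, nil
}

func main() {
	for _, raw := range []string{
		"https://public.example/status",
		"http://internal.example/admin",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:192.168.1.1]:8080/",
		"http://mixed.example/",
	} {
		addr, err := ResolveProxyTarget(context.Background(), raw, fakeLookup)
		fmt.Printf("%-42s -> %q %v\n", raw, addr, err)
	}
}
```

Two things the validation alone does not cover and the caller has to handle: the http.Transport's DialContext must connect to the returned ip:port (keeping the original hostname for SNI and the Host header) instead of resolving again, and the client's CheckRedirect must run the same check on every redirect target, because a public host that answers 302 to http://169.254.169.254/ defeats a check done only on the initial URL.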
net-mgmt/net-snmp -- Remote Code Execution (snmptrapd)
Affected packages: net-snmp < 5.9.5

net-snmp development team reports:

A specially crafted packet to a net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash.

References: CVE-2025-68615, https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq
Dates: discovery 2025-12-23, entry 2026-01-06
gstreamer1-plugins-bad -- Out-of-bounds reads in MIDI parser
Affected packages: gstreamer1-plugins-bad < 1.26.10

The GStreamer Security Center reports:

Multiple out-of-bounds reads in the MIDI parser that can cause crashes for certain input files.

References: CVE-2025-67326, CVE-2025-67327; https://gstreamer.freedesktop.org/security/sa-2025-0009.html
Dates: discovery 2025-12-27, entry 2026-01-04