The Python project announces a new release with several security fixes:
- CVE-2026-1299: gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).
- gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs.
- gh-143925: Reject control characters in data: URL media types.
- gh-143919: Reject control characters in http.cookies.Morsel fields and values.
- CVE-2026-0865: gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters.
Denis Skvortsov, Security Researcher at Kaspersky reports:
xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system.
Tim Wojtulewicz of Corelight reports:
Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding or Content-Length headers set in MIME entities within HTTP bodies and change the analyzer behavior.
Chrome Releases reports:
This update includes 1 security fix:
- [474435504] High CVE-2026-1504: Inappropriate implementation in Background Fetch API. Reported by Luan Herrera (@lbherrera_) on 2026-01-09
https://bugzilla.mozilla.org/show_bug.cgi?id=2007302 reports:
Mitigation bypass in the Privacy: Anti-Tracking component.
Use-after-free in the Layout: Scrolling and Overflow component.
By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.
If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.
In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.
The OpenSSL project reports:
- Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)
- Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
- NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)
- "openssl dgst" one-shot codepath silently truncates inputs >16MB (CVE-2025-15469)
- TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)
- Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
- Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
- Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
- Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
- NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
- Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
- ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)
Oracle reports:
Oracle reports multiple vulnerabilities in its MySQL server products.
https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx reports:
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Chrome Releases reports:
This update includes 1 security fix:
- [473851441] High CVE-2026-1220: Race in V8. Reported by @p1nky4745 on 2026-01-07
Gitlab reports:
Denial of Service issue in Jira Connect integration impacts GitLab CE/EE
Incorrect Authorization issue in Releases API impacts GitLab CE/EE
Unchecked Return Value issue in authentication services impacts GitLab CE/EE
Infinite Loop issue in Wiki redirects impacts GitLab CE/EE
Denial of Service issue in API endpoint impacts GitLab CE/EE
Mailpit author reports:
Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection (GHSA-54wq-72mp-cq7c)
Prevent Server-Side Request Forgery (SSRF) via HTML Check API (GHSA-6jxm-fv7w-rw5j)
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
A flaw was found in the crypto/x509 package in the Go standard library. This vulnerability allows a certificate validation bypass via an excluded subdomain constraint in a certificated chain as it does not restrict the usage of wildcard SANs in the leaf certificate.
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
Denial-of-service in the DOM: Service Workers component.
Information disclosure in the XML component.
Sandbox escape in the Messaging System component.
Memory safety bugs present in firefox-esr 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146.
Spoofing issue in the DOM: Copy & Paste and Drag & Drop component.
Clickjacking issue and information disclosure in the PDF Viewer component.
Use-after-free in the JavaScript: GC component.
Use-after-free in the JavaScript Engine component.
Information disclosure in the Networking component.
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component.
Incorrect boundary conditions in the Graphics component.
Use-after-free in the IPC component.
Sandbox escape due to integer overflow in the Graphics component.
Sandbox escape due to incorrect boundary conditions in the Graphics component.
Mitigation bypass in the DOM: Security component.
Chrome Releases reports:
This update includes 10 security fixes:
- [458914193] High CVE-2026-0899: Out of bounds memory access in V8. Reported by @p1nky4745 on 2025-11-08
- [465730465] High CVE-2026-0900: Inappropriate implementation in V8. Reported by Google on 2025-12-03
- [40057499] High CVE-2026-0901: Inappropriate implementation in Blink. Reported by Irvan Kurniawan (sourc7) on 2021-10-04
- [469143679] Medium CVE-2026-0902: Inappropriate implementation in V8. Reported by 303f06e3 on 2025-12-16
- [444803530] Medium CVE-2026-0903: Insufficient validation of untrusted input in Downloads. Reported by Azur on 2025-09-13
- [452209495] Medium CVE-2026-0904: Incorrect security UI in Digital Credentials. Reported by Hafiizh on 2025-10-15
- [465466773] Medium CVE-2026-0905: Insufficient policy enforcement in Network. Reported by Google on 2025-12-02
- [467448811] Low CVE-2026-0906: Incorrect security UI. Reported by Khalil Zhani on 2025-12-10
- [444653104] Low CVE-2026-0907: Incorrect security UI in Split View. Reported by Hafiizh on 2025-09-12
- [452209503] Low CVE-2026-0908: Use after free in ANGLE. Reported by Glitchers BoB 14th. on 2025-10-15
https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986 reports:
virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.
oss-security@ list reports:
Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.
Gitlab reports:
Stored Cross-site Scripting issue in GitLab Flavored Markdown placeholders impacts GitLab CE/EE
Cross-site Scripting issue in Web IDE impacts GitLab CE/EE
Missing Authorization issue in Duo Workflows API impacts GitLab EE
Missing Authorization issue in AI GraphQL mutation impacts GitLab EE
Denial of Service issue in import functionality impacts GitLab CE/EE
Insufficient Access Control Granularity issue in GraphQL runnerUpdate mutation impacts GitLab CE/EE
Information Disclosure issue in Mermaid diagram rendering impacts GitLab CE/EE
Mailpit author reports:
The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability.
An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time.
phpMyFAQ team reports:
Stored cross-site scripting (XSS) and unauthenticated config backup download vulnerability
Chrome Releases reports:
This update includes 1 security fix:
- [463155954] High CVE-2026-0628: Insufficient policy enforcement in WebView tag. Reported by Gal Weizman on 2025-11-23
Libsodium maintainer reports:
The function crypto_core_ed25519_is_valid_point(), a low-level function used to check if a given elliptic curve point is valid, was supposed to reject points that aren't in the main cryptographic group, but some points were slipping through.
Mailpit author reports:
A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources.
The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.
net-snmp development team reports:
A specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash.
The GStreamer Security Center reports:
Multiple out-of-bounds reads in the MIDI parser that can cause crashes for certain input files.