diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml index 4c2fa0230a0b..2ed681d7420c 100644 --- a/security/vuxml/vuln/2026.xml +++ b/security/vuxml/vuln/2026.xml @@ -1,148 +1,177 @@ + + phpmyfaq -- multiple vulnerabilities + + + phpmyfaq-php82 + phpmyfaq-php83 + phpmyfaq-php84 + phpmyfaq-php85 + 4.0.16 + + + + +

phpMyFAQ team reports:

+
+

Stored cross-site scripting (XSS) and unauthenticated config backup + download vulnerability

+
+ +
+ + https://www.phpmyfaq.de/security/advisory-2025-12-29/ + + + 2025-12-29 + 2026-01-10 + +
+ chromium -- multiple security fixes chromium 143.0.7499.192 ungoogled-chromium 143.0.7499.192

Chrome Releases reports:

This update includes 1 security fix:

  • [463155954] High CVE-2026-0628: Insufficient policy enforcement in WebView tag. Reported by Gal Weizman on 2025-11-23
CVE-2026-0628 https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop.html 2026-01-06 2026-01-07
security/libsodium -- crypto_core_ed25519_is_valid_point mishandles checks for whether an elliptic curve point is valid libsodium 1.0.21

Libsodium maintainer reports:

The function crypto_core_ed25519_is_valid_point(), a low-level function used to check if a given elliptic curve point is valid, was supposed to reject points that aren't in the main cryptographic group, but some points were slipping through.

CVE-2025-69277 https://00f.net/2025/12/30/libsodium-vulnerability/ 2025-12-30 2026-01-07
mail/mailpit -- Server-Side Request Forgery mailpit 1.28.1

Mailpit author reports:

A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources.

The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.

CVE-2026-21859 https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr 2026-01-06 2026-01-06
net-mgmt/net-snmp -- Remote Code Execution (snmptrapd) net-snmp 5.9.5

net-snmp development team reports:

A specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash.

CVE-2025-68615 https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq 2025-12-23 2026-01-06
gstreamer1-plugins-bad -- Out-of-bounds reads in MIDI parser gstreamer1-plugins-bad 1.26.10

The GStreamer Security Center reports:

Multiple out-of-bounds reads in the MIDI parser that can cause crashes for certain input files.

CVE-2025-67326 CVE-2025-67327 https://gstreamer.freedesktop.org/security/sa-2025-0009.html 2025-12-27 2026-01-04