diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index e5be717ee640..033747a96dd5 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,13769 +1,13793 @@
+ Unsupported versions: [...] End of life: 2025-10-31. PowerDNS Team reports: It has been brought to our attention that the Recursor does not
apply strict enough validation of received delegation information.
The malicious delegation information can be sent by an attacker
spoofing packets. Chrome Releases reports: This update includes 20 security fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1993113 reports: Starting with Firefox 142, it was possible for a
compromised child process to trigger a use-after-free in the
GPU or browser process using WebGPU-related IPC calls.
This may have been usable to escape the child process
sandbox. https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc reports: Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal') vulnerability in Erlang OTP
(stdlib modules) allows Absolute Path Traversal, File Manipulation.
This vulnerability is associated with program files lib/stdlib/src/zip.erl
and program routines zip:unzip/1, zip:unzip/2, zip:extract/1,
zip:extract/2unless the memory option is passed. This issue
affects OTP from OTP 17.0 until OTP28.0.1, OTP27.3.4.1 and
OTP26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1,
6.2.2.1 and 5.2.3.4. Internet Systems Consortium, Inc. reports: To trigger the issue, three configuration parameters
must have specific settings: "hostname-char-set" must be
left at the default setting, which is "[^A-Za-z0-9.-]";
"hostname-char-replacement" must be empty (the default);
and "ddns-qualifying-suffix" must NOT be empty (the default is empty).
DDNS updates do not need to be enabled for this issue to manifest.
A client that sends certain option content would then
cause kea-dhcp4 to exit unexpectedly.
This addresses CVE-2025-11232 [#4142, #4155]. https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g reports: An integer overflow exists in the FTS5 https://sqlite.org/fts5.html
extension. It occurs when the size of an array of tombstone
pointers is calculated and truncated into a 32-bit integer.
A pointer to partially controlled data can then be written
out of bounds. Michal Čihař reports: Upon authentication, the user could be associated by e-mail even if the
associate_by_email pipeline was not included. This could lead to account
compromise when a third-party authentication service does not validate
provided e-mail addresses or doesn't require unique e-mail addresses. http://sqlite3.com reports: Integer Overflow vulnerability in SQLite SQLite3 v.3.50.0
allows a remote attacker to cause a denial of service via
the setupLookaside function PrivateBin reports: We've identified an HTML injection/XSS vulnerability in the PrivateBin
service that allows the injection of arbitrary HTML markup via the attached
filename. Xu Biang reports: The eap-mschapv2 plugin doesn't correctly check the length of an EAP-MSCHAPv2 Failure Request packet on the client,
which can cause an integer underflow that leads to a crash and, depending on the compiler options, even a heap-based
buffer overflow that's potentially exploitable for remote code execution. Affected are all strongSwan versions since 4.2.12. Chrome Releases reports: This update includes 1 security fix: sep@nlnetlabs.nl reports: NLnet Labs Unbound up to and including version 1.24.0 is vulnerable
to possible domain hijack attacks. Promiscuous NS RRSets that
complement positive DNS replies in the authority section can be
used to trick resolvers to update their delegation information for
the zone. Usually these RRSets are used to update the resolver's
knowledge of the zone's name servers. A malicious actor can
exploit the possible poisonous effect by injecting NS RRSets (and
possibly their respective address records) in a reply. This could
be done for example by trying to spoof a packet or fragmentation
attacks. Unbound would then proceed to update the NS RRSet data
it already has since the new data has enough trust for it, i.e.,
in-zone data for the delegation point. Unbound 1.24.1 includes a
fix that scrubs unsolicited NS RRSets (and their respective address
records) from replies mitigating the possible poison effect. Mateusz Szymaniec and CERT Polska Reports: RT is vulnerable to XSS via calendar invitations added to a
ticket. Thanks to Mateusz Szymaniec and CERT Polska for
reporting this finding. Gareth Watkin-Jones from 4armed reports: RT is vulnerable to CSV injection via ticket values with
special characters that are exported to a TSV from search
results. Thanks to Gareth Watkin-Jones from 4armed for
reporting this finding. Connected sockets are not intended to belong to load-balancing
groups. However, the kernel failed to check the connection state
of sockets when adding them to load-balancing groups. Furthermore,
when looking up the destination socket for an incoming packet, the
kernel will match a socket belonging to a load-balancing group even
if it is connected. Connected sockets are only supposed to receive packets originating
from the connected host. The above behavior violates this contract. Software which sets SO_REUSEPORT_LB on a socket and then connects
it to a host will not observe any problems. However, due to its
membership in a load-balancing group, that socket will receive
packets originating from any host. This breaks the contract of the
connect(2) and implied connect via sendto(2), and may leave the
application vulnerable to spoofing attacks. Gitlab reports: Improper access control issue in runner API impacts GitLab EE Denial of service issue in event collection impacts GitLab CE/EE Denial of service issue in JSON validation impacts GitLab CE/EE Denial of service issue in upload impacts GitLab CE/EE Incorrect Authorization issue in pipeline builds impacts GitLab CE Business logic error issue in group memberships impacts GitLab EE Missing authorization issue in quick actions impacts GitLab EE Chrome Releases reports: This update includes 1 security fix: Chrome Releases reports: This update includes 3 security fixes: cna@mongodb.com reports: An authorized user may crash the MongoDB server by
causing buffer over-read. This can be done by issuing a DDL
operation while queries are being issued, under some
conditions. Icinga reports: An authorized user with access to Icinga DB Web, can use
a custom variable in a filter that is either protected by
icingadb/protect/variables or hidden by icingadb/denylist/variables,
to guess values assigned to it. security@mozilla.org reports: A malicious page could have used the type attribute of an OBJECT
tag to override the default browser behavior when encountering a
web resource served without a content-type. This could have
contributed to an XSS on a site that unsafely serves files without
a content-type header. security@mozilla.org reports: There was a way to change the value of JavaScript Object
properties that were supposed to be non-writeable. security@mozilla.org reports: A compromised web process using malicious IPC messages
could have caused the privileged browser process to reveal
blocks of its memory to the compromised process. security@mozilla.org reports: A compromised web process was able to trigger out of
bounds reads and writes in a more privileged process using
manipulated WebGL textures. security@mozilla.org reports: Use-after-free in MediaTrackGraphImpl::GetInstance() security@mozilla.org reports: Memory safety bugs. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort
some of these could have been exploited to run arbitrary
code. security@mozilla.org reports: Memory safety bugs. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort
some of these could have been exploited to run arbitrary
code. security@mozilla.org reports: Memory safety bug. This bug showed evidence of memory
corruption and we presume that with enough effort this could
have been exploited to run arbitrary code. security@mozilla.org reports: Sandbox excape due to integer overflow in the Graphics:
Canvas2D component security@mozilla.org reports: Some of these bugs showed evidence of memory corruption
and we presume that with enough effort some of these could
have been exploited to run arbitrary code. security@mozilla.org reports: This vulnerability affects Firefox < 143, Firefox ESR < 140.3,
Thunderbird < 143, and Thunderbird < 140.3. security@mozilla.org reports: Spoofing issue in the Site Permission component security@mozilla.org reports: Integer overflow in the SVG component mino reports: A privilege escalation vulnerability allows service accounts and STS
(Security Token Service) accounts with restricted session policies to
bypass their inline policy restrictions when performing "own" account
operations, specifically when creating new service accounts for the same
user. Tim Wojtulewicz of Corelight reports: The KRB analyzer can leak information about hosts in
analyzed traffic via external DNS lookups. security@mozilla.org reports: JIT miscompilation in the JavaScript Engine: JIT
component. Gitlab reports: Incorrect authorization issue in GraphQL mutations impacts GitLab EE Denial of Service issue in GraphQL blob type impacts GitLab CE/EE Missing authorization issue in manual jobs impacts GitLab CE/EE Denial of Service issue in webhook endpoints impacts GitLab CE/EE Ralph Slooten (Mailpit developer) reports: An HTTP endpoint was found which exposed expvar runtime
information (memory usage, goroutine counts, GC behavior,
uptime and potential runtime flags) due to the Prometheus
client library dependency. security@mozilla.org reports: The vulnerability has been assessed to have moderate
impact on affected systems, potentially allowing attackers
to exploit incorrect boundary conditions in the JavaScript
Garbage Collection component. In Thunderbird specifically,
these flaws cannot be exploited through email as scripting
is disabled when reading mail, but remain potential risks in
browser or browser-like contexts security@mozilla.org reports: The vulnerability has been rated as having moderate
impact, affecting both confidentiality and integrity
with low severity, while having no impact on
availability. For Thunderbird specifically, the
vulnerability cannot be exploited through email as
scripting is disabled when reading mail, but remains a
potential risk in browser or browser-like contexts security@mozilla.org reports: Sandbox escape due to use-after-free cna@mongodb.com reports: An authorized user can cause a crash in the MongoDB Server through
a specially crafted $group query. This vulnerability is related
to the incorrect handling of certain accumulator functions when
additional parameters are specified within the $group operation.
This vulnerability could lead to denial of service if triggered
repeatedly. cna@mongodb.com reports: MongoDB Server may allow upsert operations retried
within a transaction to violate unique index constraints,
potentially causing an invariant failure and server crash
during commit. This issue may be triggered by improper
WriteUnitOfWork state management. cna@mongodb.com reports: An improper setting of the lsid field on any sharded query can cause
a crash in MongoDB routers. This issue occurs when a generic
argument (lsid) is provided in a case when it is not applicable. cna@mongodb.com reports: MongoDB Server may access non-initialized region of
memory leading to unexpected behaviour when zero arguments
are called in internal aggregation stage. redis reports:
An authenticated user may use a specially crafted LUA script to read
out-of-bound data or crash the server and subsequent denial of
service.
The problem exists in all versions of Redis with Lua scripting
An additional workaround to mitigate the problem without patching
the redis-server executable is to prevent users from executing Lua
scripts. This can be done using ACL to block a script by restricting
both the EVAL and FUNCTION command families.
redis reports:
An authenticated user may use a specially crafted Lua script to
manipulate different LUA objects and potentially run their own code
in the context of another user
The problem exists in all versions of Redis with Lua scripting.
An additional workaround to mitigate the problem without patching
the redis-server executable is to prevent users from executing Lua
scripts. This can be done using ACL to block a script by restricting
both the EVAL and FUNCTION command families.
redis reports:
An authenticated user may use a specially crafted Lua script to
cause an integer overflow and potentially lead to remote code
execution
The problem exists in all versions of Redis with Lua scripting.
An additional workaround to mitigate the problem without patching
the redis-server executable is to prevent users from executing Lua
scripts. This can be done using ACL to block a script by restricting
both the EVAL and FUNCTION command families.
redis reports:
An authenticated user may use a specially crafted Lua script to
manipulate the garbage collector, trigger a use-after-free and
potentially lead to remote code execution.
The problem exists in all versions of Redis with Lua scripting.
An additional workaround to mitigate the problem without patching the
redis-server executable is to prevent users from executing Lua scripts.
This can be done using ACL to restrict EVAL and EVALSHA commands.
Qt qtwebengine-chromium repo reports: Backports for 9 security bugs in Chromium: Matthias Andree reports:
fetchmail's SMTP client, when configured to authenticate, is
susceptible to a protocol violation where, when a trusted but
malicious or malfunctioning SMTP server responds to an
authentication request with a "334" code but without a following
blank on the line, it will attempt to start reading from memory
address 0x1 to parse the server's SASL challenge. This address is
constant and not under the attacker's control. This event will
usually cause a crash of fetchmail.
Chrome Releases reports: This update includes 21 security fixes: Django reports: CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB. CVE-2025-59682: Potential partial directory-traversal via archive.extract(). Oracle reports: Vulnerability in the MySQL Connectors product of Oracle MySQL
(component: Connector/Python). Supported versions that are affected are
9.1.0 and prior. Easily exploitable vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MySQL
Connectors. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized creation, deletion or modification access to
critical data or all MySQL Connectors accessible data as well as
unauthorized read access to a subset of MySQL Connectors accessible data
and unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 6.4
(Confidentiality, Integrity and Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:H). The OpenSSL project reports reports: Out-of-bounds read & write in RFC 3211 KEK Unwrap Timing side-channel in SM2 algorithm on 64-bit ARM Fix Out-of-bounds read in HTTP client no_proxy handling The LibreSSL project reports: An incorrect length check can result in a 4-byte overwrite and an 8-byte overread. cve@mitre.org reports: GoldenDict 1.5.0 and 1.5.1 has an exposed dangerous
method that allows reading and modifying files when a user
adds a crafted dictionary and then searches for any term
included in that dictionary. secalert@redhat.com reports: A flaw was found in the Udisks daemon, where it allows unprivileged
users to create loop devices using the D-BUS system. This is
achieved via the loop device handler, which handles requests sent
through the D-BUS interface. As two of the parameters of this
handle, it receives the file descriptor list and index specifying
the file where the loop device should be backed. The function
itself validates the index value to ensure it isn't bigger
than the maximum value allowed. However, it fails to validate the
lower bound, allowing the index parameter to be a negative value.
Under these circumstances, an attacker can cause the UDisks daemon
to crash or perform a local privilege escalation by gaining access
to files owned by privileged users. Quiche Releases reports: This update includes 1 security fix: Quiche Releases reports: This update includes 2 security fixes: Gitlab reports: Denial of Service issue when uploading specifically crafted JSON files impacts GitLab CE/EE Denial of Service issue bypassing query complexity limits impacts GitLab CE/EE Information disclosure issue in virtual registery configuration for low privileged users impacts GitLab CE/EE Privilege Escalation issue from within the Developer role impacts GitLab EE Denial of Service issue in GraphQL API via Unbounded Array Parameters impacts GitLab CE/EE Improper Authorization issue for Project Maintainers when assigning roles impacts GitLab EE Denial of Service issue in GraphQL API blobSearch impacts GitLab CE/EE Incorrect ownership assignment via Move Issue drop-down impacts GitLab CE/EE Denial of Service issue via string conversion methods impacts GitLab CE/EE Gert Doering reports: Notable changes beta1 ->
beta2 are: [...] add proper input sanitation to DNS strings to
prevent an attack coming from a trusted-but-malicous OpenVPN server
(CVE: 2025-10680, affects unixoid systems with --dns-updown scripts
and windows using the built-in powershell call)
Lev Stipakov writes: On Linux (and similar platforms), those options are written to a tmp
file, which is later sourced by a script running as root. Since
options are controlled by the server, it is possible for a malicious
server to execute script injection attack [...]. The original report is credited to Stanislav Fort <disclosure@aisle.com>. security@open-xchange.com reports: In some circumstances, when DNSdist is configured to use the nghttp2
library to process incoming DNS over HTTPS queries, an attacker
might be able to cause a denial of service by crafting a DoH exchange
that triggers an unbounded I/O read loop, causing an unexpected
consumption of CPU resources. The offending code was introduced in
DNSdist 1.9.0-alpha1 so previous versions are not affected. Chrome Releases reports: This update includes 4 security fixes: Chrome Releases reports: This update includes 4 security fixes: security-advisories@github.com reports: The PCRE2 library is a set of C functions that implement regular
expression pattern matching. In version 10.45, a heap-buffer-overflow
read vulnerability exists in the PCRE2 regular expression matching
engine, specifically within the handling of the (*scs:...) (Scan
SubString) verb when combined with (*ACCEPT) in src/pcre2_match.c.
This vulnerability may potentially lead to information disclosure
if the out-of-bounds data read during the memcmp affects the final
match result in a way observable by the attacker. expat security advisory: libexpat allows attackers to trigger large dynamic memory allocations
via a small document that is submitted for parsing. Jenkins Security Advisory: HTTP/2 denial of service vulnerability in bundled Jetty Missing permission check allows obtaining agent names Missing permission check in authenticated users' profile menu Log message injection vulnerability F5 reports: When NGINX Unit with the Java Language Module is in use,
undisclosed requests can lead to an infinite loop and cause
an increase in CPU resource utilization. OpenPrinting reports: When the AuthType is set to anything but Basic, if the request contains an
Authorization: Basic ... header, the password is not checked. An unsafe deserialization and validation of printer attributes, causes null
dereference in libcups library. Chrome Releases reports: This update includes 2 security fixes: Gitlab reports: Denial of Service issue in SAML Responses impacts GitLab CE/EE Server-Side Request Forgery issue in Webhook custom header impacts GitLab CE/EE Denial of Service issue in User-Controllable Fields impacts GitLab CE/EE Denial of Service issue in endpoint file upload impacts GitLab CE/EE Denial of Service issue in token listing operations impacts GitLab CE/EE Information disclosure issue in runner endpoints impacts GitLab CE/EE Chrome Releases reports: This update includes 6 security fixes: Kevin Backhouse reports: A denial-of-service was found in Exiv2 version v0.28.5: a quadratic
algorithm in the ICC profile parsing code in jpegBase::readMetadata()
can cause Exiv2 to run for a long time. Exiv2 is a command-line utility
and C++ library for reading, writing, deleting, and modifying the
metadata of image files. The denial-of-service is triggered when Exiv2
is used to read the metadata of a crafted jpg image file. Kevin Backhouse reports: An out-of-bounds read was found in Exiv2 versions v0.28.5 and earlier.
Exiv2 is a command-line utility and C++ library for reading, writing,
deleting, and modifying the metadata of image files. The out-of-bounds
read is triggered when Exiv2 is used to write metadata into a crafted
image file. An attacker could potentially exploit the vulnerability to
cause a denial of service by crashing Exiv2, if they can trick the victim
into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata. For
example, to trigger the bug in the Exiv2 command-line application, you
need to add an extra command-line argument such as delete. Django reports: CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases. Internet2 reports: The Shibboleth Service Provider includes a storage API usable
for a number of different use cases such as the session cache,
replay cache, and relay state management. An ODBC extension
plugin is provided with some distributions of the software
(notably on Windows). A SQL injection vulnerability was identified in some of the
queries issued by the plugin, and this can be creatively
exploited through specially crafted inputs to exfiltrate
information stored in the database used by the SP. Zhengyu Liu, Jianjia Yu, Jelmer van Arnhem report: We discovered a remote code execution (RCE) vulnerability in the latest
release of the Vieb browser (v12.3.0). By luring a user to visit a
malicious website, an attacker can achieve arbitrary code execution on the
victim’s machine. Gitlab reports: Allocation of Resources Without Limits issue in import function impacts GitLab CE/EE Missing authentication issue in GraphQL endpoint impacts GitLab CE/EE Allocation of Resources Without Limits issue in GraphQL impacts GitLab CE/EE Code injection issue in GitLab repositories impacts GitLab CE/EE Internet Systems Consortium, Inc. reports: We corrected an issue in `kea-dhcp4` that caused
the server to abort if a client sent a broadcast request with particular
options, and Kea failed to find an appropriate subnet for that client.
This addresses CVE-2025-40779 [#4055, #4048]. Andy Shaw reports: When passing values outside of the expected range to QColorTransferGenericFunction
it can cause a denial of service, for example, this can happen when passing a
specifically crafted ICC profile to QColorSpace::fromICCProfile. Qt qtwebengine-chromium repo reports: Backports for 25 security bugs in Chromium: cve@mitre.org reports: In SQLite 3.49.0 before 3.49.1, certain argument values
to sqlite3_db_config (in the C-language API) can cause a
denial of service (application crash). An sz*nBig
multiplication is not cast to a 64-bit integer, and
consequently some memory allocations may be incorrect. perl-catalyst project reports: Catalyst::Authentication::Credential::HTTP versions 1.018
and earlier for Perl generate nonces using
the Perl Data::UUID library. * Data::UUID does not use a
strong cryptographic source for generating
UUIDs.* Data::UUID returns v3 UUIDs, which are generated
from known information and are unsuitable for
security, as per RFC 9562. * The nonces should be generated
from a strong cryptographic source, as per RFC 7616. security@mozilla.org reports: Memory safety bugs present in Firefox 141 and Thunderbird
141. Some of these bugs showed evidence of memory corruption
and we presume that with enough effort some of these could
have been exploited to run arbitrary code. security@mozilla.org reports: Memory safety bugs present in Firefox ESR 115.26, Firefox
ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1,
Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141.
Some of these bugs showed evidence of memory corruption and
we presume that with enough effort some of these could have
been exploited to run arbitrary code. security@mozilla.org reports: Spoofing issue in the Address Bar component. security@mozilla.org reports: 'Denial-of-service due to out-of-memory in the
Graphics: WebRender component.' security@mozilla.org reports: Uninitialized memory in the JavaScript Engine component. security@mozilla.org reports: 'Same-origin policy bypass in the Graphics: Canvas2D
component.' security@mozilla.org reports: An attacker was able to perform memory corruption in the GMP process
which processes encrypted media. This process is also heavily
sandboxed, but represents slightly different privileges from the
content process. F5 reports: NGINX Open Source and NGINX Plus have a vulnerability in the
ngx_mail_smtp_module that might allow an unauthenticated attacker to
over-read NGINX SMTP authentication process memory; as a result, the
server side may leak arbitrary bytes sent in a request to the
authentication server. This issue happens during the NGINX SMTP
authentication process and requires the attacker to make preparations
against the target system to extract the leaked data. The issue
affects NGINX only if (1) it is built with the ngx_mail_smtp_module,
(2) the smtp_auth directive is configured with method "none,"
and (3) the authentication server returns the "Auth-Wait" response
header. Chrome Releases reports: This update includes 6 security fixes: PostgreSQL project reports: Tighten security checks in planner estimation functions. Prevent pg_dump scripts from being used to attack the user running the restore. Convert newlines to spaces in names included in comments in pg_dump output. Gitlab reports: Cross-site scripting issue in blob viewer impacts GitLab CE/EE Cross-site scripting issue in labels impacts GitLab CE/EE Cross-site scripting issue in Workitem impacts GitLab CE/EE Improper Handling of Permissions issue in project API impacts GitLab CE/EE Incorrect Privilege Assignment issue in delete issues operation impacts GitLab CE/EE Allocation of Resources Without Limits issue in release name creation impacts GitLab CE/EE Incorrect Authorization issue in jobs API impacts GitLab CE/EE Authorization issue in Merge request approval policy impacts GitLab EE Inefficient Regular Expression Complexity issue in wiki impacts GitLab CE/EE Allocation of Resources Without Limits issue in Mattermost integration impacts GitLab CE/EE Incorrect Permission Assignment issue in ID token impacts GitLab CE/EE Insufficient Access Control issue in IP Restriction impacts GitLab EE Varnish Development Team reports: A denial of service attack can be performed on Varnish Cache servers
that have the HTTP/2 protocol turned on. An attacker can create a
large number of streams and immediately reset them without ever
reaching the maximum number of concurrent streams allowed for the
session, causing the Varnish server to consume unnecessary
resources processing requests for which the response will not be
delivered. This attack is a variant of the HTTP/2 Rapid Reset Attack, which was
partially handled as VSV00013. p5-Authen-SASL project reports: Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely. The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function.
The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header.
The built-in rand function is unsuitable for cryptographic usage. According to RFC 2831, The cnonce-value is an opaque quoted string value provided by the client and used by both client and server
to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice.
It is RECOMMENDED that it contain at least 64 bits of entropy. Chrome Releases reports: This update includes 12 security fixes: The Apache httpd project reports: 'RewriteCond expr' always evaluates to true in 2.4.64. An integer overflow in the archive_read_format_rar_seek_data()
function may lead to a double free problem. Exploiting a double free vulnerability can cause memory corruption.
This in turn could enable a threat actor to execute arbitrary code.
It might also result in denial of service. cve-coordination@google.com reports: An integer overflow can be triggered in SQLites `concat_ws()`
function. The resulting, truncated integer is then used to allocate
a buffer. When SQLite then writes the resulting string to the
buffer, it uses the original, untruncated size and thus a wild Heap
- Buffer overflow of size ~4GB can be triggered. This can result in
+ Buffer overflow of size ~4GB can be triggered. This can result in
arbitrary code execution. Deluan Quintão reports: A permission verification flaw in Navidrome allows any authenticated
regular user to bypass authorization checks and perform
administrator-only transcoding configuration operations, including
creating, modifying, and deleting transcoding settings. cve-coordination@google.com reports: An integer overflow in the sqlite3KeyInfoFromExprList function in
SQLite versions 3.39.2 through 3.41.1 allows an attacker with the
ability to execute arbitrary SQL statements to cause a denial of
service or disclose sensitive information from process memory via
a crafted SELECT statement with a large number of expressions in
the ORDER BY clause. Lib-Crypt-CBC project reports:
Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function as the default
source of entropy, which is not cryptographically secure, for cryptographic functions.
This issue affects operating systems where "/dev/urandom'" is unavailable.
In that case, Crypt::CBC will fallback to use the insecure rand() function.
cmpilato reports:
The ViewVC standalone web server (standalone.py) is a script provided in the ViewVC
distribution for the purposes of quickly testing a ViewVC configuration. This script
can in particular configurations expose the contents of the host server's filesystem
though a directory traversal-style attack.
Manu reports:
The vulnerability is caused by an insufficient check on
the length of a decompressed domain name within a DNS
packet.
An attacker can craft a malicious DNS packet containing a
highly compressed domain name. When the resolv library
parses such a packet, the name decompression process
consumes a large amount of CPU resources, as the library
does not limit the resulting length of the name.
This resource consumption can cause the application thread
to become unresponsive, resulting in a Denial of Service
condition.
security@mozilla.org reports: Memory safety bugs present in Firefox 140 and
Thunderbird 140. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort
some of these could have been exploited to run arbitrary
code. Focus incorrectly truncated URLs towards the beginning instead of
around the origin. security@mozilla.org reports: Memory safety bugs present in Firefox ESR 140.0,
Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140.
Some of these bugs showed evidence of memory corruption and
we presume that with enough effort some of these could have
been exploited to run arbitrary code. security@mozilla.org reports: In some cases search terms persisted in the URL bar even after
navigating away from the search page. security@mozilla.org reports: Thunderbird ignored paths when checking the validity of
navigations in a frame. security@mozilla.org reports: Setting a nameless cookie with an equals sign in the
value shadowed other cookies. Even if the nameless cookie
was set over HTTP and the shadowed cookie included the
`Secure` attribute. security@mozilla.org reports: Thunderbird cached CORS preflight responses across IP
address changes. This allowed circumventing CORS with DNS
rebinding. security@mozilla.org reports: Memory safety bugs present in Firefox ESR 128.12,
Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR
140.0, Firefox 140 and Thunderbird 140. Some of these bugs
showed evidence of memory corruption and we presume that
with enough effort some of these could have been exploited
to run arbitrary code. security@mozilla.org reports: Memory safety bugs present in Firefox ESR 115.25, Firefox
ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0,
Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some
of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have
been exploited to run arbitrary code. security@mozilla.org reports: The JavaScript engine did not handle closed generators
correctly and it was possible to resume them leading to a
nullptr deref. security@mozilla.org reports: XSLT document loading did not correctly propagate the
source document which bypassed its CSP. security@mozilla.org reports: The `username:password` part was not correctly stripped
from URLs in CSP reports potentially leaking HTTP Basic
Authentication credentials. security@mozilla.org reports: Insufficient escaping in the Copy as cURL feature could
potentially be used to trick a user into executing
unexpected code. security@mozilla.org reports: Thunderbird executed `javascript:` URLs when used in
`object` and `embed` tags. security@mozilla.org reports: On arm64, a WASM `br_table` instruction with a lot of
entries could lead to the label being too far from the
instruction causing truncation and incorrect computation of
the branch address. security@mozilla.org reports: On 64-bit platforms IonMonkey-JIT only wrote 32 bits of
the 64-bit return value space on the stack. Baseline-JIT,
however, read the entire 64 bits. cve@mitre.org reports: A flaw exists in gdk-pixbuf within the gdk_pixbuf__jpeg_image_load_increment
function (io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c).
When processing maliciously crafted JPEG images, a heap buffer overflow can occur
during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially
causing application crashes or arbitrary code execution. PowerDNS Team reports: An attacker spoofing answers to ECS enabled requests
sent out by the Recursor has a chance of success higher
than non-ECS enabled queries. The updated version include
various mitigations against spoofing attempts of ECS enabled
queries by chaining ECS enabled requests and enforcing
stricter validation of the received answers. The most strict
mitigation done when the new setting outgoing.edns_subnet_harden
(old style name edns-subnet-harden) is enabled. Gitlab reports: Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE using CDNs Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE Improper Access Control issue impacts GitLab EE Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE Improper Access Control issue impacts GitLab CE/EE cve-coordination@google.com reports: There exists a vulnerability in SQLite versions before
3.50.2 where the number of aggregate terms could exceed the
number of columns available. This could lead to a memory
corruption issue. security-advisories@github.com reports: 7-Zip is a file archiver with a high compression ratio. Zeroes
written outside heap buffer in RAR5 handler may lead to memory
corruption and denial of service in versions of 7-Zip prior to
25.0.0. Version 25.0.0 contains a fix for the issue. WasmTime development team reports: A bug in Wasmtime's implementation of the WASIp1 set of import
functions can lead to a WebAssembly guest inducing a panic in the
host (embedder). sep@nlnetlabs.nl reports: A multi-vendor cache poisoning vulnerability named 'Rebirthday
Attack' has been discovered in caching resolvers that support
EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled
with ECS support, i.e., '--enable-subnet', AND configured
to send ECS information along with queries to upstream name servers,
i.e., at least one of the 'send-client-subnet',
'client-subnet-zone' or 'client-subnet-always-forward'
options is used. Resolvers supporting ECS need to segregate outgoing
- queries to accommodate for different outgoing ECS information. This
+ queries to accommodate for different outgoing ECS information. This
re-opens up resolvers to a birthday paradox attack (Rebirthday
Attack) that tries to match the DNS transaction ID in order to cache
non-ECS poisonous replies. The OpenQuantumSafe project reports: Secret-dependent branching in HQC reference implementation when compiled with Clang 17-20 for optimizations above -O0 Daiki Ueno reports: Alan Coopersmith reports: On 6/16/25 15:12, Alan Coopersmith wrote:
BTW, users of libxml2 may also be using its sibling project, libxslt,
which currently has no active maintainer, but has three unfixed security issues
reported against it according to
https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt
2 of the 3 have now been disclosed: (CVE-2025-7424) libxslt: Type confusion in xmlNode.psvi between stylesheet and source nodes (CVE-2025-7425) libxslt: heap-use-after-free in xmlFreeID caused by `atype` corruption Engineers from Apple & Google have proposed patches in the GNOME gitlab issues,
but neither has had a fix applied to the git repo since there is currently no
maintainer for libxslt. Note that a fourth vulnerability was reported on June 18, 2025, which remains undisclosed to date (GNOME libxslt issue 148, link below), see
https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt
Alan Coopersmith reports: As discussed in
https://gitlab.gnome.org/GNOME/libxml2/-/issues/913 the
security policy of libxml2 has been changed to disclose vulnerabilities
before fixes are available so that people other than the maintainer can
contribute to fixing security issues in this library. As part of this, the following 5 CVE's have been disclosed recently: (CVE-2025-49794) Heap use after free (UAF) leads to Denial of service (DoS)
https://gitlab.gnome.org/GNOME/libxml2/-/issues/931 [...] (CVE-2025-49795) Null pointer dereference leads to Denial of service (DoS)
https://gitlab.gnome.org/GNOME/libxml2/-/issues/932 [...] (CVE-2025-49796) Type confusion leads to Denial of service (DoS)
https://gitlab.gnome.org/GNOME/libxml2/-/issues/933 [...] For all three of the above, note that upstream is considering removing Schematron support completely, as discussed in
https://gitlab.gnome.org/GNOME/libxml2/-/issues/935. (CVE-2025-6021) Integer Overflow Leading to Buffer Overflow in xmlBuildQName()
https://gitlab.gnome.org/GNOME/libxml2/-/issues/926 [...] (CVE-2025-6170) Stack-based Buffer Overflow in xmllint Shell
https://gitlab.gnome.org/GNOME/libxml2/-/issues/941 [...] The mod_http2 project reports: a client can increase memory consumption for a HTTP/2 connection
via repeated request header names,leading to denial of service certain proxy configurations whith mod_proxy_http2 as the
backend, an assertion can be triggered by certain requests, leading
to denial of service The Apache httpd project reports: moderate: Apache HTTP Server: HTTP response splitting (CVE-2024-42516) low: Apache HTTP Server: SSRF with mod_headers setting Content-Type header (CVE-2024-43204) moderate: Apache HTTP Server: SSRF on Windows due to UNC paths (CVE-2024-43394) low: Apache HTTP Server: mod_ssl error log variable escaping (CVE-2024-47252) moderate: Apache HTTP Server: mod_ssl access control bypass with session resumption (CVE-2025-23048) low: Apache HTTP Server: mod_proxy_http2 denial of service (CVE-2025-49630) moderate: Apache HTTP Server: mod_ssl TLS upgrade attack (CVE-2025-49812) moderate: Apache HTTP Server: HTTP/2 DoS by Memory Increase (CVE-2025-53020) security@apache.org reports: A race condition on connection close could trigger a JVM crash when using the
APR/Native connector leading to a DoS. This was particularly noticeable with client
initiated closes of HTTP/2 connections. An uncontrolled resource consumption vulnerability if an HTTP/2 client did not
acknowledge the initial settings frame that reduces the maximum permitted
concurrent streams could result in a DoS. For some unlikely configurations of multipart upload, an Integer Overflow
vulnerability could lead to a DoS via bypassing of size limits. Gitlab reports: Cross-site scripting issue impacts GitLab CE/EE Improper authorization issue impacts GitLab CE/EE Improper authorization issue impacts GitLab EE Improper authorization issue impacts GitLab EE Git development team reports: CVE-2025-27613: Gitk:
When a user clones an untrusted repository and runs Gitk without
additional command arguments, any writable file can be created and
truncated. The option "Support per-file encoding" must have been
enabled. The operation "Show origin of this line" is affected as
well, regardless of the option being enabled or not.
CVE-2025-27614: Gitk:
A Git repository can be crafted in such a way that a user who has
cloned the repository can be tricked into running any script
supplied by the attacker by invoking `gitk filename`, where
`filename` has a particular structure.
CVE-2025-46835: Git GUI:
When a user clones an untrusted repository and is tricked into
editing a file located in a maliciously named directory in the
repository, then Git GUI can create and overwrite any writable
file.
CVE-2025-48384: Git:
When reading a config value, Git strips any trailing carriage
return and line feed (CRLF). When writing a config entry, values
with a trailing CR are not quoted, causing the CR to be lost when
the config is later read. When initializing a submodule, if the
submodule path contains a trailing CR, the altered path is read
resulting in the submodule being checked out to an incorrect
location. If a symlink exists that points the altered path to the
submodule hooks directory, and the submodule contains an executable
post-checkout hook, the script may be unintentionally executed
after checkout.
CVE-2025-48385: Git:
When cloning a repository Git knows to optionally fetch a bundle
advertised by the remote server, which allows the server-side to
offload parts of the clone to a CDN. The Git client does not
perform sufficient validation of the advertised bundles, which
allows the remote side to perform protocol injection.
This protocol injection can cause the client to write the fetched
bundle to a location controlled by the adversary. The fetched
content is fully controlled by the server, which can in the worst
case lead to arbitrary code execution.
CVE-2025-48386: Git:
The wincred credential helper uses a static buffer (`target`) as a
unique key for storing and comparing against internal storage. This
credential helper does not properly bounds check the available
space remaining in the buffer before appending to it with
`wcsncat()`, leading to potential buffer overflows.
cna@mongodb.com reports: MongoDB Server's mongos component can become
unresponsive to new connections due to incorrect handling of
incomplete data. This affects MongoDB when configured with
load balancer support.
Required Configuration:
This affects MongoDB sharded clusters when configured with load
balancer support for mongos using HAProxy on specified ports. cna@mongodb.com reports: An unauthorized user may leverage a specially crafted
aggregation pipeline to access data without proper
authorization due to improper handling of the $mergeCursors
stage in MongoDB Server. This may lead to access to data
without further authorisation. cna@mongodb.com reports: MongoDB Server may be susceptible to disruption caused by
high memory usage, potentially leading to server crash. This
condition is linked to inefficiencies in memory management
related to internal operations. In scenarios where certain
internal processes persist longer than anticipated, memory
consumption can increase, potentially impacting server
stability and availability. cna@mongodb.com reports: An issue has been identified in MongoDB Server where
unredacted queries may inadvertently appear in server logs
when certain error conditions are encountered. security-advisories@github.com reports: ModSecurity is an open source, cross platform web application
firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8
to before 2.9.11, an empty XML tag can cause a segmentation fault.
If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request
type is application/xml, and at least one XML tag is empty (eg
<foo></foo>), then a segmentation fault occurs. This
issue has been patched in version 2.9.11. A workaround involves
setting SecParseXmlIntoArgs to Off. @julienperriercornet reports:
An unauthenticated connection can cause repeated IP
protocol errors, leading to client starvation and,
ultimately, a denial of service.
Seunghyun Lee reports:
An authenticated user may use a specially crafted string
to trigger a stack/heap out of bounds write on hyperloglog
operations, potentially leading to remote code execution.
Simcha Kosman & CyberArk Labs reports: A user can run the {redis,valkeyu}-check-aof cli and pass
a long file path to trigger a stack buffer overflow, which
may potentially lead to remote code execution. A worker thread could free its input buffer after decoding,
while the main thread might still be writing to it. This leads to
an use-after-free condition on heap memory. An attacker may use specifically crafted .xz file to cause
multi-threaded xz decoder to crash, or potentially run arbitrary
code under the credential the decoder was executed. GStreamer Security Center reports: It is possible for a malicious third party to trigger a buffer overflow that can
result in a crash of the application and possibly also allow code execution through
stack manipulation. security@mozilla.org reports: An attacker was able to bypass the `connect-src`
directive of a Content Security Policy by manipulating
subdocuments. This would have also hidden the connections
from the Network tab in Devtools. When Multi-Account Containers was enabled, DNS requests
could have bypassed a SOCKS proxy when the domain name was
invalid or the SOCKS proxy was not responding. If a user visited a webpage with an invalid TLS
certificate, and granted an exception, the webpage was able to
provide a WebAuthn challenge that the user would be prompted
to complete. This is in violation of the WebAuthN spec which
requires "a secure transport established without
errors". The exception page for the HTTPS-Only feature, displayed
when a website is opened via HTTP, lacked an anti-clickjacking
delay, potentially allowing an attacker to trick a user into
granting an exception and loading a webpage over HTTP. If a user saved a response from the Network tab in Devtools
using the Save As context menu option, that file may not have
been saved with the `.download` file extension.
This could have led to the user inadvertently running a
malicious executable. Memory safety bugs present in Firefox 139 and Thunderbird
139. Some of these bugs showed evidence of memory corruption
and we presume that with enough effort some of these could
have been exploited to run arbitrary code. security@mozilla.org reports: Firefox could have incorrectly parsed a URL and rewritten
it to the youtube.com domain when parsing the URL specified
in an `embed` tag. This could have bypassed website security
checks that restricted which domains users were allowed to
embed. When a file download is specified via the
`Content-Disposition` header, that directive would be ignored
if the file was included via a `<embed>` or
`<object>` tag, potentially making a website
vulnerable to a cross-site scripting attack. security@mozilla.org reports: An attacker who enumerated resources from the WebCompat extension
could have obtained a persistent UUID that identified the browser,
and persisted between containers and normal/private browsing mode,
but not profiles. This vulnerability affects Firefox < 140,
Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird <
140, and Thunderbird < 128.12. php.net reports: security@mozilla.org reports: A use-after-free in FontFaceSet resulted in a potentially
exploitable crash. Chrome Releases reports: This update includes 1 security fix: Chrome Releases reports: This update includes 11 security fixes: Todd C. Miller reports, crediting Rich Mirch from Stratascale Cyber Research Unit (CRU): Sudo 1.9.17p1: The X.Org project reports: The Big Requests extension allows requests larger than the 16-bit length
limit.
It uses integers for the request length and checks for the size not to
exceed the maxBigRequestSize limit, but does so after translating the
length to integer by multiplying the given size in bytes by 4.
In doing so, it might overflow the integer size limit before actually
checking for the overflow, defeating the purpose of the test. The X.Org project reports: The X Rendering extension allows creating animated cursors providing a
list of cursors.
By default, the Xserver assumes at least one cursor is provided while a
client may actually pass no cursor at all, which causes an out-of-bound
read creating the animated cursor and a crash of the Xserver. The handler of XFixesSetClientDisconnectMode does not check the client
request length.
A client could send a shorter request and read data from a former
request. When reading requests from the clients, the input buffer might be shared
and used between different clients.
If a given client sends a full request with non-zero bytes to ignore,
the bytes to ignore may still be non-zero even though the request is
full, in which case the buffer could be shared with another client who's
request will not be processed because of those bytes to ignore, leading
to a possible hang of the other client request. The RecordSanityCheckRegisterClients() function in the X Record extension
implementation of the Xserver checks for the request length, but does not
check for integer overflow.
A client might send a very large value for either the number of clients
or the number of protocol ranges that will cause an integer overflow in
the request length computation, defeating the check for request length. A client might send a request causing an integer overflow when computing
the total size to allocate in RRChangeProviderProperty(). RedHat, Inc. reports: A flaw was found in Podman. The podman machine init command fails to verify the TLS
certificate when downloading the VM images from an OCI registry. This issue results
in a Man In The Middle attack. cna@mongodb.com reports: An authenticated user may trigger a use after free that may result
in MongoDB Server crash and other unexpected behavior, even if the
user does not have authorization to shut down a server. The crash
is triggered on affected versions by issuing an aggregation framework
operation using a specific combination of rarely-used aggregation
pipeline expressions. This issue affects MongoDB Server v6.0 version
prior to 6.0.21, MongoDB Server v7.0 version prior to 7.0.17 and
MongoDB Server v8.0 version prior to 8.0.4 when the SBE engine is
enabled. NVD reports: Under certain conditions, an authenticated user request
may execute with stale privileges following an intentional
change by an authorized administrator. NVD reports: The MongoDB Server is susceptible to a denial of service
vulnerability due to improper handling of specific date
values in JSON input when using OIDC authentication.
This can be reproduced using the mongo shell to send a
malicious JSON payload leading to an invariant failure
and server crash. cna@mongodb.com reports: MongoDB Server may be susceptible to stack overflow due to JSON
parsing mechanism, where specifically crafted JSON inputs may induce
unwarranted levels of recursion, resulting in excessive stack space
consumption. Such inputs can lead to a stack overflow that causes
the server to crash which could occur pre-authorisation. This issue
affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB
Server v8.0 versions prior to 8.0.5.
The same issue affects MongoDB Server v6.0 versions prior to 6.0.21,
but an attacker can only induce denial of service after authenticating. GitHub Security Advisories reports:
Kanboard allows password reset emails to be sent with URLs
derived from the unvalidated Host header when the
application_url configuration is unset (default behavior).
This allows an attacker to craft a malicious password
reset link that leaks the token to an attacker-controlled
domain. If a victim (including an administrator) clicks
the poisoned link, their account can be taken over. This
affects all users who initiate a password reset while
application_url is not set.
Gitlab reports: Denial of Service impacts GitLab CE/EE Missing Authentication issue impacts GitLab CE/EE Improper access control issue impacts GitLab CE/EE Elevation of Privilege impacts GitLab CE/EE Improper access control issue impacts GitLab EE Cisco reports: A vulnerability in the decoding functions
of OpenH264 codec library could allow a remote, unauthenticated
attacker to trigger a heap overflow. This vulnerability is due to
a race condition between a Sequence Parameter Set (SPS) memory
allocation and a subsequent non Instantaneous Decoder Refresh
(non-IDR) Network Abstraction Layer (NAL) unit memory usage. An
attacker could exploit this vulnerability by crafting a malicious
bitstream and tricking a victim user into processing an arbitrary
video containing the malicious bistream. An exploit could allow
the attacker to cause an unexpected crash in the victim's user
decoding client and, possibly, perform arbitrary commands on the
victim's host by abusing the heap overflow. Cisco reports: A vulnerability in Universal Disk Format (UDF) processing of ClamAV
could allow an unauthenticated, remote attacker to cause a denial
of service (DoS) condition on an affected device.
This vulnerability is due to a memory overread during UDF file
scanning. An attacker could exploit this vulnerability by submitting
a crafted file containing UDF content to be scanned by ClamAV on
an affected device. A successful exploit could allow the attacker
to terminate the ClamAV scanning process, resulting in a DoS condition
on the affected software. For a description of this vulnerability,
see the . Cisco reports: A vulnerability in the PDF scanning processes of ClamAV could allow
an unauthenticated, remote attacker to cause a buffer overflow
condition, cause a denial of service (DoS) condition, or execute
arbitrary code on an affected device.
This vulnerability exists because memory buffers are allocated
incorrectly when PDF files are processed. An attacker could exploit
this vulnerability by submitting a crafted PDF file to be scanned
by ClamAV on an affected device. A successful exploit could allow
the attacker to trigger a buffer overflow, likely resulting in the
termination of the ClamAV scanning process and a DoS condition on
- the affected software. Although unproven, there is also a possibility
+ the affected software. Although unproven, there is also a possibility
that an attacker could leverage the buffer overflow to execute
arbitrary code with the privileges of the ClamAV process. Chrome Releases reports: This update includes 3 security fixes: Deluan reports: This vulnerability arises due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information. Grafana Labs reports: An incident occurred where the DingDing alerting integration URL
was inadvertently exposed to viewers due to a setting oversight,
which we learned about through a bug bounty report. The CVSS 3.0 score for this vulnerability is 4.3 (Medium). Grafana Labs reports: On April 15, we discovered a vulnerability that stems from the user
deletion logic associated with organization administrators.
An organization admin could remove any user from the specific
organization they manage. Additionally, they have the power to delete
users entirely from the system if they have no other org membership.
This leads to two situations: These two situations allow an organization manager to disrupt
instance-wide activity by continually deleting server administrators
if there is only one organization or if the server administrators are
not part of any organization. The CVSS score for this vulnerability is 5.5 Medium. security@mozilla.org reports: CVE-2025-49709: Certain canvas operations could have lead
to memory corruption. CVE-2025-49710: An integer overflow was present in
`OrderedHashTable` used by the JavaScript engine. Chrome Releases reports: This update includes 2 security fixes: Chrome Releases reports: This update includes 3 security fixes: security@mozilla.org reports: Thunderbird's update mechanism allowed a medium-integrity user
process to interfere with the SYSTEM-level updater by manipulating
the file-locking behavior. By injecting code into the user-privileged
process, an attacker could bypass intended access controls, allowing
SYSTEM-level file operations on paths controlled by a non-privileged
user and enabling privilege escalation. This vulnerability affects
Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23,
Thunderbird < 138, and Thunderbird < 128.10. Webmin reports: A less-privileged Webmin user can execute commands as root via a vulnerability in the shell autocomplete feature. secalert@redhat.com reports: A flaw was found in Yelp. The Gnome user help application allows
+ A flaw was found in Yelp. The Gnome user help application allows
the help document to execute arbitrary scripts. This vulnerability
allows malicious users to input help documents, which may exfiltrate
user files to an external environment. secalert@redhat.com reports: A flaw was found in Yelp. The Gnome user help application allows
+ A flaw was found in Yelp. The Gnome user help application allows
the help document to execute arbitrary scripts. This vulnerability
allows malicious users to input help documents, which may exfiltrate
user files to an external environment. Gitlab reports: HTML injection impacts GitLab CE/EE Cross-site scripting issue impacts GitLab CE/EE Missing authorization issue impacts GitLab Ultimate EE Denial of Service impacts GitLab CE/EE Denial of Service via unbounded Webhook token names impacts GitLab CE/EE Denial of Service via unbounded Board Names impacts GitLab CE/EE Information disclosure issue impacts GitLab CE/EE Denial of Service (DoS) via uncontrolled HTTP Response Processing impacts GitLab CE/EE Information disclosure via authorization bypass impacts GitLab CE/EE Sensitive information disclosure via Group IP restriction bypass PostgreSQL JDBC Driver project reports:
Client Allows Fallback to Insecure Authentication Despite
channelBinding=require configuration. Fix channel binding
required handling to reject non-SASL authentication Previously,
when channel binding was set to "require", the driver
would silently ignore this requirement for non-SASL
authentication methods. This could lead to a false sense of
security when channel binding was explicitly requested but not
actually enforced. The fix ensures that when channel binding is
set to "require", the driver will reject connections that use
non-SASL authentication methods or when SASL authentication has
not completed properly.
security-advisories@github.com reports:
ModSecurity is an open source, cross platform web
application firewall (WAF) engine for Apache, IIS
and Nginx. Versions prior to 2.9.10 contain a denial of
service vulnerability similar to
GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg`
(and `sanitizeArg` - this is the same action but an
alias) is vulnerable to adding an excessive number
of arguments, thereby leading to denial of service.
Version 2.9.10 fixes the issue. As a workaround, avoid
using rules that contain the `sanitiseArg` (or
`sanitizeArg`) action.
security-advisories@github.com reports: ModSecurity is an open source, cross platform web
application firewall (WAF) engine for Apache, IIS and Nginx.
Versions up to and including 2.9.8 are vulnerable to denial
of service in one special case (in stable released versions):
when the payload's content type is `application/json`,
and there is at least one rule which does a
`sanitiseMatchedBytes` action. A patch is available at
pull request 3389 and expected to be part of version 2.9.9.
No known workarounds are available. security@mozilla.org reports: A clickjacking vulnerability could have been used to trick a user
into leaking saved payment card details to a malicious page. security@mozilla.org reports: Script elements loading cross-origin resources generated load and
error events which leaked information enabling XS-Leaks attacks. security@mozilla.org reports: Due to insufficient escaping of the newline character in the Copy
as cURL feature, an attacker could trick a user into using this
command, potentially leading to local code execution on the user's
system. security@mozilla.org reports: Error handling for script execution was incorrectly isolated from
web content, which could have allowed cross-origin leak attacks. chrome-cve-admin@google.com reports: Out of bounds read and write in V8 in Google Chrome prior
to 137.0.7151.68 allowed a remote attacker to potentially
exploit heap corruption via a crafted HTML page.
(Chromium security severity: High) Electron developers report: This update fixes the following vulnerability: Roundcube Webmail reports: Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v zdi-disclosures@trendmicro.com reports: GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution
- Vulnerability. This vulnerability allows remote attackers to execute
+ Vulnerability. This vulnerability allows remote attackers to execute
arbitrary code on affected installations of GIMP. User interaction
is required to exploit this vulnerability in that the target must
visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of FLI files. The issue
results from the lack of proper validation of user-supplied data,
which can result in a write past the end of an allocated buffer.
An attacker can leverage this vulnerability to execute code in the
context of the current process. Was ZDI-CAN-25100. zdi-disclosures@trendmicro.com reports: GIMP XWD File Parsing Integer Overflow Remote Code Execution
- Vulnerability. This vulnerability allows remote attackers to execute
+ Vulnerability. This vulnerability allows remote attackers to execute
arbitrary code on affected installations of GIMP. User interaction
is required to exploit this vulnerability in that the target must
visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of XWD files. The issue
results from the lack of proper validation of user-supplied data,
which can result in an integer overflow before allocating a buffer.
An attacker can leverage this vulnerability to execute code in the
context of the current process. Was ZDI-CAN-25082. curl security team reports: CVE-2025-5025: No QUIC certificate pinning with wolfSSL CVE-2025-4947: QUIC certificate check skip with wolfSSL cve@mitre.org reports: In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds
memory access can occur in the Python API (Python bindings) because
of an incorrect return value. This occurs in xmlPythonFileRead and
xmlPythonFileReadRaw because of a difference between bytes and
characters. cve@mitre.org reports: libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based
buffer overflow in xmlSnprintfElements in valid.c. To exploit this,
DTD validation must occur for an untrusted document or untrusted
DTD. NOTE: this is similar to CVE-2017-9047. cve@mitre.org reports: libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free
in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in
xmlschemas.c. To exploit this, a crafted XML document must be
validated against an XML schema with certain identity constraints,
or a crafted XML schema must be used. Chrome Releases reports: This update includes 11 security fixes: chrome-cve-admin@google.com reports: Use after free in Compositing in Google Chrome prior to
137.0.7151.55 allowed a remote attacker to potentially
exploit heap corruption via a crafted HTML page.
(Chromium security severity: High) security@mozilla.org reports: Memory safety bug present in Firefox ESR 128.10, and
Thunderbird 128.10.
This bug showed evidence of memory corruption and we presume
that with enough effort this could have been exploited to run
arbitrary code. security@mozilla.org reports: Memory safety bugs present in Firefox 138, Thunderbird
138, Firefox ESR 128.10, and Thunderbird 128.10.
Some of these bugs showed evidence of memory corruption and
we presume that with enough effort some of these could have
been exploited to run arbitrary code. security@mozilla.org reports: In certain cases, SNI could have been sent unencrypted
even when encrypted DNS was enabled. security@mozilla.org reports: Previewing a response in Devtools ignored CSP headers,
which could have allowed content injection attacks. security@mozilla.org reports: Memory safety bugs present in Firefox 138 and Thunderbird
138. Some of these bugs showed evidence of memory corruption
and we presume that with enough effort some of these could
have been exploited to run arbitrary code. security-advisories@github.com reports: ModSecurity is an open source, cross platform web application
firewall (WAF) engine for Apache, IIS and Nginx. Versions up to
and including 2.9.8 are vulnerable to denial of service in one
special case (in stable released versions): when the payload's
content type is `application/json`, and there is at least one rule
which does a `sanitiseMatchedBytes` action. A patch is available
- at pull request 3389 and expected to be part of version 2.9.9. No
+ at pull request 3389 and expected to be part of version 2.9.9. No
known workarounds are available. The traefik project reports: There is a potential vulnerability in Traefik managing the requests
using a PathPrefix, Path or PathRegex matcher. When Traefik is configured
to route the requests to a backend using a matcher based on the path, if
the URL contains a URL encoded string in its path, it's possible to target
a backend, exposed using another router, by-passing the middlewares chain. security-advisories@github.com reports:
CVE-2024-11955: A vulnerability was found in GLPI up to
10.0.17. It has been declared as problematic. Affected by
this vulnerability is an unknown functionality of the file
/index.php.
The manipulation of the argument redirect leads to
open redirect. The attack can be launched remotely.
The exploit has been disclosed to the public and
may be used. Upgrading to version 10.0.18 is able to
address this issue.
It is recommended to upgrade the affected component.
CVE-2025-23024: Starting in version 0.72 and prior to
version 10.0.18, an anonymous user can disable all the
active plugins. Version 10.0.18 contains a patch.
As a workaround, one may delete the `install/update.php`
file.
CVE-2025-23046: Prior to version 10.0.18, a low privileged
user can enable debug mode and access sensitive information.
Version 10.0.18 contains a patch.
As a workaround, one may delete the `install/update.php`
file.
CVE-2025-25192: Starting in version 9.5.0 and prior to
version 10.0.18, if a "Mail servers"
authentication provider is configured to use an Oauth
connection provided by the OauthIMAP plugin, anyone can
connect to GLPI using a user name on which an Oauth
authorization has already been established.
Version 10.0.18 contains a patch. As a
workaround, one may disable any "Mail
servers" authentication provider configured to
use an Oauth connection provided by the OauthIMAP
plugin.
CVE-2025-21626: Starting in version 0.71 and prior to
version 10.0.18, an anonymous user can fetch sensitive
information from the `status.php` endpoint.
Version 10.0.18 contains a fix for the issue.
Some workarounds are available. One may delete the
`status.php` file, restrict its access, or
remove any sensitive values from the `name` field of
the active LDAP directories, mail servers authentication
providers and mail receivers.
CVE-2025-21627: In versions prior to 10.0.18, a malicious
link can be crafted to perform a reflected XSS attack on the
search page. If the anonymous ticket creation is enabled,
this attack can be performed by an unauthenticated
user. Version 10.0.18 contains a fix for the issue.
CVE-2025-21619: An administrator user can perfom a SQL
injection through the rules configuration forms.
This vulnerability is fixed in 10.0.18.
CVE-2025-24799: An unauthenticated user can perform a SQL
injection through the inventory endpoint.
This vulnerability is fixed in 10.0.18.
CVE-2025-24801: An authenticated user can upload and force
the execution of *.php files located on the GLPI server.
This vulnerability is fixed in 10.0.18.
Electron developers report: This update fixes the following vulnerability: Internet Systems Consortium, Inc. reports: security@grafana.com reports: A cross-site scripting (XSS) vulnerability exists in Grafana caused
by combining a client path traversal and open redirect. This allows
attackers to redirect users to a website that hosts a frontend
- plugin that will execute arbitrary JavaScript. This vulnerability
+ plugin that will execute arbitrary JavaScript. This vulnerability
does not require editor permissions and if anonymous access is
enabled, the XSS will work. If the Grafana Image Renderer plugin
is installed, it is possible to exploit the open redirect to achieve
a full read SSRF.
The default Content-Security-Policy (CSP) in Grafana will block the
XSS though the `connect-src` directive. cna@python.org reports: There is an issue in CPython when using
`bytes.decode("unicode_escape",
error="ignore|replace")`. If you are not using the
"unicode_escape" encoding or an error handler your
- usage is not affected. To work-around this issue you may stop
+ usage is not affected. To work-around this issue you may stop
using the error= handler and instead wrap the bytes.decode()
call in a try-except catching the DecodeError. The OpenSSL project reports: The x509 application adds trusted use instead of rejected use (low) security@mozilla.org reports: A race condition existed in nsHttpTransaction that could
have been exploited to cause memory corruption, potentially
leading to an exploitable condition. Gitlab reports: Unprotected large blob endpoint in GitLab allows Denial of Service Improper XPath validation allows modified SAML response to bypass 2FA requirement A Discord webhook integration may cause DoS Unbounded Kubernetes cluster tokens may lead to DoS Unvalidated notes position may lead to Denial of Service Hidden/masked variables may get exposed in the UI Two-factor authentication requirement bypass View full email addresses that should be partially obscured Branch name confusion in confidential MRs Unauthorized access to job data via a GraphQL query The screen project reports: Multiple security issues in screen. security@mozilla.org reports: An attacker was able to perform an out-of-bounds read or
write on a JavaScript object by confusing array index sizes. The Weechat project reports: Multiple integer and buffer overflows in WeeChat core. Chrome Releases reports: This update includes 4 security fixes: security@mozilla.org reports: Memory safety bugs present in Firefox 137, Thunderbird 137,
Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs
showed evidence of memory corruption and we presume that
with enough effort some of these could have been exploited
to run arbitrary code. security@mozilla.org reports: Memory safety bug present in Firefox ESR 128.9, and
Thunderbird 128.9. This bug showed evidence of memory
corruption and we presume that with enough effort this could
have been exploited to run arbitrary code. VSCode developers report: A security feature bypass vulnerability exists in VS Code 1.100.0 and earlier versions where a maliciously crafted URL could be considered trusted when it should not have due to how VS Code handled glob patterns in the trusted domains feature. When paired with the #fetch tool in Chat, this scenario would require the attacker to convince an LLM (via prompt injection) to fetch the maliciously crafted URL but when fetched, the user would have no moment to confirm the flighting of the request. xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes. numbers.c in libxslt before 1.1.43 has a use-after-free because
, in nested XPath evaluations, an XPath context node can be
modified but never restored. This is related to
xsltNumberFormatGetValue, xsltEvalXPathPredicate,
xsltEvalXPathStringNs, and xsltComputeSortResultInternal. The Varnish Development Team reports: A client-side desync vulnerability can be triggered in Varnish Cache
and Varnish Enterprise. This vulnerability can be triggered under
specific circumstances involving malformed HTTP/1 requests. An attacker can abuse a flaw in Varnish's handling of chunked
transfer encoding which allows certain malformed HTTP/1 requests
to exploit improper framing of the message body to smuggle additional
requests. Specifically, Varnish incorrectly permits CRLF to be
skipped to delimit chunk boundaries. security@mozilla.org reports: Memory safety bugs present in Firefox 137 and Thunderbird 137.
Some of these bugs showed evidence of memory corruption and
we presume that with enough effort some of these could have
been exploited to run arbitrary code. security@mozilla.org reports: Due to insufficient escaping of special characters in the
"copy as cURL" feature, an attacker could trick
a user into using this command, potentially leading to local
code execution on the user's system. security@mozilla.org reports: A security vulnerability in Thunderbird allowed malicious
sites to use redirects to send credentialed requests to
arbitrary endpoints on any site that had invoked the Storage
Access API. This enabled potential Cross-Site Request
Forgery attacks across origins. security@mozilla.org reports: A vulnerability was identified in Thunderbird where XPath
parsing could trigger undefined behavior due to missing null
checks during attribute access. This could lead to
out-of-bounds read access and potentially, memory
corruption. security@mozilla.org reports: An attacker with control over a content process could
potentially leverage the privileged UITour actor to leak
sensitive information or escalate privileges. security@mozilla.org reports: A process isolation vulnerability in Thunderbird stemmed
from improper handling of javascript: URIs, which could
allow content to execute in the top-level document's
process instead of the intended frame, potentially enabling
a sandbox escape. Gitlab reports: Partial Bypass for Device OAuth flow using Cross Window Forgery Denial of service by abusing Github import API Group IP restriction bypass allows disclosing issue title of restricted project PostgreSQL project reports:
A buffer over-read in PostgreSQL GB18030 encoding
validation allows a database input provider to achieve
temporary denial of service on platforms where a 1-byte
over-read can elicit process termination. This affects
the database server and also libpq. Versions before
PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are
affected.
Chrome Releases reports: This update includes 2 security fixes: Chrome Releases reports: This update includes 8 security fixes: cve@mitre.org reports: FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer
overflow (and resultant heap-based buffer overflow) via
crafted nameLen or valueLen values in data to the IPC socket.
This occurs in ReadParams in fcgiapp.c. security@open-xchange.com reports:
When DNSdist is configured to provide DoH via the
nghttp2provider, an attacker can cause a denial of service by
crafting a DoH exchange that triggers an illegal memory
access (double-free) and crash of DNSdist, causing a denial
of service. The remedy is: upgrade to the patched 1.9.9
version. A workaround is to temporarily switch to the h2o
provider until DNSdist has been upgraded to a fixed version.
We would like to thank Charles Howes for bringing this issue
to our attention. PowerDNS Team reports: PowerDNS Security Advisory 2025-01: A crafted zone can
lead to an illegal memory access in the Recursor cve@mitre.org reports:
In SQLite 3.44.0 through 3.49.0 before 3.49.1, the
concat_ws() SQL function can cause memory to be written
beyond the end of a malloc-allocated buffer. If the
separator argument is attacker-controlled and has a large
string (e.g., 2MB or more), an integer overflow occurs in
calculating the size of the result buffer, and thus malloc
may not allocate enough memory.
h11 reports: h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue. Grafana Labs reports: This vulnerability, which was discovered while reviewing a pull
request from an external contributor, effects Grafana’s data source
proxy API and allows authorization checks to be bypassed by adding
an extra slash character (/) in the URL path. Among Grafana-maintained
data sources, the vulnerability only affects the read paths
of Prometheus (all flavors) and Alertmanager when configured with
basic authorization. The CVSS score for this vulnerability is
5.0 MEDIUM. Grafana Labs reports: During the development of a new feature in Grafana 11.6.x,
a security vulnerability was introduced that allows for Viewers
and Editors to bypass dashboard-specific permissions. As a result,
users with the Viewer role could view all the dashboards within their
org and users with the Editor role could view, edit, and delete all
the dashboards in their org. Note: Organization isolation boundaries still apply, which
means viewers and editors in one organization cannot view or edit
dashboards in another org. Also this vulnerability does not allow
users to query data via data sources they don’t have access to.
The CVSS score for this vulnerability is
8.3 HIGH. Grafana Labs reports: An external security researcher responsibly reported a security
vulnerability in Grafana’s built-in
XY chart plugin
that is vulnerable to a
DOM XSS vulnerability. The CVSS score for this vulnerability is
6.8 MEDIUM. Axel Mierczuk reports:
By default, the Redis configuration does not limit the
output buffer of normal clients (see
client-output-buffer-limit). Therefore, the output buffer
can grow unlimitedly over time. As a result, the service
is exhausted and the memory is unavailable.
When password authentication is enabled on the Redis
server, but no password is provided, the client can still
cause the output buffer to grow from "NOAUTH" responses
until the system will run out of memory.
Gitlab reports: Cross Site Scripting (XSS) in Maven Dependency Proxy through CSP directives Cross Site Scripting (XSS) in Maven dependency proxy through cache headers Network Error Logging (NEL) Header Injection in Maven Dependency Proxy Allows Browser Activity Monitoring Denial of service (DOS) via issue preview Unauthorized access to branch names when Repository assets are disabled in the project Chrome Releases reports: This update includes 1 security fix. Deluan reports: In certain Subsonic API endpoints, authentication can be
bypassed by using a non-existent username combined with an
empty (salted) password hash. This allows read-only access to
the server’s resources, though attempts at write operations
fail with a “permission denied” error. security-advisories@github.com reports:
Erlang/OTP is a set of libraries for the Erlang
programming language. Prior to versions OTP-27.3.3,
OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow
an attacker to perform unauthenticated remote code
execution (RCE). By exploiting a flaw in SSH protocol
message handling, a malicious actor could gain
unauthorized access to affected systems and execute
arbitrary commands without valid credentials. This issue
is patched in versions OTP-27.3.3, OTP-26.2.5.11, and
OTP-25.3.2.20. A temporary workaround involves disabling
the SSH server or to prevent access via firewall rules.
ejabberd team reports: Fixed issue with handling of user provided occupant-id in
messages and presences sent to muc room. Server was
replacing just first instance of occupant-id with its own
version, leaving other ones untouched. That would mean that
depending on order in which clients send occupant-id, they
could see value provided by sender, and that could be used
to spoof as different sender. Chrome Releases reports: This update includes 2 security fixes: Chrome Releases reports: This update includes 2 security fixes: element-hq/synapse developers report: A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild. Jenkins Security Advisory: Missing permission check allows retrieving agent configurations Missing permission check allows retrieving secrets from agent configurations Gitlab reports: Denial of service via CI pipelines Unintentionally authorizing sensitive actions on users behalf IP Restriction Bypass through GraphQL Subscription Unauthorized users can list the number of confidential issues Debugging Information Disclosed secalert@redhat.com reports: A stack overflow vulnerability exists in the libexpat library due
to the way it handles recursive entity expansion in XML documents.
When parsing an XML document with deeply nested entity references,
libexpat can be forced to recurse indefinitely, exhausting the stack
space and causing a crash. This issue could lead to denial of
service (DoS) or, in some cases, exploitable memory corruption,
depending on the environment and library usage. security@mozilla.org reports: Memory safety bugs present in Firefox 136 and Thunderbird 136.
Some of these bugs showed evidence of memory corruption and
we presume that with enough effort some of these could have
been exploited to run arbitrary code. security@mozilla.org reports: Leaking of file descriptors from the fork server to web
content processes could allow for privilege escalation
attacks. security@mozilla.org reports: An attacker could read 32 bits of values spilled onto the stack in
a JIT compiled function. security@mozilla.org reports: Memory safety bugs present in Firefox 136, Thunderbird
136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these
bugs showed evidence of memory corruption and we presume
that with enough effort some of these could have been
exploited to run arbitrary code. security@mozilla.org reports: A crafted URL containing specific Unicode characters
could have hidden the true origin of the page, resulting in
a potential spoofing attack. security@mozilla.org reports: JavaScript code running while transforming a document
with the XSLTProcessor could lead to a use-after-free. Chrome Releases reports: This update includes 13 security fixes: security@mozilla.org reports: Memory safety bugs present in Firefox 133, Thunderbird 133,
Firefox ESR 128.5, and Thunderbird 128.5. Some of these
bugs showed evidence of memory corruption and we presume
that with enough effort some of these could have been
exploited to run arbitrary code. security@mozilla.org reports: Memory safety bugs present in Firefox 133 and Thunderbird 133.
Some of these bugs showed evidence of memory corruption and
we presume that with enough effort some of these could have
been exploited to run arbitrary code. security@mozilla.org reports: Under certain circumstances, a user opt-in setting that
Focus should require authentication before use could have
been be bypassed. security@mozilla.org reports: Memory safety bugs present in Firefox 133, Thunderbird 133,
Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18,
and Thunderbird 128.5. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort
some of these could have been exploited to run arbitrary
code. security@mozilla.org reports: When segmenting specially crafted text, segmentation
would corrupt memory leading to a potentially exploitable
crash. security@mozilla.org reports: Parsing a JavaScript module as JSON could, under some
circumstances, cause cross-compartment access, which may
result in a use-after-free. security@mozilla.org reports: When using Alt-Svc, ALPN did not properly validate
certificates when the original server is redirecting to an
insecure site. security@mozilla.org reports: Assuming a controlled failed memory allocation, an
attacker could have caused a use-after-free, leading to a
potentially exploitable crash. security@mozilla.org reports: The WebChannel API, which is used to transport various
information across processes, did not check the sending
principal but rather accepted the principal being sent.
This could have led to privilege escalation attacks. security@mozilla.org reports: Memory safety bugs present in Firefox 135 and Thunderbird
135. Some of these bugs showed evidence of memory corruption
and we presume that with enough effort some of these could
have been exploited to run arbitrary code. security@mozilla.org reports: CVE-2025-1938: Memory safety bugs present in Firefox 135,
Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7.
Some of these bugs showed evidence of memory corruption and
we presume that with enough effort some of these could have
been exploited to run arbitrary code. CVE-2025-1935: A web page could trick a user into setting
that site as the default handler for a custom URL protocol. CVE-2025-1934: It was possible to interrupt the processing
of a RegExp bailout and run additional JavaScript, potentially
triggering garbage collection when the engine was not
expecting it. security@mozilla.org reports: Memory safety bugs present in Firefox 135, Thunderbird 135,
Firefox ESR 115.20, Firefox ESR 128.7, and Thunderbird 128.7.
Some of these bugs showed evidence of memory corruption and
we presume that with enough effort some of these could have
been exploited to run arbitrary code. security@mozilla.org reports: It was possible to cause a use-after-free in the content
process side of a WebTransport connection, leading to a
potentially exploitable crash. security@mozilla.org reports: On 64-bit CPUs, when the JIT compiles WASM i32 return
values they can pick up bits from left over memory.
This can potentially cause them to be treated as a different
type. cna@mongodb.com reports: When run on commands with certain arguments set, explain may fail
- to validate these arguments before using them. This can lead to
+ to validate these arguments before using them. This can lead to
crashes in router servers. This affects MongoDB Server v5.0 prior
to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0
prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4 cna@mongodb.com reports: Specifically crafted MongoDB wire protocol messages can cause mongos
to crash during command validation. This can occur without using
an authenticated connection. This issue affects MongoDB v5.0
versions prior to 5.0.31, MongoDB v6.0 versions prior to6.0.20 and
MongoDB v7.0 versions prior to 7.0.16 cna@mongodb.com reports: A user authorized to access a view may be able to alter the intended
collation, allowing them to access to a different or unintended
view of underlying data. This issue affects MongoDB Server v5.0
version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.20,
MongoDB Server v7.0 version prior to 7.0.14 and MongoDB Server v7.3
versions prior to 7.3.4. Gert Doering reports: OpenVPN servers between 2.6.1 and 2.6.13 using
--tls-crypt-v2 can be made to abort with an ASSERT() message by
sending a particular combination of authenticated and malformed packets. To trigger the bug, a valid tls-crypt-v2 client key is needed, or
network observation of a handshake with a valid tls-crypt-v2 client key No crypto integrity is violated, no data is leaked, and no remote
code execution is possible. This bug does not affect OpenVPN clients. security@golang.org reports: Matching of hosts against proxy patterns can improperly treat an
IPv6 zone ID as a hostname component. For example, when the NO_PROXY
environment variable is set to "*.example.com", a request
to "[::1%25.example.com]:80` will incorrectly match and not
be proxied. go-redis is the official Redis client library for the Go programming
language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially
responds out of order when `CLIENT SETINFO` times out during
connection establishment. This can happen when the client is
configured to transmit its identity, there are network connectivity
- issues, or the client was configured with aggressive timeouts. The
- problem occurs for multiple use cases. For sticky connections, you
+ issues, or the client was configured with aggressive timeouts. The
+ problem occurs for multiple use cases. For sticky connections, you
receive persistent out-of-order responses for the lifetime of the
connection. All commands in the pipeline receive incorrect responses.
When used with the default ConnPool once a connection is returned
after use with ConnPool#Put the read buffer will be checked and the
connection will be marked as bad due to the unread data. This means
that at most one out-of-order response before the connection is
discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You
can prevent the vulnerability by setting the flag DisableIndentity
to true when constructing the client instance. golang-jwt is a Go implementation of JSON Web Tokens. Prior to
5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a
call to strings.Split) its argument (which is untrusted data) on
periods. As a result, in the face of a malicious request whose
Authorization header consists of Bearer followed by many period
characters, a call to that function incurs allocations to the tune
of O(n) bytes (where n stands for the length of the function's
- argument), with a constant factor of about 16. This issue is fixed
+ argument), with a constant factor of about 16. This issue is fixed
in 5.2.2 and 4.5.2. security@mozilla.org reports: An inconsistent comparator in xslt/txNodeSorter could have resulted
in potentially exploitable out-of-bounds access. Only affected
- version 122 and later. This vulnerability affects Firefox <
+ version 122 and later. This vulnerability affects Firefox <
136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird
< 128.8. Under certain circumstances, a user opt-in setting that Focus should
require authentication before use could have been be bypassed
- (distinct from CVE-2025-0245). This vulnerability affects Firefox
+ (distinct from CVE-2025-0245). This vulnerability affects Firefox
< 136. When String.toUpperCase() caused a string to get longer it was
possible for uninitialized memory to be incorporated into the result
string This vulnerability affects Firefox < 136 and Thunderbird
< 136. Websites redirecting to a non-HTTP scheme URL could allow a website
address to be spoofed for a malicious page This vulnerability affects
Firefox for iOS < 136. Suricate team reports: Multiple vulnerabilities Qt qtwebengine-chromium repo reports: Backports for 11 security bugs in Chromium: Electron developers report: This update fixes the following vulnerability: Gitlab reports: Cross-site Scripting (XSS) through merge-request error messages Cross-site Scripting (XSS) through improper rendering of certain file types Admin Privileges Persists After Role is Revoked External user can access internal projects Prompt injection in Amazon Q integration may allow unauthorized actions Uncontrolled Resource Consumption via a maliciously crafted terraform file in merge request Maintainer can inject shell code in Harbor project name configuration when using helper scripts Electron developers report: This update fixes the following vulnerability: Qt qtwebengine-chromium repo reports: Backports for 1 security bug in Chromium: The Varnish Development Team reports: A client-side desync vulnerability can be triggered in Varnish Cache
and Varnish Enterprise. This vulnerability can be triggered under
specific circumstances involving malformed HTTP/1 requests. Chrome Releases reports: This update includes 2 security fixes: php.net reports: The Shibboleth Project reports:
An updated version of the OpenSAML C++ library is available
which corrects a parameter manipulation vulnerability when using
SAML bindings that rely on non-XML signatures. The Shibboleth
Service Provider is impacted by this issue, and it manifests as
a critical security issue in that context.
Parameter manipulation allows the forging of signed SAML messages
A number of vulnerabilities in the OpenSAML library used by the
Shibboleth Service Provider allowed for creative manipulation of
parameters combined with reuse of the contents of older requests
to fool the library's signature verification of non-XML based
signed messages.
Most uses of that feature involve very low or
low impact use cases without critical security implications;
however, there are two scenarios that are much more critical,
one affecting the SP and one affecting some implementers who
have implemented their own code on top of our OpenSAML library
and done so improperly.
The SP's support for the HTTP-POST-SimpleSign SAML binding for
Single Sign-On responses is its critical vulnerability, and it
is enabled by default (regardless of what one's published SAML
metadata may advertise).
The other critical case involves a mistake that
does *not* impact the Shibboleth SP, allowing SSO to occur over
the HTTP-Redirect binding contrary to the plain language of the
SAML Browser SSO profile. The SP does not support this, but
other implementers may have done so.
Prior to updating, it is possible to mitigate the POST-SimpleSign
vulnerability by editing the protocols.xml configuration file and
removing this line:
Gitlab reports: CVE-2025-25291 and CVE-2025-25292 (third party gem ruby-saml) CVE-2025-27407 (third party gem graphql) Denial of Service Due to Inefficient Processing of Untrusted Input Credentials disclosed when repository mirroring fails Denial of Service Vulnerability in GitLab Approval Rules due to Unbounded Field Internal Notes in Merge Requests Are Emailed to Non-Members Upon Review Submission Maintainer can inject shell code in Google integrations Guest with custom Admin group member permissions can approve the users invitation despite user caps Vim reports: See https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf Chrome Releases reports: This update includes 5 security fixes: security@documentfoundation.org reports: LibreOffice supports Office URI Schemes to enable browser integration
of LibreOffice with MS SharePoint server. An additional scheme
'vnd.libreoffice.command' specific to LibreOffice was
- added. In the affected versions of LibreOffice a link in a browser
+ added. In the affected versions of LibreOffice a link in a browser
using that scheme could be constructed with an embedded inner URL
that when passed to LibreOffice could call internal macros with
arbitrary arguments. This issue affects LibreOffice: from 24.8
before < 24.8.5, from 25.2 before < 25.2.1. security-advisories@github.com reports: Vim is distributed with the tar.vim plugin, that allows
easy editing and viewing of (compressed or uncompressed) tar
files. Starting with 9.1.0858, the tar.vim plugin uses the
":read" ex command line to append below the
cursor position, however the is not sanitized and is taken
literally from the tar archive. This allows to execute
shellcommands via special crafted tar archives. Whether
this really happens, depends on the shell being used
('shell' option, which is set using $SHELL).
Electron develpers report: This update fixes the following vulnerabilities: Electron developers report: This update fixes the following vulnerabilities: security-advisories@github.com reports: Jinja is an extensible templating engine. Prior to 3.1.6, an
+ Jinja is an extensible templating engine. Prior to 3.1.6, an
oversight in how the Jinja sandboxed environment interacts with the
|attr filter allows an attacker that controls the content of a
template to execute arbitrary Python code. To exploit the
vulnerability, an attacker needs to control the content of a template.
Whether that is the case depends on the type of application using
- Jinja. This vulnerability impacts users of applications which
+ Jinja. This vulnerability impacts users of applications which
execute untrusted templates. Jinja's sandbox does catch calls
to str.format and ensures they don't escape the sandbox.
However, it's possible to use the |attr filter to get a reference
to a string's plain format method, bypassing the sandbox.
After the fix, the |attr filter no longer bypasses the environment's
attribute lookup. This vulnerability is fixed in 3.1.6. The X.Org project reports: The root cursor is referenced in the xserver as a global variable. If
a client manages to free the root cursor, the internal reference points
to freed memory and causes a use-after-free. The code in XkbVModMaskText() allocates a fixed sized buffer on the
stack and copies the names of the virtual modifiers to that buffer.
The code however fails to check the bounds of the buffer correctly and
would copy the data regardless of the size, which may lead to a buffer
overflow. The computation of the length in XkbSizeKeySyms() differs from what is
actually written in XkbWriteKeySyms(), which may lead to a heap based
buffer overflow. If XkbChangeTypesOfKey() is called with 0 group, it will resize the key
symbols table to 0 but leave the key actions unchanged.
If later, the same function is called with a non-zero value of groups,
this will cause a buffer overflow because the key actions are of the wrong
size. The function GetBarrierDevice() searches for the pointer device based on
its device id and returns the matching value, or supposedly NULL if no
match was found.
However the code will return the last element of the list if no matching
device id was found which can lead to out of bounds memory access. The function compCheckRedirect() may fail if it cannot allocate the backing
pixmap. In that case, compRedirectWindow() will return a BadAlloc error
without the validation of the window tree marked just before, which leaves
the validate data partly initialized, and the use of an uninitialized pointer
later. When a device is removed while still frozen, the events queued for that
device remain while the device itself is freed and replaying the events
will cause a use after free. When changing an alarm, the values of the change mask are evaluated one
after the other, changing the trigger values as requested and eventually,
SyncInitTrigger() is called.
If one of the changes triggers an error, the function will return early,
not adding the new sync object.
This can be used to cause a use after free when the alarm eventually
triggers. MITRE Caldera contributor report: In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e,
a Remote Code Execution (RCE) vulnerability was found in the dynamic
agent (implant) compilation functionality of the server. This allows
remote attackers to execute arbitrary code on the server that Caldera
is running on via a crafted web request to the Caldera server API used
for compiling and downloading of Caldera's Sandcat or Manx agent
(implants). This web request can use the gcc -extldflags linker flag
with sub-commands. Jenkins Security Advisory: Encrypted values of secrets stored in agent configuration revealed to users with Agent/Extended Read permission Encrypted values of secrets stored in view configuration revealed to users with View/Read permission CSRF vulnerability Open redirect vulnerability security-advisories@github.com reports: Spotipy is a lightweight Python library for the Spotify Web API.
The `CacheHandler` class creates a cache file to store the auth
- token. Prior to version 2.25.1, the file created has `rw-r--r--`
+ token. Prior to version 2.25.1, the file created has `rw-r--r--`
(644) permissions by default, when it could be locked down to
- `rw-------` (600) permissions. This leads to overly broad exposure
+ `rw-------` (600) permissions. This leads to overly broad exposure
of the spotify auth token. If this token can be read by an attacker
(another user on the machine, or a process running as another user),
it can be used to perform administrative actions on the Spotify
account, depending on the scope granted to the token. Version
2.25.1 tightens the cache file permissions. Chrome Releases reports: This update includes 14 security fixes: Electron developers report: This update fixes the following vulnerabilities: The NGINX Unit team reports: Unit 1.34.2 fixes two issues in the Java language module websocket code. vim reports: Potential code execution with tar.vim and special crafted tar files Vim is distributed with the tar.vim plugin, that allows easy
editing and viewing of (compressed or uncompressed) tar files. Since commit 129a844 (Nov 11, 2024 runtime(tar): Update tar.vim to
support permissions), the tar.vim plugin uses the ":read " ex command
line to append below the cursor position, however the is not sanitized
and is taken literaly from the tar archive. This allows to execute
shell commands via special crafted tar archives. Whether this really
happens, depends on the shell being used ('shell' option, which is set
using $SHELL). Impact is high but a user must be convinced to edit such a file
using Vim which will reveal the filename, so a careful user may suspect
some strange things going on. Gitlab reports: XSS in k8s proxy endpoint XSS Maven Dependency Proxy HTML injection leads to XSS on self hosted instances Improper Authorisation Check Allows Guest User to Read Security Policy Planner role can read code review analytics in private projects Chrome Releases reports: This update includes 1 security fix. Kevin Backhouse reports: A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4.
Versions prior to v0.28.0, such as v0.27.7, are not affected. Exiv2 is a
command-line utility and C++ library for reading, writing, deleting, and
modifying the metadata of image files. The heap overflow is triggered when
Exiv2 is used to write metadata into a crafted image file. An attacker
could potentially exploit the vulnerability to gain code execution, if
they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata. For
example, to trigger the bug in the Exiv2 command-line application, you
need to add an extra command-line argument such as fixiso. A shell injection vulnerability exists in GNU Emacs due to improper
handling of custom man URI schemes. Initially considered low severity, as it required user interaction with
local files, it was later discovered that an attacker could exploit this
vulnerability by tricking a user into visiting a specially crafted
website or an HTTP URL with a redirect, leading to arbitrary shell
command execution without further user action. An Emacs user who chooses to invoke elisp-completion-at-point (for
code completion) on untrusted Emacs Lisp source code can trigger unsafe
Lisp macro expansion that allows attackers to execute arbitrary code.
This unsafe expansion also occurs if a user chooses to enable on-the-fly
diagnosis that byte compiles untrusted Emacs Lisp source code. cve@mitre.org reports: Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization
are used, allows remote SQL injection. OpenSSH client host verification error (CVE-2025-26465) ssh(1) contains a logic error that allows an on-path attacker to
impersonate any server during certain conditions when the
VerifyHostKeyDNS option is enabled. OpenSSH server denial of service (CVE-2025-26466) The OpenSSH client and server are both vulnerable to a memory/CPU
denial of service while handling SSH2_MSG_PING packets. OpenSSH client host verification error (CVE-2025-26465) Under specific circumstances, a machine-in-the-middle may impersonate
any server when the client has the VerifyHostKeyDNS option enabled. OpenSSH server denial of service (CVE-2025-26466) During the processing of SSH2_MSG_PING packets, a server may be
subject to a memory/CPU denial of service. Chrome Releases reports: This update includes 3 security fixes: Chrome Releases reports: This update includes 4 security fixes: Chrome Releases reports: This update includes 12 security fixes: VSCode developers report: The update addresses these issues, including a fix for a security vulnerability. Graham Northup reports: A buffer overflow in extract_openvpn_cr allows attackers with a valid
LDAP username and who can control the challenge/response password field
to pass a string with more than 14 colons into this field and cause a
buffer overflow. The PostgreSQL Project reports:
Improper neutralization of quoting syntax in PostgreSQL
libpq functions PQescapeLiteral(), PQescapeIdentifier(),
PQescapeString(), and PQescapeStringConn() allows a
database input provider to achieve SQL injection in
certain usage patterns. Specifically, SQL injection
requires the application to use the function result to
construct input to psql, the PostgreSQL interactive
terminal. Similarly, improper neutralization of quoting
syntax in PostgreSQL command line utility programs
allows a source of command line arguments to achieve SQL
injection when client_encoding is BIG5 and
server_encoding is one of EUC_TW or MULE_INTERNAL.
Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and
13.19 are affected.
Gitlab reports: A CSP-bypass XSS in merge-request page Denial of Service due to Unbounded Symbol Creation Exfiltrate content from private issues using Prompt Injection A custom permission may allow overriding Repository settings Internal HTTP header leak via route confusion in workhorse SSRF via workspaces Unauthorized Incident Closure and Deletion by Planner Role in GitLab ActionCable does not invalidate tokens after revocation Intel reports:
A potential security vulnerability in some Intel Processors may allow
denial of service. Intel released microcode updates to mitigate this
potential vulnerability.
A potential security vulnerability in some Intel Software Guard
Extensions (Intel SGX) Platforms may allow denial of service. Intel
is released microcode updates to mitigate this potential
vulnerability.
Potential security vulnerabilities in the UEFI firmware for some Intel
Processors may allow escalation of privilege, denial of service, or
information disclosure. Intel released UEFI firmware and CPU microcode
updates to mitigate these potential vulnerabilities.
A potential security vulnerability in some 13th and 14th Generation
Intel Core™ Processors may allow denial of service. Intel released
microcode and UEFI reference code updates to mitigate this potential
vulnerability.
A potential security vulnerability in the Intel Data Streaming
Accelerator (Intel DSA) for some Intel Xeon Processors may allow
denial of service. Intel released software updates to mitigate this
potential vulnerability.
The OpenSSL project reports: RFC7250 handshakes with unauthenticated servers don't abort as expected (High).
Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. security@mozilla.org reports: A bug in WebAssembly code generation could have lead to a crash.
It may have been possible for an attacker to leverage this to achieve
code execution. A race condition could have led to private browsing tabs being
opened in normal browsing windows. This could have resulted in a
potential privacy leak. Certificate length was not properly checked when added to a certificate
- store. In practice only trusted data was processed.
+
+
+
Problem Description:
Impact:
Description
(High) SECURITY-3618 / CVE-2025-5115
(Medium) SECURITY-3594 / CVE-2025-59474
(Medium) SECURITY-3625 / CVE-2025-59475
(Medium) SECURITY-3424 / CVE-2025-59476
Problem Description:
Impact:
https://gitlab.gnome.org/GNOME/libxslt/-/issues/139
https://project-zero.issues.chromium.org/issues/409761909
https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
https://project-zero.issues.chromium.org/issues/410569369
Problem Description:
Impact:
-
-
[CVE-2024-55549] Fix UAF related to excluded namespaces
[CVE-2025-24855] Fix use-after-free of XPath context node
Description
(Medium) SECURITY-3512 / CVE-2025-31720
Description
(Medium) SECURITY-3513 / CVE-2025-31721
<Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
path="/SAML2/POST-SimpleSign" />
-
Description
(Medium) SECURITY-3495 / CVE-2025-27622
Description
(Medium) SECURITY-3496 / CVE-2025-27623
Description
(Medium) SECURITY-3498 / CVE-2025-27624
Description
(Medium) SECURITY-3501 / CVE-2025-27625
Summary
Description
Impact
Problem Description
Impact
Problem Description:
Problem Description:
Impact:
Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Memory safety bugs present in Firefox 134 and Thunderbird 134. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack.
security@mozilla.org reports:
An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash.
An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash.
A race during concurrent delazification could have led to a use-after-free.
Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird - 128.6. Some of these bugs showed evidence of memory corruption and + 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the Other field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript.
MariaDB reports:
Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Sam Hocevar reports:
Multiple memory leaks and invalid memory accesses:
- CVE-2018-20545: Illegal WRITE memory access at common-image.c
- CVE-2018-20546: Illegal READ memory access at caca/dither.c
- CVE-2018-20547: Illegal READ memory access at caca/dither.c
- CVE-2018-20548: Illegal WRITE memory access at common-image.c
- CVE-2018-20549: Illegal WRITE memory access at caca/file.c
-- CVE-2021-3410: Buffer overflow in libcaca/caca/canvas.c in function caca_resize
+- CVE-2021-3410: Buffer overflow in libcaca/caca/canvas.c in function caca_resize
- CVE-2021-30498: Heap buffer overflow in export.c in function export_tga
- CVE-2021-30499: Buffer overflow in export.c in function export_troff
Cacti repo reports:
- security #GHSA-c5j8-jxj3-hh36: Authenticated RCE via multi-line SNMP responses
- security #GHSA-f9c7-7rc3-574c: SQL Injection vulnerability when using tree rules through Automation API
- security #GHSA-fh3x-69rr-qqpp: SQL Injection vulnerability when request automation devices
- security #GHSA-fxrq-fr7h-9rqq: Arbitrary File Creation leading to RCE
- security #GHSA-pv2c-97pp-vxwg: Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path
- security #GHSA-vj9g-p7f2-4wqj: SQL Injection vulnerability when view host template
The nginx development team reports:
This update fixes the SSL session reuse vulnerability.
Qt qtwebengine-chromium repo reports:
Backports for 9 security bugs in Chromium:
- CVE-2024-12693: Out of bounds memory access in V8
- CVE-2024-12694: Use after free in Compositing
- CVE-2025-0436: Integer overflow in Skia
- CVE-2025-0437: Out of bounds read in Metrics
- CVE-2025-0438: Stack buffer overflow in Tracing
- CVE-2025-0441: Inappropriate implementation in Fenced Frames
- CVE-2025-0443: Insufficient data validation in Extensions
- CVE-2025-0447: Inappropriate implementation in Navigation
- CVE-2025-0611: Object corruption in V8
Chrome Releases reports:
This update includes 2 security fixes:
- [384844003] Medium CVE-2025-0762: Use after free in DevTools. Reported by Sakana.S on 2024-12-18
Dendrite team reports:
This is a security release, gomatrixserverlib was vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions.
In some cases, the ktrace facility will log the contents of kernel structures to userspace. In one such case, ktrace dumps a variable-sized sockaddr to userspace. There, the full sockaddr is copied, even when it is shorter than the full size. This can result in up to 14 uninitialized bytes of kernel memory being copied out to userspace.
It is possible for an unprivileged userspace program to leak 14 bytes of a kernel heap allocation to userspace.
When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd.
An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved.
In order to export a file system via NFS, the file system must define a file system identifier (FID) for all exported files. Each FreeBSD file system implements operations to translate between FIDs and vnodes, the kernel's in-memory representation of files. These operations are VOP_VPTOFH(9) and VFS_FHTOVP(9).
On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack buffer overflow.
A NFS server that exports a cd9660, tarfs, or ext2fs file system can be made to panic by mounting and accessing the export with an NFS client. Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, - though this has not been demonstrated. In particular, release + though this has not been demonstrated. In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic.
A logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective.
A passive observer could detect which network packets contain real keystrokes, and infer the specific characters being transmitted from packet timing.
Golang reports:
This update include security fixes:
- CVE-2024-45338: Non-linear parsing of case-insensitive content
The Vaultwarden project reports:
RCE in the admin panel.
Getting access to the Admin Panel via CSRF.
Escalation of privilege via variable confusion in OrgHeaders trait.
Chrome Releases reports:
This update includes 3 security fixes:
- [386143468] High CVE-2025-0611: Object corruption in V8. Reported by 303f06e3 on 2024-12-26
- [385155406] High CVE-2025-0612: Out of bounds memory access in V8. Reported by Alan Goodman on 2024-12-20
Chrome Releases reports:
This update includes 16 security fixes:
- [374627491] High CVE-2025-0434: Out of bounds memory access in V8. Reported by ddme on 2024-10-21
- [379652406] High CVE-2025-0435: Inappropriate implementation in Navigation. Reported by Alesandro Ortiz on 2024-11-18
- [382786791] High CVE-2025-0436: Integer overflow in Skia. Reported by Han Zheng (HexHive) on 2024-12-08
- [378623799] High CVE-2025-0437: Out of bounds read in Metrics. Reported by Xiantong Hou of Wuheng Lab and Pisanbao on 2024-11-12
- [384186539] High CVE-2025-0438: Stack buffer overflow in Tracing. Reported by Han Zheng (HexHive) on 2024-12-15
- [371247941] Medium CVE-2025-0439: Race in Frames. Reported by Hafiizh on 2024-10-03
- [40067914] Medium CVE-2025-0440: Inappropriate implementation in Fullscreen. Reported by Umar Farooq on 2023-07-22
- [368628042] Medium CVE-2025-0441: Inappropriate implementation in Fenced Frames. Reported by someoneverycurious on 2024-09-21
- [40940854] Medium CVE-2025-0442: Inappropriate implementation in Payments. Reported by Ahmed ElMasry on 2023-11-08
- [376625003] Medium CVE-2025-0443: Insufficient data validation in Extensions. Reported by Anonymous on 2024-10-31
- [359949844] Low CVE-2025-0446: Inappropriate implementation in Extensions. Reported by Hafiizh on 2024-08-15
- [375550814] Low CVE-2025-0447: Inappropriate implementation in Navigation. Reported by Khiem Tran (@duckhiem) on 2024-10-25
- [377948403] Low CVE-2025-0448: Inappropriate implementation in Compositing. Reported by Dahyeon Park on 2024-11-08
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-12693.
- Security: backported fix for CVE-2024-12694.
- Security: backported fix for CVE-2024-12695.
- Security: backported fix for CVE-2025-0434.
- Security: backported fix for CVE-2025-0436.
- Security: backported fix for CVE-2025-0437.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2025-0434.
- Security: backported fix for CVE-2025-0436.
- Security: backported fix for CVE-2025-0437.
Gitlab reports:
Stored XSS via Asciidoctor render
Developer could exfiltrate protected CI/CD variables via CI lint
Cyclic reference of epics leads resource exhaustion
The ClamAV project reports:
A possible buffer overflow read bug is found in the OLE2 file parser that could cause a denial-of-service (DoS) condition.
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-12053.
The Go project reports:
crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.
net/http: sensitive headers incorrectly sent after cross-domain redirect
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-12053.
- Security: backported fix for CVE-2024-12693.
- Security: backported fix for CVE-2024-12694.
Filippo Valsorda reports:
A plugin name containing a path separator may allow an attacker to execute an arbitrary binary.
Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the plugin.NewIdentity, plugin.NewIdentityWithoutData, or plugin.NewRecipient APIs.
Frank Lichtenheld reports:
[OpenVPN v2.6.13 ...] improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN - this would not result in a crash, buffer overflow or other security issues, but the server would then misparse incoming IV variables and produce misleading error messages.
rsync reports:
This update includes multiple security fixes:
- CVE-2024-12084: Heap Buffer Overflow in Checksum Parsing
- CVE-2024-12085: Info Leak via uninitialized Stack contents defeats ASLR
- CVE-2024-12086: Server leaks arbitrary client files
- CVE-2024-12087: Server can make client write files outside of destination directory using symbolic links
- CVE-2024-12088: --safe-links Bypass
- CVE-2024-12747: symlink race condition
Git development team reports:
CVE-2024-50349: Printing unsanitized URLs when asking for credentials made the user susceptible to crafted URLs (e.g. in recursive clones) that mislead the user into typing in passwords for trusted sites that would then be sent to untrusted sites instead.
CVE-2024-52006: Git may pass on Carriage Returns via the credential protocol to credential helpers which use line-reading functions that interpret said Carriage Returns as line endings, even though Git did not intend that.
Keycloak reports:
This update includes 2 security fixes:
- CVE-2024-11734: Unrestricted admin use of system and environment variables
- CVE-2024-11736: Denial of Service in Keycloak Server via Security Headers
cve@mitre.org reports:
An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to execute a path traversal.
Redis core team reports:
An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service.The problem exists in Redis 7.0.0 or newer.
Redis core team reports:
An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting.
Gitlab reports:
Possible access token exposure in GitLab logs
Cyclic reference of epics leads resource exhaustion
Unauthorized user can manipulate status of issues in public projects
Instance SAML does not respect external_provider configuration