diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml index b41c5aaddc65..f29b93836ed7 100644 --- a/security/vuxml/vuln/2026.xml +++ b/security/vuxml/vuln/2026.xml @@ -1,86 +1,115 @@ + + security/libsodium -- crypto_core_ed25519_is_valid_point mishandles checks for whether an elliptic curve point is valid + + +libsodium +1.0.21 + + + + +

Libsodium maintainer reports:

+
+

The function crypto_core_ed25519_is_valid_point(), a low-level function + used to check if a given elliptic curve point is valid, was supposed to + reject points that aren't in the main cryptographic group, + but some points were slipping through.

+
+ + + + CVE-2025-69277 + https://00f.net/2025/12/30/libsodium-vulnerability/ + + + 2025-12-30 + 2026-01-07 + + + mail/mailpit -- Server-Side Request Forgery mailpit 1.28.1

Mailpit author reports:

A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources.

The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.

 CVE-2026-21859 https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr 2026-01-06 2026-01-06 net-mgmt/net-snmp -- Remote Code Execution (snmptrapd) net-snmp 5.9.5

net-snmp development team reports:

A specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash.

 CVE-2025-68615 https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq 2025-12-23 2026-01-06 gstreamer1-plugins-bad -- Out-of-bounds reads in MIDI parser gstreamer1-plugins-bad 1.26.10

The GStreamer Security Center reports:

Multiple out-of-bounds reads in the MIDI parser that can cause crashes for certain input files.

 CVE-2025-67326 CVE-2025-67327 https://gstreamer.freedesktop.org/security/sa-2025-0009.html 2025-12-27 2026-01-04