The GStreamer project reports multiple security vulnerabilities fixed in the 1.28.2 release:
Several security vulnerabilities were addressed, including:

- H.264 video parser NULL pointer dereference when freeing SPS/MVC data.
- Integer overflows in the AV1 LEB128 parser, H.266/VVC video parser, and WAV parser cue handling.
- Heap buffer overflow in the Matroska demuxer.
- Assertion failures in the FLV demuxer on corrupted streams.
- NULL-pointer dereferences in the mDVDsub subtitle parser.
- Multiple out-of-bounds reads and writes in the MOV/MP4 demuxer audio channel layout parsing.
- Denial of service in SRT/WebVTT parser.

These could lead to application crashes, memory exhaustion, or potentially arbitrary code execution.

Qt qtwebengine-chromium repo reports:
Backports for 262 security bugs in Chromium:
- CVE-2025-13223: Type Confusion in V8
- CVE-2025-13224: Type Confusion in V8
- CVE-2025-13630: Type Confusion in V8
- CVE-2025-13632: Inappropriate implementation in DevTools
- CVE-2025-13634: Inappropriate implementation in Downloads
- CVE-2025-13721: Race in v8
- CVE-2025-14766: Out of bounds read and write in V8
- CVE-2026-0628: Insufficient policy enforcement in WebView tag
- CVE-2026-0899: Out of bounds memory access in V8
- CVE-2026-0902: Inappropriate implementation in V8
- CVE-2026-0905: Insufficient policy enforcement in Network
- CVE-2026-1220: Description pending NVD publication
- CVE-2026-1861: Heap buffer overflow in libvpx
- CVE-2026-2314: Heap buffer overflow in Codecs
- CVE-2026-2315: Inappropriate implementation in WebGPU
- CVE-2026-2316: Insufficient policy enforcement in Frames
- CVE-2026-2317: Inappropriate implementation in Animation
- CVE-2026-2319: Race in DevTools
- CVE-2026-2320: Inappropriate implementation in File input
- CVE-2026-2441: Use after free in CSS
- CVE-2026-2648: Heap buffer overflow in PDFium
- CVE-2026-2649: Integer overflow in V8
- CVE-2026-2650: Heap buffer overflow in Media
- CVE-2026-3061: Out of bounds read in Media
- CVE-2026-3062: Out of bounds read and write in Tint
- CVE-2026-3063: Inappropriate implementation in DevTools
- CVE-2026-3536: Integer overflow in ANGLE
- CVE-2026-3537: Object lifecycle issue in PowerVR
- CVE-2026-3538: Integer overflow in Skia
- CVE-2026-3539: Object lifecycle issue in DevTools
- CVE-2026-3540: Inappropriate implementation in WebAudio
- CVE-2026-3541: Inappropriate implementation in CSS
- CVE-2026-3542: Inappropriate implementation in WebAssembly
- CVE-2026-3543: Inappropriate implementation in V8
- CVE-2026-3544: Heap buffer overflow in WebCodecs
- CVE-2026-3545: Insufficient data validation in Navigation
- CVE-2026-3909: Out of bounds write in Skia
- CVE-2026-3910: Inappropriate implementation in V8
- CVE-2026-3919: Use after free in Extensions
- CVE-2026-3921: Use after free in TextEncoding
- CVE-2026-3922: Use after free in MediaStream
- CVE-2026-3923: Use after free in WebMIDI
- CVE-2026-3924: use after free in WindowDialog
- CVE-2026-3926: Out of bounds read in V8
- CVE-2026-3929: Side-channel information leakage in ResourceTiming
- CVE-2026-3931: Heap buffer overflow in Skia
- CVE-2026-3934: Insufficient policy enforcement in ChromeDriver
- CVE-2026-3938: Insufficient policy enforcement in Clipboard
- CVE-2026-3940: Insufficient policy enforcement in DevTools
- CVE-2026-3941: Insufficient policy enforcement in DevTools
- CVE-2026-3942: Incorrect security UI in PictureInPicture
- CVE-2026-4440: Out of bounds read and write in WebGL
- CVE-2026-4441: Use after free in Base
- CVE-2026-4442: Heap buffer overflow in CSS
- CVE-2026-4443: Heap buffer overflow in WebAudio
- CVE-2026-4444: Stack buffer overflow in WebRTC
- CVE-2026-4445: Use after free in WebRTC
- CVE-2026-4446: Use after free in WebRTC
- CVE-2026-4448: Heap buffer overflow in ANGLE
- CVE-2026-4449: Use after free in Blink
- CVE-2026-4450: Out of bounds write in V8
- CVE-2026-4451: Insufficient validation of untrusted input in Navigation
- CVE-2026-4452: Integer overflow in ANGLE
- CVE-2026-4453: Integer overflow in Dawn
- CVE-2026-4454: Use after free in Network
- CVE-2026-4455: Heap buffer overflow in PDFium
- CVE-2026-4457: Type Confusion in V8
- CVE-2026-4458: Use after free in Extensions
- CVE-2026-4459: Out of bounds read and write in WebAudio
- CVE-2026-4460: Out of bounds read in Skia
- CVE-2026-4462: Out of bounds read in Blink
- CVE-2026-4463: Heap buffer overflow in WebRTC
- CVE-2026-4464: Integer overflow in ANGLE
- CVE-2026-4674: Out of bounds read in CSS
- CVE-2026-4675: Heap buffer overflow in WebGL
- CVE-2026-4677: Out of bounds read in WebAudio
- CVE-2026-4679: Integer overflow in Fonts
- CVE-2026-5272: Heap buffer overflow in GPU
- CVE-2026-5273: Use after free in CSS
- CVE-2026-5274: Integer overflow in Codecs
- CVE-2026-5275: Heap buffer overflow in ANGLE
- CVE-2026-5276: Insufficient policy enforcement in WebUSB
- CVE-2026-5277: Integer overflow in ANGLE
- CVE-2026-5279: Object corruption in V8
- CVE-2026-5280: Use after free in WebCodecs
- CVE-2026-5281: Use after free in Dawn
- CVE-2026-5282: Out of bounds read in WebCodecs
- CVE-2026-5283: Inappropriate implementation in ANGLE
- CVE-2026-5284: Use after free in Dawn
- CVE-2026-5285: Use after free in WebGL
- CVE-2026-5287: Use after free in PDF
- CVE-2026-5289: Use after free in Navigation
- CVE-2026-5290: Use after free in Compositing
- CVE-2026-5291: Inappropriate implementation in WebGL
- CVE-2026-5292: Out of bounds read in WebCodecs
- CVE-2026-5860: Use after free in WebRTC
- CVE-2026-5861: Use after free in V8
- CVE-2026-5862: Inappropriate implementation in V8
- CVE-2026-5863: Inappropriate implementation in V8
- CVE-2026-5865: Type Confusion in V8
- CVE-2026-5866: Use after free in Media
- CVE-2026-5868: Heap buffer overflow in ANGLE
- CVE-2026-5870: Integer overflow in Skia
- CVE-2026-5871: Type Confusion in V8
- CVE-2026-5872: Use after free in Blink
- CVE-2026-5873: Out of bounds read and write in V8
- CVE-2026-5875: Policy bypass in Blink
- CVE-2026-5876: Side-channel information leakage in Navigation
- CVE-2026-5877: Use after free in Navigation
- CVE-2026-5878: Incorrect security UI in Blink
- CVE-2026-5879: Insufficient validation of untrusted input in ANGLE
- CVE-2026-5880: Incorrect security UI in browser UI
- CVE-2026-5882: Incorrect security UI in Fullscreen
- CVE-2026-5883: Use after free in Media
- CVE-2026-5884: Insufficient validation of untrusted input in Media
- CVE-2026-5885: Insufficient validation of untrusted input in WebML
- CVE-2026-5886: Out of bounds read in WebAudio
- CVE-2026-5888: Uninitialized Use in WebCodecs
- CVE-2026-5889: Cryptographic Flaw in PDFium
- CVE-2026-5890: Race in WebCodecs
- CVE-2026-5891: Insufficient policy enforcement in browser UI
- CVE-2026-5893: Race in V8
- CVE-2026-5894: Inappropriate implementation in PDF
- CVE-2026-5896: Policy bypass in Audio
- CVE-2026-5899: Incorrect security UI in History Navigation
- CVE-2026-5900: Policy bypass in Downloads
- CVE-2026-5901: Policy bypass in DevTools
- CVE-2026-5903: Policy bypass in IFrameSandbox
- CVE-2026-5904: Use after free in V8
- CVE-2026-5907: Insufficient data validation in Media
- CVE-2026-5908: Integer overflow in Media
- CVE-2026-5909: Integer overflow in Media
- CVE-2026-5910: Integer overflow in Media
- CVE-2026-5911: Policy bypass in ServiceWorkers
- CVE-2026-5912: Integer overflow in WebRTC
- CVE-2026-5913: Out of bounds read in Blink
- CVE-2026-5914: Type Confusion in CSS
- CVE-2026-5915: Insufficient validation of untrusted input in WebML
- CVE-2026-5918: Inappropriate implementation in Navigation
- CVE-2026-5919: Insufficient validation of untrusted input in WebSockets
- CVE-2026-6296: Heap buffer overflow in ANGLE
- CVE-2026-6297: Use after free in Proxy
- CVE-2026-6298: Heap buffer overflow in Skia
- CVE-2026-6299: Use after free in Prerender
- CVE-2026-6300: Use after free in CSS
- CVE-2026-6301: Type Confusion in Turbofan
- CVE-2026-6302: Use after free in Video
- CVE-2026-6303: Use after free in Codecs
- CVE-2026-6304: Use after free in Graphite
- CVE-2026-6305: Heap buffer overflow in PDFium
- CVE-2026-6306: Heap buffer overflow in PDFium
- CVE-2026-6307: Type Confusion in Turbofan
- CVE-2026-6308: Out of bounds read in Media
- CVE-2026-6309: Use after free in Viz
- CVE-2026-6311: Uninitialized Use in Accessibility
- CVE-2026-6312: Insufficient policy enforcement in Passwords
- CVE-2026-6313: Insufficient policy enforcement in CORS
- CVE-2026-6314: Out of bounds write in GPU
- CVE-2026-6316: Use after free in Forms
- CVE-2026-6359: Use after free in Video
- CVE-2026-6360: Use after free in FileSystem
- CVE-2026-6361: Heap buffer overflow in PDFium
- CVE-2026-6362: Use after free in Codecs
- CVE-2026-6363: Type Confusion in V8
- CVE-2026-6364: Out of bounds read in Skia
- CVE-2026-6919: Use after free in DevTools
- CVE-2026-6920: Out of bounds read in GPU
- CVE-2026-7333: Use after free in GPU
- CVE-2026-7335: Use after free in media
- CVE-2026-7336: Use after free in WebRTC
- CVE-2026-7339: Heap buffer overflow in WebRTC
- CVE-2026-7340: Integer overflow in ANGLE
- CVE-2026-7341: Use after free in WebRTC
- CVE-2026-7342: Use after free in WebView
- CVE-2026-7343: Use after free in Views
- CVE-2026-7344: Use after free in Accessibility
- CVE-2026-7345: Insufficient validation of untrusted input in Feedback
- CVE-2026-7346: Inappropriate implementation in Tint
- CVE-2026-7348: Use after free in Codecs
- CVE-2026-7349: Use after free in Cast
- CVE-2026-7350: Use after free in WebMIDI
- CVE-2026-7351: Race in MHTML
- CVE-2026-7353: Heap buffer overflow in Skia
- CVE-2026-7354: Out of bounds read and write in Angle
- CVE-2026-7355: Use after free in Media
- CVE-2026-7356: Use after free in Navigation
- CVE-2026-7357: Use after free in GPU
- CVE-2026-7359: Use after free in ANGLE
- CVE-2026-7360: Insufficient validation of untrusted input in Compositing
- CVE-2026-7363: Use after free in Canvas
- CVE-2026-7899: Out of bounds read and write in V8
- CVE-2026-7900: Heap buffer overflow in ANGLE
- CVE-2026-7901: Use after free in ANGLE
- CVE-2026-7902: Out of bounds memory access in V8
- CVE-2026-7903: Integer overflow in ANGLE
- CVE-2026-7904: Out of bounds read in Fonts
- CVE-2026-7906: Use after free in SVG
- CVE-2026-7907: Use after free in DOM
- CVE-2026-7908: Use after free in Fullscreen
- CVE-2026-7910: Use after free in Views
- CVE-2026-7912: Integer overflow in GPU
- CVE-2026-7914: Type Confusion in Accessibility
- CVE-2026-7916: Insufficient data validation in InterestGroups
- CVE-2026-7917: Use after free in Fullscreen
- CVE-2026-7918: Use after free in GPU
- CVE-2026-7919: Use after free in Aura
- CVE-2026-7920: Use after free in Skia
- CVE-2026-7921: Use after free in Passwords
- CVE-2026-7922: Use after free in ServiceWorker
- CVE-2026-7923: Out of bounds write in Skia
- CVE-2026-7924: Uninitialized Use in Dawn
- CVE-2026-7926: Use after free in PresentationAPI
- CVE-2026-7927: Type Confusion in Runtime
- CVE-2026-7929: Use after free in MediaRecording
- CVE-2026-7933: Out of bounds read in WebCodecs
- CVE-2026-7935: Inappropriate implementation in Speech
- CVE-2026-7937: Insufficient policy enforcement in DevTools
- CVE-2026-7938: Use after free in CSS
- CVE-2026-7940: Use after free in V8
- CVE-2026-7942: Integer overflow in ANGLE
- CVE-2026-7944: Insufficient validation of untrusted input in Persistent Cache
- CVE-2026-7945: Insufficient validation of untrusted input in COOP
- CVE-2026-7946: Insufficient policy enforcement in WebUI
- CVE-2026-7947: Insufficient validation of untrusted input in Network
- CVE-2026-7949: Out of bounds read in Skia
- CVE-2026-7950: Out of bounds read and write in GFX
- CVE-2026-7951: Out of bounds write in WebRTC
- CVE-2026-7954: Race in Shared Storage
- CVE-2026-7955: Uninitialized Use in GPU
- CVE-2026-7956: Use after free in Navigation
- CVE-2026-7957: Out of bounds write in Media
- CVE-2026-7959: Inappropriate implementation in Navigation
- CVE-2026-7963: Inappropriate implementation in ServiceWorker
- CVE-2026-7964: Insufficient validation of untrusted input in FileSystem
- CVE-2026-7965: Insufficient validation of untrusted input in DevTools
- CVE-2026-7967: Insufficient validation of untrusted input in Navigation
- CVE-2026-7968: Insufficient validation of untrusted input in CORS
- CVE-2026-7969: Integer overflow in Network
- CVE-2026-7971: Inappropriate implementation in ORB
- CVE-2026-7972: Uninitialized Use in GPU
- CVE-2026-7973: Integer overflow in Dawn
- CVE-2026-7974: Use after free in Blink
- CVE-2026-7975: Use after free in DevTools
- CVE-2026-7976: Use after free in Views
- CVE-2026-7977: Inappropriate implementation in Canvas
- CVE-2026-7980: Use after free in WebAudio
- CVE-2026-7982: Uninitialized Use in WebCodecs
- CVE-2026-7983: Out of bounds read in Dawn
- CVE-2026-7985: Use after free in GPU
- CVE-2026-7986: Insufficient policy enforcement in Autofill
- CVE-2026-7987: Use after free in WebRTC
- CVE-2026-7988: Type Confusion in WebRTC
- CVE-2026-7989: Insufficient data validation in DataTransfer
- CVE-2026-7991: Use after free in UI
- CVE-2026-7993: Insufficient validation of untrusted input in Payments
- CVE-2026-7996: Insufficient validation of untrusted input in SSL
- CVE-2026-7998: Insufficient validation of untrusted input in Dialog
- CVE-2026-7999: Inappropriate implementation in V8
- CVE-2026-8002: Use after free in Audio
- CVE-2026-8003: Insufficient validation of untrusted input in TabGroups
- CVE-2026-8004: Insufficient policy enforcement in DevTools
- CVE-2026-8007: Insufficient validation of untrusted input in Cast
The rsync project reports:
Six CVEs are fixed in this release. All six are assigned by VulnCheck as CNA. Affected versions are 3.4.2 and earlier in every case.
In addition to the six CVE fixes, this release adds defence-in-depth hardening on several adjacent paths: bounded wire-supplied counts and lengths in flist/io/acls/xattrs, a guard against length underflow in cumulative snprintf() callers, a parent block-index bounds check on the receiver, a NULL check in read_delay_line(), a lower ceiling on MAX_WIRE_DEL_STAT to avoid signed-int overflow in the read_del_stats() accumulator, rejection of hyphen-prefixed remote-shell hostnames (defence-in-depth against argv-injection in tooling that forwards untrusted input into the hostspec position; reported by Aisle Research via Michal Ruprich), and a NULL-check on localtime_r() in timestring() to keep a malicious server from crashing the client by advertising a file with an out-of-range modtime.
In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected.
In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.
When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell.
The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network.
libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024).
An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.
ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges.
The missing validation allows an unprivileged local user to escalate privileges, potentially gaining full control of the affected system.
When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated.
If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space.
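The check the advisory describes as missing, as an added example that is not FreeBSD's fusefs code: it treats the daemon-supplied FUSE_LISTXATTR reply as untrusted, bounds every scan by the reply length instead of calling strlen() on it first, and checks the destination before writing the length-prefixed layout that FreeBSD's extattr_list_file(2) returns. The function names, the 255-byte per-name limit and the sample replies are constructed here; namespace-prefix handling is left out.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Constructed example, not FreeBSD's fusefs code. A FUSE_LISTXATTR reply
 * must be a packed sequence of NUL-terminated attribute names; the advisory
 * above describes trusting that the final NUL is present. Every walk here
 * is bounded by `len`, never by strlen() on the raw reply. */

/* Largest name representable by the one-byte length prefix of the
 * extattr_list_file(2) output layout. */
#define XATTR_NAME_MAX_OUT 255

/* Returns the number of names if buf[0..len) is a well-formed packed list,
 * or -1 if any name is unterminated, empty, or too long to encode. */
ssize_t
fuse_listxattr_validate(const char *buf, size_t len)
{
    size_t off = 0;
    ssize_t count = 0;

    while (off < len) {
        /* memchr() stops at len - off bytes; strlen() would run past them. */
        const char *nul = memchr(buf + off, '\0', len - off);
        if (nul == NULL)
            return -1;                      /* unterminated final name */
        size_t namelen = (size_t)(nul - (buf + off));
        if (namelen == 0 || namelen > XATTR_NAME_MAX_OUT)
            return -1;                      /* empty or unencodable name */
        off += namelen + 1;
        count++;
    }
    return count;
}

/* Converts a packed list into the length-prefixed layout (one length byte,
 * then the name bytes, no NUL) in `out`. Returns bytes written, -1 for a
 * malformed reply, -2 if `out` is too small; the second buffer is never
 * written past `outlen`, whatever lengths the daemon chose. */
ssize_t
fuse_listxattr_to_bsd(const char *buf, size_t len, char *out, size_t outlen)
{
    if (fuse_listxattr_validate(buf, len) < 0)
        return -1;

    size_t off = 0, written = 0;
    while (off < len) {
        size_t namelen = strlen(buf + off); /* safe: every name validated */
        if (outlen - written < namelen + 1)
            return -2;                      /* would overflow `out` */
        out[written] = (char)(unsigned char)namelen;
        memcpy(out + written + 1, buf + off, namelen);
        written += namelen + 1;
        off += namelen + 1;
    }
    return (ssize_t)written;
}
```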
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object.
In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed, resulting in a use-after-free vulnerability.
The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs.
Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.
The nginx project reports:
nginx 1.31.0 fixes multiple security issues affecting HTTP/2 proxying, rewrite handling, SCGI/uWSGI response handling, charset conversion, HTTP/3 connection migration, and OCSP resolver response processing.
Oracle reports:
See linked CVEs for details.
The MariaDB project reports:
See linked CVEs for details.
Vinyl Development Team reports:
A deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass or possibly even information disclosure and manipulation.
The PostgreSQL project reports:
Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice.
Integer wraparound in multiple PostgreSQL server features allows an application input provider to cause the server to undersize an allocation and write out-of-bounds. This results in a segmentation fault.
Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones.
Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM.
SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Versions before PostgreSQL 17 are unaffected.
PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory. Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory.
PostgreSQL discloses MD5-hashed passwords via covert timing channel. Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier.
PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion. Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket.
PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array. Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Versions before PostgreSQL 18 are unaffected.
PostgreSQL refint allows stack buffer overflow and SQL injection. Stack buffer overflow in PostgreSQL module refint allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a refint cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update.
PostgreSQL REFRESH PUBLICATION allows SQL injection via table name. SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Versions before PostgreSQL 16 are unaffected.
nginx development team reports:
When using the "proxy_set_body" directive, an attacker might inject data in the proxied request to an HTTP/2 backend.
A heap memory buffer overflow might occur in a worker process while handling a specially crafted request by ngx_http_rewrite_module, potentially resulting in arbitrary code execution.
A heap memory buffer overread might occur in a worker process while handling a specially crafted response by ngx_http_scgi_module or ngx_http_uwsgi_module, allowing an attacker to cause a disclosure of worker process memory or a segmentation fault in a worker process.
A heap memory buffer overread might occur in a worker process while handling a specially sent response with decoding from UTF-8 via the "charset_map" directive, allowing an attacker to cause a limited disclosure of worker process memory or a segmentation fault in a worker process.
When using HTTP/3, processing of connection migration might cause new QUIC streams to receive a new client address before validation, allowing an attacker to cause address spoofing.
A use-after-free might occur during DNS server response processing if the "ssl_ocsp" directive was used, allowing an attacker to cause worker process memory corruption or a segmentation fault in a worker process.
Mailpit author reports:
Set a default 50MB per message limit to prevent DoS via unlimited SMTP DATA and /api/v1/send body sizes (GHSA-fpxj-m5q8-fphw)
Include CGNAT (Carrier-Grade NAT) in internal IP checks (GHSA-j3fj-qppj-fmmc)
Block internal IP access by default in HTML check (GHSA-j3fj-qppj-fmmc)
Fix for path traversal & arbitrary file write in mailpit dump --http <instance> via attacker-controlled message IDs (GHSA-qx5x-85p8-vg4j)
Fix concurrent map read & write in proxy CSS rewriter (GHSA-w4vj-r5pg-3722)
https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf reports:
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context.
Gitlab reports:
Cross-site Scripting issue in Analytics dashboard chart rendering impacts GitLab EE
Cross-site Scripting issue in global search impacts GitLab CE/EE
Cross-site Scripting issue in Duo Agent output rendering impacts GitLab EE
Cross-site Scripting issue in Analytics Dashboard impacts GitLab EE
Denial of Service issue in CI/CD job update API impacts GitLab CE/EE
Denial of Service issue in Duo Workflows API impacts GitLab CE/EE
Denial of Service issue in internal API endpoints impacts GitLab CE/EE
Improper Authorization issue in GraphQL token scope enforcement impacts GitLab CE/EE
Denial of Service issue in Insights Configuration impacts GitLab EE
Access Control issue in Issues API impacts GitLab CE/EE
Denial of Service issue in direct transfer CSV parser impacts GitLab CE/EE
CSRF issue in JiraConnect subscriptions impacts GitLab CE/EE
Confused Deputy issue in Jira integration impacts GitLab CE/EE
Cross-site Scripting issue in Banzai markdown sanitizer impacts GitLab CE/EE
Cross-site Scripting issue in achievement email notifications impacts GitLab CE/EE
Access Control issue in Helm package upload impacts GitLab CE/EE
Improper Access Control issue in NuGet Symbol Server impacts GitLab CE/EE
Improper Access Control issue in Container Registry protected tags impacts GitLab CE/EE
Missing Authorization issue in group user search impacts GitLab CE/EE
Improper Access Control issue in code owner approval rules impacts GitLab EE
Access Control issue in PyPI Package Protection Rules impacts GitLab CE/EE
Improper Access Control issue in issue links API impacts GitLab CE/EE
Server-Side Request Forgery issue in virtual registry redirect handler impacts GitLab EE
Access Control issue in GraphQL approval rule mutations impacts GitLab EE
Missing Authorization issue in Security Policy Project Reassignment impacts GitLab EE
Wojtulewicz of Corelight reports:
A specially-crafted series of MIME headers sent via SMTP or HTTP could cause Zeek to use large amounts of memory and potentially crash.
Simon Kelley reports:
Today, 11th May 2026, CERT is releasing a set of six CVEs for serious security vulnerabilities in dnsmasq. These are all long-standing bugs which apply to pretty much all non-ancient versions.
Christopher Cullen and Molly Jaconski write, in Vulnerability Note VU#471747:
- CVE-2026-2291: dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, enabling an attacker to inject false DNS cache entries. This could cause DNS queries to be redirected to attacker-controlled IP addresses or result in a Denial of Service (DoS).
- CVE-2026-4890: An infinite-loop flaw in the DNSSEC validation of dnsmasq allows remote attackers to cause Denial of Service (DoS) conditions via a crafted DNS packet.
- CVE-2026-4891: A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to leak memory information via a crafted DNS packet.
- CVE-2026-4892: A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.
- CVE-2026-4893: An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet containing RFC 7871 client-subnet information.
- CVE-2026-5172: A buffer overflow vulnerability in dnsmasq's extract_addresses() function allows attackers to trigger a heap out-of-bounds read and crash dnsmasq by exploiting a malformed DNS response.
NIST reports:
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.
Expat 2.8.1 was released yesterday. The key motivation for cutting a release and doing so now was:
Fixing vulnerability CVE-2026-45186 that allows easy denial of service.
See also https://github.com/libexpat/libexpat/pull/1216
https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=0034bfe185d3d875cebace8cb3ca5c9dabf9e0f3 reports:
Division and remainder currently guard against division by zero, but not against the signed overflow case INTMAX_MIN / -1. On affected systems this can trigger SIGFPE during arithmetic expansion.
https://bugzilla.mozilla.org/show_bug.cgi?id=2035939 reports:
Other issue in the WebRTC component.
https://www.mozilla.org/en-US/security/advisories/mfsa2026-40/ reports:
Memory safety bugs present in Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://www.mozilla.org/en-US/security/advisories/mfsa2026-40/ reports:
Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/show_bug.cgi?id=2029301 reports:
Incorrect boundary conditions in the Audio/Video: Playback component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2034352 reports:
Use-after-free in the DOM: Networking component.
Chrome Releases reports:
This update includes 127 security fixes:
Critical:
- [493747582] CVE-2026-7896: Integer overflow in Blink.
- [504069514] CVE-2026-7897: Use after free in Mobile.
- [504587882] CVE-2026-7898: Use after free in Chromoting.
High:
- [505481948] CVE-2026-7899: Out of bounds read and write in V8.
- [496503799] CVE-2026-7900: Heap buffer overflow in ANGLE.
- [497724490] CVE-2026-7901: Use after free in ANGLE.
- [502030575] CVE-2026-7902: Out of bounds memory access in V8.
- [491760376] CVE-2026-7903: Integer overflow in ANGLE.
- [492350406] CVE-2026-7904: Out of bounds read in Fonts.
- [495259842] CVE-2026-7905: Insufficient validation of untrusted input in Media.
- [496284584] CVE-2026-7906: Use after free in SVG.
- [496292089] CVE-2026-7907: Use after free in DOM.
- [497436531] CVE-2026-7908: Use after free in Fullscreen.
- [497437113] CVE-2026-7909: Inappropriate implementation in ServiceWorker.
- [497543810] CVE-2026-7910: Use after free in Views.
- [497548912] CVE-2026-7911: Use after free in Aura.
- [497639714] CVE-2026-7912: Integer overflow in GPU.
- [497936728] CVE-2026-7913: Insufficient policy enforcement in DevTools.
- [498401609] CVE-2026-7914: Type Confusion in Accessibility.
- [498454478] CVE-2026-7915: Insufficient data validation in DevTools.
- [498720754] CVE-2026-7916: Insufficient data validation in InterestGroups.
- [498752242] CVE-2026-7917: Use after free in Fullscreen.
- [498780188] CVE-2026-7918: Use after free in GPU.
- [498832921] CVE-2026-7919: Use after free in Aura.
- [498989348] CVE-2026-7920: Use after free in Skia.
- [499062376] CVE-2026-7921: Use after free in Passwords.
- [499449324] CVE-2026-7922: Use after free in ServiceWorker.
- [500080194] CVE-2026-7923: Out of bounds write in Skia.
- [500087204] CVE-2026-7924: Uninitialized Use in Dawn.
- [501833981] CVE-2026-7925: Use after free in Chromoting.
- [502249087] CVE-2026-7926: Use after free in PresentationAPI.
- [502830119] CVE-2026-7927: Type Confusion in Runtime.
- [504612429] CVE-2026-7928: Use after free in WebRTC.
- [504660052] CVE-2026-7929: Use after free in MediaRecording.
Medium:
- [434825208] CVE-2026-7930: Insufficient validation of untrusted input in Cookies.
- [474338157] CVE-2026-7931: Insufficient validation of untrusted input in iOS.
- [481634116] CVE-2026-7932: Insufficient policy enforcement in Downloads.
- [488585490] CVE-2026-7933: Out of bounds read in WebCodecs.
- [489023922] CVE-2026-7934: Insufficient validation of untrusted input in Popup Blocker.
- [489624550] CVE-2026-7935: Inappropriate implementation in Speech.
- [490485402] CVE-2026-7936: Object lifecycle issue in V8.
- [491766258] CVE-2026-7937: Insufficient policy enforcement in DevTools.
- [492735384] CVE-2026-7938: Use after free in CSS.
- [492963096] CVE-2026-7939: Inappropriate implementation in SanitizerAPI.
- [493631402] CVE-2026-7940: Use after free in V8.
- [493955234] CVE-2026-7941: Insufficient validation of untrusted input in Mobile.
- [495363705] CVE-2026-7942: Integer overflow in ANGLE.
- [495373657] CVE-2026-7943: Insufficient validation of untrusted input in ANGLE.
- [495783187] CVE-2026-7944: Insufficient validation of untrusted input in Persistent Cache.
- [495802788] CVE-2026-7945: Insufficient validation of untrusted input in COOP.
- [496016840] CVE-2026-7946: Insufficient policy enforcement in WebUI.
- [496169594] CVE-2026-7947: Insufficient validation of untrusted input in Network.
- [496193452] CVE-2026-7948: Race in Chromoting.
- [496206134] CVE-2026-7949: Out of bounds read in Skia.
- [496259890] CVE-2026-7950: Out of bounds read and write in GFX.
- [496266456] CVE-2026-7951: Out of bounds write in WebRTC.
- [496279876] CVE-2026-7952: Insufficient policy enforcement in Extensions.
- [496379792] CVE-2026-7953: Insufficient validation of untrusted input in Omnibox.
- [496380960] CVE-2026-7954: Race in Shared Storage.
- [496441232] CVE-2026-7955: Uninitialized Use in GPU.
- [496463315] CVE-2026-7956: Use after free in Navigation.
- [496607380] CVE-2026-7957: Out of bounds write in Media.
- [496632973] CVE-2026-7958: Inappropriate implementation in ServiceWorker.
- [496645205] CVE-2026-7959: Inappropriate implementation in Navigation.
- [497007825] CVE-2026-7960: Race in Speech.
- [497008295] CVE-2026-7961: Insufficient validation of untrusted input in Permissions.
- [497081987] CVE-2026-7962: Insufficient policy enforcement in DirectSockets.
- [497250399] CVE-2026-7963: Inappropriate implementation in ServiceWorker.
- [497254383] CVE-2026-7964: Insufficient validation of untrusted input in FileSystem.
- [497255035] CVE-2026-7965: Insufficient validation of untrusted input in DevTools.
- [497341787] CVE-2026-7966: Insufficient validation of untrusted input in SiteIsolation.
- [497365545] CVE-2026-7967: Insufficient validation of untrusted input in Navigation.
- [497432281] CVE-2026-7968: Insufficient validation of untrusted input in CORS.
- [497450574] CVE-2026-7969: Integer overflow in Network.
- [497487462] CVE-2026-7970: Use after free in TopChrome.
- [497529290] CVE-2026-7971: Inappropriate implementation in ORB.
- [497546281] CVE-2026-7972: Uninitialized Use in GPU.
- [497565944] CVE-2026-7973: Integer overflow in Dawn.
- [497649372] CVE-2026-7974: Use after free in Blink.
- [497735587] CVE-2026-7975: Use after free in DevTools.
- [497736679] CVE-2026-7976: Use after free in Views.
- [497821223] CVE-2026-7977: Inappropriate implementation in Canvas.
- [497828892] CVE-2026-7978: Inappropriate implementation in Companion.
- [497849876] CVE-2026-7979: Inappropriate implementation in Media.
- [497859275] CVE-2026-7980: Use after free in WebAudio.
- [497926602] CVE-2026-7981: Out of bounds read in Codecs.
- [497952533] CVE-2026-7982: Uninitialized Use in WebCodecs.
- [497975608] CVE-2026-7983: Out of bounds read in Dawn.
- [498277368] CVE-2026-7984: Use after free in ReadingMode.
- [498352423] CVE-2026-7985: Use after free in GPU.
- [498396238] CVE-2026-7986: Insufficient policy enforcement in Autofill.
- [498696266] CVE-2026-7987: Use after free in WebRTC.
- [498753456] CVE-2026-7988: Type Confusion in WebRTC.
- [498765082] CVE-2026-7989: Insufficient data validation in DataTransfer.
- [498892267] CVE-2026-7990: Insufficient validation of untrusted input in Updater.
- [499065126] CVE-2026-7991: Use after free in UI.
- [499067529] CVE-2026-7992: Insufficient validation of untrusted input in UI.
- [499099003] CVE-2026-7993: Insufficient validation of untrusted input in Payments.
- [499116954] CVE-2026-7994: Inappropriate implementation in Chromoting.
- [501745798] CVE-2026-7995: Out of bounds read in AdFilter.
Low:
- [484547631] CVE-2026-7996: Insufficient validation of untrusted input in SSL.
- [487960705] CVE-2026-7997: Insufficient validation of untrusted input in Updater.
- [491676472] CVE-2026-7998: Insufficient validation of untrusted input in Dialog.
- [493099941] CVE-2026-7999: Inappropriate implementation in V8.
- [494464734] CVE-2026-8000: Insufficient validation of untrusted input in ChromeDriver.
- [494764371] CVE-2026-8001: Use after free in Printing.
- [495779613] CVE-2026-8002: Use after free in Audio.
- [495985532] CVE-2026-8003: Insufficient validation of untrusted input in TabGroups.
- [496189510] CVE-2026-8004: Insufficient policy enforcement in DevTools.
- [496298665] CVE-2026-8005: Insufficient validation of untrusted input in Cast.
- [496373088] CVE-2026-8006: Insufficient policy enforcement in DevTools.
- [496399759] CVE-2026-8007: Insufficient validation of untrusted input in Cast.
- [496426191] CVE-2026-8008: Inappropriate implementation in DevTools.
- [496555077] CVE-2026-8009: Inappropriate implementation in Cast.
- [496624084] CVE-2026-8010: Insufficient validation of untrusted input in SiteIsolation.
- [496626029] CVE-2026-8011: Insufficient policy enforcement in Search.
- [496628298] CVE-2026-8012: Inappropriate implementation in MHTML.
- [497427430] CVE-2026-8013: Insufficient validation of untrusted input in FedCM.
- [497490364] CVE-2026-8014: Inappropriate implementation in Preload.
- [497548558] CVE-2026-8015: Inappropriate implementation in Media.
- [497695401] CVE-2026-8016: Use after free in WebRTC.
- [497722578] CVE-2026-8017: Side-channel information leakage in Media.
- [498292657] CVE-2026-8018: Insufficient policy enforcement in DevTools.
- [498353173] CVE-2026-8019: Insufficient policy enforcement in WebApp.
- [498382925] CVE-2026-8020: Uninitialized Use in GPU.
- [498417031] CVE-2026-8021: Script injection in UI.
- [499194407] CVE-2026-8022: Inappropriate implementation in MHTML.
https://jira.mongodb.org/browse/SERVER-119981 reports:
- Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server.
- An authorization flaw in the user management command could allow an authenticated user to make limited changes to authentication-related data associated with another user account. This could affect how authentication is performed for the impacted account.
https://github.com/ocaml/opam/releases/tag/2.5.1 reports:
In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory.
Reported by Andrew Nesbitt <andrewnez@gmail.com>.
The Apache httpd project reports:
mod_proxy_ajp: CVE-2026-34059, CVE-2026-34032, CVE-2026-33857, CVE-2026-28780
multiple modules: CVE-2026-33523
mod_authn_socache: CVE-2026-33007
mod_auth_digest: CVE-2026-33006
mod_dav_lock: mod_dav_lock
mod_md: CVE-2026-29168
mod_rewrite: CVE-2026-24072
mod_http2: CVE-2026-23918
ModSecurity is an open source web application firewall engine.
According to the upstream changelog, multiple vulnerabilities have been fixed.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2028537%2C2029911%2C2031121%2C2033602 reports:
Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
The Prosody team reports:
Traffic patterns were discovered which can cause Prosody to consume excessive amounts of memory with much smaller amounts of incoming traffic. This traffic can be sent by unauthenticated connections. It was discovered that mod_proxy65’s access control was broken and incomplete due to two bugs.
The issue with unpausing connections was discovered and disclosed by Max Hearnden.
H.Merijn Brand - Tux <linux@tux.freedom.nl> reports:
Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The parse, print, getline, and getline_all methods invoke registered callbacks (for example after_parse, before_print, or on_error) and cache the Perl argument stack pointer across the call. If a callback extends the argument stack enough to trigger a reallocation, the return value is written through the stale pointer into the freed buffer, and the caller reads the original $self argument as the return value instead. Calling code that expects parsed data from getline_all receives the Text::CSV_XS object in its place, leading to logic errors or crashes. Text::CSV_XS objects used without any registered callbacks are not affected.
When processing the header of an incoming message, libnv failed to properly validate the message size.
The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges.
When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024).
An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges.
As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun.
A specially crafted packet can cause dhclient to overrun its buffer of environment entries. This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution.
Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic.
Remote attackers can craft packets which cause affected systems to panic. This affects any system where pf is configured to process traffic, independent of the configured ruleset.
An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers.
The bug may be exploitable by an unprivileged user to obtain superuser privileges.
The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it.
A rogue DHCP server may be able to execute arbitrary code as root on a system running dhclient.
Cary Phillips reports:
[OpenEXR v3.4.11 is a p]atch release that addresses the following security vulnerabilities:
- CVE-2026-42217 Shift exponent overflow in readVariableLengthInteger() (ImfIDManifest.cpp)
- CVE-2026-42216 Out-of-bounds read in IDManifest::init() during prefix expansion
- CVE-2026-41142 Integer overflow in ImageChannel::resize leads to heap OOB write via OpenEXRUtil public API
- OSS-fuzz 504280155 Heap-buffer-overflow in DwaCompressor_uncompress
- OSS-fuzz 505062709 Null-dereference READ in Imf_3_3::prefixFromLayerName
https://bugzilla.mozilla.org/show_bug.cgi?id=2029461 reports:
Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2021904%2C2022731%2C2027158%2C2027733%2C2027973%2C2027976%2C2028231%2C2028731%2C2028886%2C2029067%2C2029700%2C2029724%2C2029806%2C2029814%2C2030108%2C2030111%2C2031524%2C2031921%2C2032040 reports:
Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/show_bug.cgi?id=2027433 reports:
Information disclosure due to incorrect boundary conditions in the Audio/Video component.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2029419%2C2029717%2C2029769%2C2029886 reports:
Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2010727%2C2019004%2C2019224%2C2019547%2C2020378%2C2022381%2C2022608%2C2022785%2C2023120%2C2023128%2C2023140%2C2023279%2C2023836%2C2023882%2C2023925%2C2023950%2C2023959%2C2023965%2C2024243%2C2024245%2C2024247%2C2024253%2C2024346%2C2024357%2C2024416%2C2024420%2C2024429%2C2024432%2C2024455%2C2024466%2C2024468%2C2024476%2C2024664%2C2024666%2C2024669%2C2024670%2C2024671%2C2024761%2C2024918%2C2025292%2C2025332%2C2025348%2C2025384%2C2025395%2C2025458%2C2025461%2C2025463%2C2025481%2C2025483%2C2025485%2C2025494%2C2025506%2C2025511%2C2025513%2C2025520%2C2026277%2C2026282%2C2026288%2C2026289%2C2026311%2C2026312%2C2026869%2C2027152%2C2027161%2C2027238%2C2027261%2C2027269%2C2027274%2C2027280%2C2027281%2C2027300%2C2027302%2C2027331%2C2027339%2C2027340%2C2027738%2C2027975%2C2028000%2C2028011%2C2028289%2C2028525%2C2028728%2C2028887%2C2028888%2C2028896%2C2029063%2C2029064%2C2029290%2C2029291%2C2029294%2C2029300%2C2029304%2C2029316%2C2029317%2C2029401%2C2029415%2C2029430%2C2029457%2C2029727%2C2029735%2C2029743%2C2029752%2C2029754%2C2029776%2C2029809%2C2030324%2C2030370 reports:
Memory safety bugs present. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1935995%2C1999158%2C2015952%2C2021909%2C2022026%2C2022041%2C2022088%2C2022276%2C2022335%2C2022338%2C2022373%2C2022597%2C2022874%2C2023276%2C2023544%2C2023551%2C2023599%2C2023608%2C2023814%2C2024233%2C2024239%2C2024241%2C2024242%2C2024250%2C2024251%2C2024343%2C2024422%2C2024425%2C2024440%2C2024442%2C2024446%2C2024458%2C2024463%2C2024478%2C2024650%2C2024653%2C2024654%2C2024655%2C2024656%2C2024661%2C2024662%2C2024668%2C2024919%2C2025278%2C2025349%2C2025350%2C2025354%2C2025360%2C2025363%2C2025370%2C2025379%2C2025381%2C2025399%2C2025400%2C2025403%2C2025407%2C2025415%2C2025420%2C2025427%2C2025429%2C2025430%2C2025479%2C2025489%2C2025493%2C2025497%2C2025502%2C2025515%2C2025517%2C2025526%2C2025609%2C2025948%2C2025949%2C2025951%2C2025953%2C2025955%2C2025962%2C2025969%2C2025970%2C2025971%2C2025973%2C2025976%2C2025977%2C2026280%2C2026285%2C2026293%2C2026296%2C2026310%2C2027237%2C2027260%2C2027268%2C2027277%2C2027284%2C2027291%2C2027293%2C2027298%2C2027330%2C2027342%2C2027345%2C2027359%2C2027365%2C2027378%2C2027754%2C2027959%2C2027962%2C2027964%2C2027971%2C2027974%2C2027979%2C2027982%2C2027995%2C2028001%2C2028267%2C2028268%2C2028275%2C2028288%2C2028290%2C2028291%2C2028528%2C2028551%2C2028627%2C2028879%2C2028889%2C2029061%2C2029071%2C2029283%2C2029296%2C2029314%2C2029323%2C2029411%2C2029423%2C2029424%2C2029425%2C2029427%2C2029436%2C2029440%2C2029449%2C2029450%2C2029458%2C2029462%2C2029468%2C2029472%2C2029690%2C2029707%2C2029708%2C2029728%2C2029802%2C2029896%2C2029906%2C2030106%2C2030118%2C2030123%2C2030135%2C2030230%2C2030320 reports:
Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1536243%2C1745382%2C1851073%2C1893400%2C1963301%2C2001319%2C2002899%2C2012436%2C2014435%2C2016901%2C2019916%2C2020486%2C2020612%2C2020817%2C2021788%2C2022051%2C2022367%2C2022431%2C2023302%2C2023670%2C2024225%2C2024238%2C2024240%2C2024265%2C2024367%2C2024369%2C2024424%2C2024760%2C2025281%2C2025361%2C2025387%2C2025466%2C2025954%2C2025958%2C2026278%2C2026292%2C2026297%2C2026378%2C2027148%2C2027287%2C2027341%2C2027384%2C2027427%2C2027694%2C2027993%2C2028009%2C2028270%2C2028416%2C2028524%2C2029295%2C2029301%2C2029461%2C2029699%2C2029800%2C2029801 reports:
Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/show_bug.cgi?id=2027564 reports:
Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2026571 reports:
Information disclosure in the IP Protection component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2025583 reports:
Denial-of-service in the Audio/Video: Playback component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2023343 reports:
Other issue in the JavaScript Engine component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2022746 reports:
Invalid pointer in the Audio/Video: Playback component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2022726 reports:
Other issue in the Networking: DNS component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2021770 reports:
Incorrect boundary conditions in the WebRTC: Networking component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2021768 reports:
Incorrect boundary conditions in the WebRTC component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2016915 reports:
Mitigation bypass in the DOM: Security component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2015959 reports:
Denial-of-service due to integer overflow in the Graphics: WebGPU component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2026089 reports:
Incorrect boundary conditions in the Libraries component in NSS.
https://bugzilla.mozilla.org/show_bug.cgi?id=2025067 reports:
Mitigation bypass in the DOM: Security component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2024220 reports:
Other issue in the Storage: IndexedDB component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2023753 reports:
Privilege escalation in the Debugger component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2023615 reports:
Mitigation bypass in the Networking: Cookies component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2023209 reports:
Other issue in the Libraries component in NSS.
https://bugzilla.mozilla.org/show_bug.cgi?id=2023207 reports:
Incorrect boundary conditions in the Libraries component in NSS.
https://bugzilla.mozilla.org/show_bug.cgi?id=2022419 reports:
Information disclosure in the Form Autofill component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2022162 reports:
Incorrect boundary conditions in the DOM: Device Interfaces component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2021666 reports:
Mitigation bypass in the File Handling component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2021080 reports:
Spoofing issue in the DOM: Core & HTML component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2017857 reports:
Privilege escalation in the Networking component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2016923 reports:
Mitigation bypass in the Networking: Cookies component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2016164 reports:
Use-after-free in the Widget: Cocoa component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2013619 reports:
Use-after-free in the JavaScript: WebAssembly component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2013588 reports:
Invalid pointer in the JavaScript: WebAssembly component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1880429 reports:
Mitigation bypass in the DOM: postMessage component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2027541 reports:
Use-after-free in the JavaScript Engine component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2027501 reports:
Incorrect boundary conditions in the WebRTC component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2027499 reports:
Incorrect boundary conditions in the WebRTC component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2025883 reports:
Uninitialized memory in the Audio/Video: Web Codecs component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2023407 reports:
Privilege escalation in the Graphics: WebRender component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2022610 reports:
Information disclosure due to uninitialized memory in the Graphics: Canvas2D component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2022604 reports:
Uninitialized memory in the Audio/Video: Web Codecs component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2021769 reports:
Use-after-free in the WebRTC component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2014596 reports:
Use-after-free in the DOM: Core & HTML component.
The X.Org project reports:
libXpm uses a number of internal helper functions to parse the XPM file format. One of these internal functions, xpmNextString(), checks for the NULL terminator when looking for the end of the current string but not when looking for the beginning of the next string. A small XPM file with a malformed color table definition may cause the function xpmNextWord(), called from xpmParseColors() following a call to xpmNextString(), to start past the actual end of the file, causing an out-of-bounds read.
https://github.com/libexpat/libexpat/pull/1183 reports:
libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0 reports:
Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.
Gitlab reports:
Cross-Site Request Forgery issue in GraphQL API impacts GitLab CE/EE
Improper Resolution of Path Equivalence issue in Web IDE asset impacts GitLab CE/EE
Cross-site Scripting issue in Storybook impacts GitLab CE/EE
Denial of Service issue in discussions endpoint impacts GitLab CE/EE
Denial of Service issue in Jira import impacts GitLab CE/EE
Denial of Service issue in notes endpoint impacts GitLab CE/EE
Denial of Service issue in GraphQL API impacts GitLab CE/EE
Insufficient Session Expiration issue in virtual registry credentials validation impacts GitLab CE/EE
Improper Access Control issue in issue description renderer impacts GitLab CE/EE
Improper Restriction of Rendered UI Layers or Frames issue in Mermaid sandbox impacts GitLab CE/EE
Improper Access Control issue in project fork relationship API impacts GitLab CE/EE
Gert Doering reports:
[Security fixes in 2.7.2]
- fix race condition in TLS handshake that could lead to leaking of packet data from a previous handshake under specific circumstances (CVE-2026-40215)
- fix server [termination] on receiving a suitably malformed packet with a valid tls-crypt-v2 key (CVE-2026-35058)
In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page.
The bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access.
The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory.
A malicious process can abuse the dangling pointer to grant itself root privileges.
https://bugzilla.mozilla.org/show_bug.cgi?id=2009552 reports:
Integer overflow in the Libraries component in NSS.
ejabberd team reports:
This release adds new options that limit max memory used by XML parser used to process XMPP payloads, to prevent potential Denial of Service attack. The default values for pre-auth provide sufficient protection for ejabberd against non-authenticated users on c2s and s2s, so there is no need to change your configuration.
Tim Wojtulewicz of Corelight reports:
A series of DNS messages containing long DNS compression chains can cause Zeek to spend a long time processing packets and potentially crash. Due to the fact that these packets can be received from remote hosts, this is a DoS risk.
A specially-crafted LDAP search request can cause Zeek to spend a long time processing the packet, resulting in Zeek silently dropping the LDAP analyzer for the connection. Due to the fact that these packets can be received from remote hosts, this is an evasion risk.
A specially-crafted series of ASN.1 messages in LDAP packets can cause Zeek to spend a long time processing the packets, resulting in Zeek silently dropping the LDAP analyzer for the connection. Due to the fact that these packets can be received from remote hosts, this is an evasion risk.
Cary Phillips reports:
OpenEXR 3.4.10 is a patch release that addresses the following security vulnerabilities:
- CVE-2026-39886 HTJ2K Signed Integer Overflow in ht_undo_impl()
- CVE-2026-40244 Integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)
- CVE-2026-40250 Integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)
xrdp project reports:
This release includes 8 security fixes:
- CVE-2026-32105
- CVE-2026-32107
- CVE-2026-32623
- CVE-2026-32624
- CVE-2026-33145
- CVE-2026-32516
- CVE-2026-32689
- CVE-2026-35512
The Strawberry GraphQL project reports:
Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a 'connection_init' handshake has been completed before processing start (subscription) messages. This allows a remote attacker to skip the 'on_ws_connect' authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending 'connection_init'. The graphql-transport-ws subprotocol handler is not affected, as it correctly gates subscription operations on a connection_acknowledged flag. However, both subprotocols are enabled by default in all framework integrations that support websockets, and the subprotocol is selected by the client via the Sec-WebSocket-Protocol header. Any application relying on 'on_ws_connect' for authentication or authorization is affected.
Strawberry GraphQL's WebSocket subscription handlers for both the 'graphql-transport-ws' and legacy 'graphql-ws' protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new 'asyncio.Task' and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash.
Mozilla reports:
Memory safety bugs present in Firefox ESR, Firefox ESR, Thunderbird ESR, and Thunderbird. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://github.com/ethereum/go-ethereum/security/advisories reports:
- DoS via malicious p2p message (CVE-2026-26313)
- DoS via malicious p2p message (CVE-2026-26314)
- Improper ECIES Public Key Validation in RLPx Handshake (CVE-2026-26315)
Chrome Releases reports:
This update includes 31 security fixes:
- [490170083] Critical CVE-2026-6296: Heap buffer overflow in ANGLE. Reported by cinzinga on 2026-03-05
- [493628982] Critical CVE-2026-6297: Use after free in Proxy. Reported by heapracer on 2026-03-17
- [495700484] Critical CVE-2026-6298: Heap buffer overflow in Skia. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-24
- [497053588] Critical CVE-2026-6299: Use after free in Prerender. Reported by Google on 2026-03-28
- [497724498] Critical CVE-2026-6358: Use after free in XR. Reported by Jihyeon Jeong (Compsec Lab, Seoul National University / Research Intern) on 2026-03-30
- [490251701] High CVE-2026-6359: Use after free in Video. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-06
- [491994185] High CVE-2026-6300: Use after free in CSS. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-12
- [495273999] High CVE-2026-6301: Type Confusion in Turbofan. Reported by qymag1c on 2026-03-23
- [495477995] High CVE-2026-6302: Use after free in Video. Reported by Syn4pse on 2026-03-24
- [496282147] High CVE-2026-6303: Use after free in Codecs. Reported by Google on 2026-03-25
- [496393742] High CVE-2026-6304: Use after free in Graphite. Reported by Google on 2026-03-26
- [496618639] High CVE-2026-6305: Heap buffer overflow in PDFium. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-26
- [496907110] High CVE-2026-6306: Heap buffer overflow in PDFium. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-27
- [497404188] High CVE-2026-6307: Type Confusion in Turbofan. Reported by Project WhatForLunch (@pjwhatforlunch) on 2026-03-29
- [497412658] High CVE-2026-6308: Out of bounds read in Media. Reported by Google on 2026-03-29
- [497846428] High CVE-2026-6309: Use after free in Viz. Reported by Google on 2026-03-30
- [497880137] High CVE-2026-6360: Use after free in FileSystem. Reported by asjidkalam on 2026-03-31
- [497969820] High CVE-2026-6310: Use after free in Dawn. Reported by Google on 2026-03-31
- [498201025] High CVE-2026-6311: Uninitialized Use in Accessibility. Reported by Google on 2026-03-31
- [498269651] High CVE-2026-6312: Insufficient policy enforcement in Passwords. Reported by Google on 2026-03-31
- [498765210] High CVE-2026-6313: Insufficient policy enforcement in CORS. Reported by Google on 2026-04-02
- [498782145] High CVE-2026-6314: Out of bounds write in GPU. Reported by Google on 2026-04-02
- [499247910] High CVE-2026-6315: Use after free in Permissions. Reported by Google on 2026-04-03
- [499384399] High CVE-2026-6316: Use after free in Forms. Reported by Google on 2026-04-03
- [500036290] High CVE-2026-6361: Heap buffer overflow in PDFium. Reported by Google on 2026-04-06
- [500066234] High CVE-2026-6362: Use after free in Codecs. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-04-07
- [500091052] High CVE-2026-6317: Use after free in Cast. Reported by Google on 2026-04-06
- [495751197] Medium CVE-2026-6363: Type Confusion in V8. Reported by Google on 2026-03-24
- [495996858] Medium CVE-2026-6318: Use after free in Codecs. Reported by Syn4pse on 2026-03-25
- [499018889] Medium CVE-2026-6319: Use after free in Payments. Reported by pwn2addr on 2026-04-02
- [502103414] Medium CVE-2026-6364: Out of bounds read in Skia. Reported by Google Threat Intelligence on 2026-04-13
Composer project reports:
Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
X.Org project reports:
Multiple issues have been found in the X server and Xwayland implementations published by X.Org for which we are releasing security fixes in xorg-server-21.1.22 and xwayland-24.1.10.
Seth Larson reports:
[CVE-2026-4786] Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()
There is a HIGH severity vulnerability affecting CPython.
Mitigation of CVE-2026-4519 was incomplete. If the URL contained "%action", the mitigation could be bypassed for certain browser types, and the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.
Seth Larson reports:
There is a CRITICAL severity vulnerability affecting CPython.
Use-after-free (UAF) was possible in the lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile when a memory allocation fails with a MemoryError and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.
The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a MemoryError is raised during decompression. Using the helper functions to one-shot decompress data, such as lzma.decompress(), bz2.decompress(), gzip.decompress(), and zlib.decompress(), is not affected, as a new decompressor instance is created for each call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.
The Vaultwarden project reports:
GHSA-937x-3j8m-7w7p Unconfirmed Owner Can Purge Entire Organization Vault.
GHSA-569v-845w-g82p Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization
GHSA-6j4w-g4jh-xjfx Refresh tokens not invalidated on security stamp rotation
Seth Larson reports:
HTTP proxy via "CONNECT" tunneling doesn't sanitize CR/LF (CVE-2026-1502).
Stan Ulbrych reports:
configparser.RawConfigParser.{OPTCRE,OPTCRE_NV} regexes [are] vulnerable to quadratic backtracking.
https://github.com/ormar-orm/ormar/security/advisories reports:
- SQL Injection in aggregate functions min() and max()
- Pydantic Validation Bypass via __pk_only__ and __excluded__ Kwargs Injection in Model Constructor
PrymEvol and Quang Luong report:
A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potentially causing a denial of service (application crash) or arbitrary code execution.
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html reports:
- CVE-2026-0396: HTML injection in the web dashboard
- CVE-2026-0397: Information disclosure via CORS misconfiguration
- CVE-2026-24028: Out-of-bounds read when parsing DNS packets via Lua
- CVE-2026-24029: DNS over HTTPS ACL bypass
- CVE-2026-24030: Unbounded memory allocation for DoQ and DoH3
- CVE-2026-27853: Out-of-bounds write when rewriting large DNS packets
- CVE-2026-27854: Use after free when parsing EDNS options in Lua
https://mbed-tls.readthedocs.io/en/latest/security-advisories/ reports:
- Client impersonation while resuming a TLS 1.3 session (CVE-2026-34873)
- Entropy on Linux can fall back to /dev/urandom (CVE-2026-34871)
- PSA random generator cloning (CVE-2026-25835)
- Compiler-induced constant-time violations (CVE-2025-66442)
- Null pointer dereference when setting a distinguished name (CVE-2026-34874)
- Buffer overflow in FFDH public key export (CVE-2026-34875)
- FFDH: lack of contributory behaviour due to improper input validation (CVE-2026-34872)
- Signature Algorithm Injection (CVE-2026-25834)
- CCM multipart finish tag-length validation bypass (CVE-2026-34876)
- Risk of insufficient protection of serialized session or context data leading to potential memory safety issues (CVE-2026-34877)
- Buffer underflow in x509_inet_pton_ipv6() (CVE-2026-25833)
Chrome Releases reports:
This update includes multiple security fixes:
Critical:
- CVE-2026-5858: Heap buffer overflow in WebML.
- CVE-2026-5859: Integer overflow in WebML.
High:
- CVE-2026-5860: Use after free in WebRTC.
- CVE-2026-5861: Use after free in V8.
- CVE-2026-5862: Inappropriate implementation in V8.
- CVE-2026-5863: Inappropriate implementation in V8.
- CVE-2026-5864: Heap buffer overflow in WebAudio.
- CVE-2026-5865: Type Confusion in V8.
- CVE-2026-5866: Use after free in Media.
- CVE-2026-5867: Heap buffer overflow in WebML.
- CVE-2026-5868: Heap buffer overflow in ANGLE.
- CVE-2026-5869: Heap buffer overflow in WebML.
- CVE-2026-5870: Integer overflow in Skia.
- CVE-2026-5871: Type Confusion in V8.
- CVE-2026-5872: Use after free in Blink.
- CVE-2026-5873: Out of bounds read and write in V8.
Medium:
- CVE-2026-5874: Use after free in PrivateAI.
- CVE-2026-5875: Policy bypass in Blink.
- CVE-2026-5876: Side-channel information leakage in Navigation.
- CVE-2026-5877: Use after free in Navigation.
- CVE-2026-5878: Incorrect security UI in Blink.
- CVE-2026-5879: Insufficient validation of untrusted input in ANGLE.
- CVE-2026-5880: Incorrect security UI in browser UI.
- CVE-2026-5881: Policy bypass in LocalNetworkAccess.
- CVE-2026-5882: Incorrect security UI in Fullscreen.
- CVE-2026-5883: Use after free in Media.
- CVE-2026-5884: Insufficient validation of untrusted input in Media.
- CVE-2026-5885: Insufficient validation of untrusted input in WebML.
- CVE-2026-5886: Out of bounds read in WebAudio.
- CVE-2026-5887: Insufficient validation of untrusted input in Downloads.
- CVE-2026-5888: Uninitialized Use in WebCodecs.
- CVE-2026-5889: Cryptographic Flaw in PDFium.
- CVE-2026-5890: Race in WebCodecs.
- CVE-2026-5891: Insufficient policy enforcement in browser UI.
- CVE-2026-5892: Insufficient policy enforcement in PWAs.
- CVE-2026-5893: Race in V8.
Low:
- CVE-2026-5894: Inappropriate implementation in PDF.
- CVE-2026-5895: Incorrect security UI in Omnibox.
- CVE-2026-5896: Policy bypass in Audio.
- CVE-2026-5897: Incorrect security UI in Downloads.
- CVE-2026-5898: Incorrect security UI in Omnibox.
- CVE-2026-5899: Incorrect security UI in History Navigation.
- CVE-2026-5900: Policy bypass in Downloads.
- CVE-2026-5901: Policy bypass in DevTools.
- CVE-2026-5902: Race in Media.
- CVE-2026-5903: Policy bypass in IFrameSandbox.
- CVE-2026-5904: Use after free in V8.
- CVE-2026-5905: Incorrect security UI in Permissions.
- CVE-2026-5906: Incorrect security UI in Omnibox.
- CVE-2026-5907: Insufficient data validation in Media.
- CVE-2026-5908: Integer overflow in Media.
- CVE-2026-5909: Integer overflow in Media.
- CVE-2026-5910: Integer overflow in Media.
- CVE-2026-5911: Policy bypass in ServiceWorkers.
- CVE-2026-5912: Integer overflow in WebRTC.
- CVE-2026-5913: Out of bounds read in Blink.
- CVE-2026-5914: Type Confusion in CSS.
- CVE-2026-5915: Insufficient validation of untrusted input in WebML.
- CVE-2026-5918: Inappropriate implementation in Navigation.
- CVE-2026-5919: Insufficient validation of untrusted input in WebSockets.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2025475%2C2025477 reports:
Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022369%2C2023026%2C2023545%2C2023555%2C2023958%2C2025422%2C2025468%2C2025492%2C2025505 reports:
Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/show_bug.cgi?id=2022554 reports:
Incorrect boundary conditions in the Graphics: WebGPU component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2017867 reports:
Incorrect boundary conditions, integer overflow in the Graphics: Text component.
Gitlab reports:
Exposed Method issue in websocket connections impacts GitLab CE/EE
Denial of Service issue in Terraform state lock API impacts GitLab CE/EE
Denial of Service issue in GraphQL API impacts GitLab CE/EE
Denial of Service issue in CSV import impacts GitLab CE/EE
Denial of Service issue in GraphQL SBOM API impacts GitLab EE
Code Injection issue in Code Quality reports impacts GitLab EE
Cross-site Scripting issue in analytics dashboards impacts GitLab EE
Incorrect Authorization issue in vulnerability flags AI detection API impacts GitLab EE
Information Disclosure issue in certain GraphQl query impacts GitLab EE
Improper Access Control issue in Environments API impacts GitLab EE
Information Disclosure issue in CSV export impacts GitLab CE/EE
Missing Authorization issue in custom role permissions impacts GitLab CE/EE
The OpenSSL project reports:
Seven vulnerabilities in OpenSSL library. Highest classification Moderate.
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6 reports:
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
https://jira.mongodb.org/browse/SERVER-101758 reports:
A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set.
Cary Phillips reports:
[OpenEXR 3.4.9] addresses the following CVEs:
- CVE-2026-34589 DWA Lossy Decoder Heap Out-of-Bounds Write
- CVE-2026-34588 Signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
- CVE-2026-34380 Signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression
- CVE-2026-34379 Misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)
- CVE-2026-34378 Signed integer overflow in generic_unpack() when parsing EXR files with crafted negative dataWindow.min.x
https://github.com/python/cpython/pull/143931 reports:
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
Python Software Foundation Security Developer reports:
The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
Python Software Foundation Security Developer reports:
The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
Chrome Releases reports:
This update includes 21 security fixes:
- [493952652] High CVE-2026-5273: Use after free in CSS. Reported by Anonymous on 2026-03-18
- [491732188] High CVE-2026-5272: Heap buffer overflow in GPU. Reported by inspector-ambitious on 2026-03-11
- [488596746] High CVE-2026-5274: Integer overflow in Codecs. Reported by heapracer (@heapracer) on 2026-03-01
- [489494022] High CVE-2026-5275: Heap buffer overflow in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-04
- [489711638] High CVE-2026-5276: Insufficient policy enforcement in WebUSB. Reported by Ariel Simon on 2026-03-04
- [489791424] High CVE-2026-5277: Integer overflow in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-05
- [490254128] High CVE-2026-5278: Use after free in Web MIDI. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-06
- [490642836] High CVE-2026-5279: Object corruption in V8. Reported by Hyeonjun Ahn (@_deayzl) on 2026-03-08
- [491515787] High CVE-2026-5280: Use after free in WebCodecs. Reported by heapracer (@heapracer) on 2026-03-11
- [491518608] High CVE-2026-5281: Use after free in Dawn. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-10
- [491655161] High CVE-2026-5282: Out of bounds read in WebCodecs. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-11
- [492131521] High CVE-2026-5283: Inappropriate implementation in ANGLE. Reported by sweetchip on 2026-03-12
- [492139412] High CVE-2026-5284: Use after free in Dawn. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-12
- [492228019] High CVE-2026-5285: Use after free in WebGL. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-13
- [493900619] High CVE-2026-5286: Use after free in Dawn. Reported by sweetchip on 2026-03-18
- [494644471] High CVE-2026-5287: Use after free in PDF. Reported by Syn4pse on 2026-03-21
- [495507390] High CVE-2026-5288: Use after free in WebView. Reported by Google on 2026-03-23
- [495931147] High CVE-2026-5289: Use after free in Navigation. Reported by Google on 2026-03-25
- [496205576] High CVE-2026-5290: Use after free in Compositing. Reported by Google on 2026-03-25
- [490118036] Medium CVE-2026-5291: Inappropriate implementation in WebGL. Reported by heapracer (@heapracer) on 2026-03-06
- [492213293] Medium CVE-2026-5292: Out of bounds read in WebCodecs. Reported by Google on 2026-03-12
The traefik project releases a new version addressing multiple CVEs:
- CVE-2026-33433 (BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField)
- CVE-2026-33186 (authorization bypass via missing leading slash in :path)
The Roundcube project reports:
Gitlab reports:
Improper Handling of Parameters issue in Jira Connect installations impacts GitLab CE/EE
Cross-Site Request Forgery issue in GLQL API impacts GitLab CE/EE
HTML Injection in vulnerability report impacts GitLab EE
Denial of Service issue in GraphQL API impacts GitLab CE/EE
Improper Access Control issue in WebAuthn 2FA impacts GitLab CE/EE
Improper Access Control issue in GraphQL query impacts GitLab EE
Denial of Service issue in CI configuration processing impacts GitLab CE/EE
Denial of Service issue in webhook configuration impacts GitLab CE/EE
Cross-site Scripting issue in Mermaid diagram renderer impacts GitLab CE/EE
Improper Access Control issue in Merge Requests impacts GitLab CE/EE
Access Control issue in GraphQL API impacts GitLab EE
Incorrect Authorization issue in authorization caching impacts GitLab EE
Jenkins Security Advisory 2026-03-18:
- SECURITY-3657 / CVE-2026-33001: Arbitrary file write vulnerability through specially crafted archives in Jenkins (High)
- SECURITY-3674 / CVE-2026-33002: DNS rebinding vulnerability in WebSocket CLI origin validation in Jenkins (High)
CVE-2026-4729: Memory safety bugs.
CVE-2026-4728: Spoofing issue in the Privacy: Anti-Tracking component.
CVE-2026-4727: Denial-of-service in the Libraries component in NSS.
CVE-2026-4726: Denial-of-service in the XML component.
CVE-2026-4725: Sandbox escape due to use-after-free in the Graphics: Canvas2D component.
CVE-2026-4724: Undefined behavior in the Audio/Video component.
CVE-2026-4723: Use-after-free in the JavaScript Engine component.
CVE-2026-4722: Privilege escalation in the IPC component.
CVE-2026-4721: Memory safety bugs. Potential arbitrary code execution.
CVE-2026-4709: Incorrect boundary conditions in the Audio/Video: GMP component.
CVE-2026-4707: Incorrect boundary conditions in the Graphics: Canvas2D component.
CVE-2026-4706: Incorrect boundary conditions in the Graphics: Canvas2D component.
CVE-2026-4699: Incorrect boundary conditions in the Layout: Text and Fonts component.
CVE-2026-4698: JIT miscompilation in the JavaScript Engine: JIT component.
CVE-2026-4696: Use-after-free in the Layout: Text and Fonts component.
CVE-2026-4694: Incorrect boundary conditions, integer overflow in the Graphics component.
CVE-2026-4693: Incorrect boundary conditions in the Audio/Video: Playback component.
CVE-2026-4692: Sandbox escape in the Responsive Design Mode component.
CVE-2026-4691: Use-after-free in the CSS Parsing and Computation component.
CVE-2026-4690: Sandbox escape due to integer overflow in the XPCOM component.
CVE-2026-4689: Sandbox escape due to integer overflow in the XPCOM component.
CVE-2026-4687: Sandbox escape in the Telemetry component.
CVE-2026-4686: Incorrect boundary conditions in the Graphics: Canvas2D component.
CVE-2026-4685: Incorrect boundary conditions in the Graphics: Canvas2D component.
CVE-2026-4684: Race condition, use-after-free in the Graphics: WebRender component.
CVE-2026-4688: Sandbox escape due to use-after-free in Disability Access APIs.
CVE-2026-4695: Incorrect boundary conditions in the Audio/Video: Web Codecs component.
CVE-2026-4697: Incorrect boundary conditions in the Audio/Video: Web Codecs component.
CVE-2026-4700: Mitigation bypass in the Networking: HTTP component.
CVE-2026-4701: Use-after-free in the JavaScript Engine component.
CVE-2026-4702: JIT miscompilation in the JavaScript Engine component.
CVE-2026-4704: Denial-of-service in the WebRTC: Signaling component.
CVE-2026-4705: Undefined behavior in the WebRTC: Signaling component.
CVE-2026-4708: Incorrect boundary conditions in the Graphics component.
CVE-2026-4710: Incorrect boundary conditions in the Audio/Video component.
CVE-2026-4711: Use-after-free in the Widget: Cocoa component.
CVE-2026-4712: Information disclosure in the Widget: Cocoa component.
CVE-2026-4713: Incorrect boundary conditions in the Graphics component.
CVE-2026-4714: Incorrect boundary conditions in the Audio/Video component.
CVE-2026-4715: Uninitialized memory in the Graphics: Canvas2D component.
CVE-2026-4716: Incorrect boundary conditions and uninitialized memory in the JavaScript Engine.
CVE-2026-4717: Privilege escalation in the Netmonitor component.
CVE-2026-4718: Undefined behavior in the WebRTC: Signaling component.
CVE-2026-4719: Incorrect boundary conditions in the Graphics: Text component.
CVE-2026-4720: Memory safety bugs.
Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first.
As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel.
In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.
On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID.
An attacker with network access to the NVMe/TCP target can trigger an unauthenticated Denial of Service condition on the affected machine.
When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf.
If an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings; i.e., with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf.
Technically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively.
Chrome Releases reports:
This update includes 8 security fixes:
- [485397284] High CVE-2026-4673: Heap buffer overflow in WebAudio. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-18
- [488188166] High CVE-2026-4674: Out of bounds read in CSS. Reported by Syn4pse on 2026-02-27
- [488270257] High CVE-2026-4675: Heap buffer overflow in WebGL. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-02-27
- [488613135] High CVE-2026-4676: Use after free in Dawn. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-01
- [490533968] High CVE-2026-4677: Out of bounds read in WebAudio. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-07
- [491164019] High CVE-2026-4678: Use after free in WebGPU. Reported by Google on 2026-03-10
- [491516670] High CVE-2026-4679: Integer overflow in Fonts. Reported by GF, Un3xploitable Of DeadSec on 2026-03-11
- [491869946] High CVE-2026-4680: Use after free in FedCM. Reported by Shaheen Fazim on 2026-03-12
Chrome Releases reports:
This update includes 26 security fixes:
- [475877320] Critical CVE-2026-4439: Out of bounds memory access in WebGL. Reported by Goodluck on 2026-01-15
- [485935305] Critical CVE-2026-4440: Out of bounds read and write in WebGL. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-20
- [489381399] Critical CVE-2026-4441: Use after free in Base. Reported by Google on 2026-03-03
- [484751092] High CVE-2026-4442: Heap buffer overflow in CSS. Reported by Syn4pse on 2026-02-16
- [485292589] High CVE-2026-4443: Heap buffer overflow in WebAudio. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-18
- [486349161] High CVE-2026-4444: Stack buffer overflow in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-21
- [486421953] High CVE-2026-4445: Use after free in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-22
- [486421954] High CVE-2026-4446: Use after free in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-22
- [486657483] High CVE-2026-4447: Inappropriate implementation in V8. Reported by Erge on 2026-02-23
- [486972661] High CVE-2026-4448: Heap buffer overflow in ANGLE. Reported by M. Fauzan Wijaya (Gh05t666nero) on 2026-02-23
- [487117772] High CVE-2026-4449: Use after free in Blink. Reported by Syn4pse on 2026-02-24
- [487746373] High CVE-2026-4450: Out of bounds write in V8. Reported by qymag1c on 2026-02-26
- [487768779] High CVE-2026-4451: Insufficient validation of untrusted input in Navigation. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-26
- [487977696] High CVE-2026-4452: Integer overflow in ANGLE. Reported by cinzinga on 2026-02-26
- [488400770] High CVE-2026-4453: Integer overflow in Dawn. Reported by sweetchip on 2026-02-27
- [488585488] High CVE-2026-4454: Use after free in Network. Reported by heapracer (@heapracer) on 2026-03-01
- [488585504] High CVE-2026-4455: Heap buffer overflow in PDFium. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-01
- [488617440] High CVE-2026-4456: Use after free in Digital Credentials API. Reported by sean wong on 2026-02-28
- [488803413] High CVE-2026-4457: Type Confusion in V8. Reported by Zhenpeng (Leo) Lin at depthfirst on 2026-03-01
- [489619753] High CVE-2026-4458: Use after free in Extensions. Reported by Shaheen Fazim on 2026-03-04
- [490246422] High CVE-2026-4459: Out of bounds read and write in WebAudio. Reported by Jihyeon Jeong (Compsec Lab, Seoul National University / Research Intern) on 2026-03-06
- [490254124] High CVE-2026-4460: Out of bounds read in Skia. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-06
- [490558172] High CVE-2026-4461: Inappropriate implementation in V8. Reported by Google on 2026-03-07
- [491080830] High CVE-2026-4462: Out of bounds read in Blink. Reported by heapracer (@heapracer) on 2026-03-09
- [491358681] High CVE-2026-4463: Heap buffer overflow in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-10
- [487208468] Medium CVE-2026-4464: Integer overflow in ANGLE. Reported by heesun on 2026-02-24
The traefik project releases a new version addressing multiple CVEs:
- CVE-2026-32595 (BasicAuth Middleware Timing Attack)
- CVE-2026-32305 (Potential mTLS Bypass via Fragmented TLS ClientHello)
- CVE-2026-32695 (Details not yet available)
https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b reports:
An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges.
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account.
The Roundcube project reports:
pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
password could get changed without providing the old password
IMAP Injection + CSRF bypass in mail search
remote image blocking bypass via various SVG animate attributes
remote image blocking bypass via a crafted body background attribute
fixed position mitigation bypass via use of !important
XSS issue in an HTML attachment preview
SSRF + Information Disclosure via stylesheet links to local network hosts
Homebox reports:
Chrome Releases reports:
This update includes 1 security fix:
- [491421267] High CVE-2026-3909: Out of bounds write in Skia. Reported by Google Threat Analysis Group on 2026-03-10
Chrome Releases reports:
This update includes 2 security fixes:
- [491421267] High CVE-2026-3909: Out of bounds write in Skia. Reported by Google on 2026-03-10
- [491410818] High CVE-2026-3910: Inappropriate implementation in V8. Reported by Google on 2026-03-10
Chrome Releases reports:
This update includes 29 security fixes:
- [483445078] Critical CVE-2026-3913: Heap buffer overflow in WebML. Reported by Tobias Wienand on 2026-02-10
- [481776048] High CVE-2026-3914: Integer overflow in WebML. Reported by cinzinga on 2026-02-04
- [483971526] High CVE-2026-3915: Heap buffer overflow in WebML. Reported by Tobias Wienand on 2026-02-12
- [482828615] High CVE-2026-3916: Out of bounds read in Web Speech. Reported by Grischa Hauser on 2026-02-09
- [483569512] High CVE-2026-3917: Use after free in Agents. Reported by Syn4pse on 2026-02-11
- [483853103] High CVE-2026-3918: Use after free in WebMCP. Reported by Syn4pse on 2026-02-12
- [444176961] High CVE-2026-3919: Use after free in Extensions. Reported by Huinian Yang (@vmth6) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2025-09-10
- [482875307] High CVE-2026-3920: Out of bounds memory access in WebML. Reported by Google on 2026-02-09
- [484946544] High CVE-2026-3921: Use after free in TextEncoding. Reported by Pranamya Keshkamat & Cantina.xyz on 2026-02-17
- [485397139] High CVE-2026-3922: Use after free in MediaStream. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-18
- [485935314] High CVE-2026-3923: Use after free in WebMIDI. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-20
- [487338366] High CVE-2026-3924: Use after free in WindowDialog. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-25
- [418214610] Medium CVE-2026-3925: Incorrect security UI in LookalikeChecks. Reported by NDevTK and Alesandro Ortiz on 2025-05-17
- [478659010] Medium CVE-2026-3926: Out of bounds read in V8. Reported by qymag1c on 2026-01-26
- [474948986] Medium CVE-2026-3927: Incorrect security UI in PictureInPicture. Reported by Barath Stalin K on 2026-01-11
- [435980394] Medium CVE-2026-3928: Insufficient policy enforcement in Extensions. Reported by portsniffer443 on 2025-08-03
- [477180001] Medium CVE-2026-3929: Side-channel information leakage in ResourceTiming. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-01-20
- [476898368] Medium CVE-2026-3930: Unsafe navigation in Navigation. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-01-19
- [417599694] Medium CVE-2026-3931: Heap buffer overflow in Skia. Reported by Huinian Yang (@vmth6) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2025-05-14
- [478296121] Medium CVE-2026-3932: Insufficient policy enforcement in PDF. Reported by Ayato Shitomi on 2026-01-23
- [478783560] Medium CVE-2026-3934: Insufficient policy enforcement in ChromeDriver. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-01-26
- [479326680] Medium CVE-2026-3935: Incorrect security UI in WebAppInstalls. Reported by Barath Stalin K on 2026-01-28
- [481920229] Medium CVE-2026-3936: Use after free in WebView. Reported by Am4deu$ on 2026-02-05
- [473118648] Low CVE-2026-3937: Incorrect security UI in Downloads. Reported by Abhishek Kumar on 2026-01-03
- [474763968] Low CVE-2026-3938: Insufficient policy enforcement in Clipboard. Reported by vicevirus on 2026-01-10
- [40058077] Low CVE-2026-3939: Insufficient policy enforcement in PDF. Reported by NDevTK on 2021-11-30
- [470574526] Low CVE-2026-3940: Insufficient policy enforcement in DevTools. Reported by Jorian Woltjer, Mian, bug_blitzer on 2025-12-21
- [474670215] Low CVE-2026-3941: Insufficient policy enforcement in DevTools. Reported by Lyra Rebane (rebane2001) on 2026-01-10
- [475238879] Low CVE-2026-3942: Incorrect security UI in PictureInPicture. Reported by Barath Stalin K on 2026-01-12
The OpenSSL project reports:
TLS 1.3 server may choose unexpected key agreement group (Low)
An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the "DEFAULT" keyword.
https://bugzilla.mozilla.org/show_bug.cgi?id=2014593 reports:
Undefined behavior in the DOM: Core & HTML component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2018400 reports:
Same-origin policy bypass in the CSS Parsing and Computation component.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2017513%2C2017622%2C2019341 reports:
Memory safety bugs present in Firefox 148.0.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
Gitlab reports:
Cross-site Scripting issue in Markdown placeholder processing impacts GitLab CE/EE
Denial of Service issue in GraphQL API impacts GitLab CE/EE
Denial of Service issue in repository archive endpoint impacts GitLab CE/EE
Denial of Service issue in protected branches API impacts GitLab CE/EE
Denial of Service issue in webhook custom headers impacts GitLab CE/EE
Denial of Service issue in webhook endpoint impacts GitLab CE/EE
Improper Neutralization of CRLF Sequences issue impacts GitLab CE/EE
Improper Access Control issue in runners API impacts GitLab CE/EE
Improper Access Control issue in snippet rendering impacts GitLab CE/EE
Information Disclosure issue in inaccessible issues impacts GitLab CE/EE
Missing Authorization issue in Group Import impacts GitLab CE/EE
Incorrect Reference issue in repository download impacts GitLab CE/EE
Incorrect Authorization issue in Virtual Registry impacts GitLab EE
Improper Escaping of Output issue in Datadog integration impacts GitLab CE/EE
The curl project reports:
Multiple vulnerabilities
The curl project reports:
- use after free in SMB connection reuse
- wrong proxy connection reuse with credentials
- token leak with redirect and netrc
- bad reuse of HTTP Negotiate connection
The GStreamer project reports multiple security vulnerabilities fixed in the 1.28.1 release:
Twelve security vulnerabilities were addressed, including:
- Out-of-bounds reads and writes in the H.266 video parser, WAV parser, MP4 and ASF demuxers, and DVB subtitle decoder.
- Integer overflows in the RIFF parser and Huffman table handling in the JPEG parser.
- Stack buffer overflows in the RTP QDM2 depayloader and H.266 parser.
These could lead to application crashes or potentially arbitrary code execution.
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed.
CVE-2026-2809: Memory safety bug in the JavaScript: WebAssembly component.
CVE-2026-2808: Integer overflow in the JavaScript: Standard Library component.
CVE-2026-2807: Memory safety bugs present in Firefox 147 and Thunderbird 147.
CVE-2026-2806: Uninitialized memory in the Graphics: Text component.
CVE-2026-2805: Invalid pointer in the DOM: Core & HTML component.
CVE-2026-2804: Use-after-free in the JavaScript: WebAssembly component.
CVE-2026-2803: Information disclosure, mitigation bypass in the Settings UI component.
CVE-2026-2802: Race condition in the JavaScript: GC component.
CVE-2026-2801: Incorrect boundary conditions in the JavaScript: WebAssembly component.
CVE-2026-2799: Use-after-free in the DOM: Core & HTML component.
CVE-2026-2798: Use-after-free in the DOM: Core & HTML component.
CVE-2026-2797: Use-after-free in the JavaScript: GC component.
CVE-2026-2796: JIT miscompilation in the JavaScript: WebAssembly component.
CVE-2026-2795: Use-after-free in the JavaScript: GC component.
Gitlab reports:
Cross-site Scripting issue in Mermaid sandbox impacts GitLab CE/EE
Denial of Service issue in container registry impacts GitLab CE/EE
Denial of Service issue in Jira events endpoint impacts GitLab CE/EE
Regular Expression Denial of Service issue in GitLab merge requests impacts GitLab CE/EE
Missing rate limit in Bitbucket Server importer impacts GitLab CE/EE
Denial of Service issue in CI trigger API impacts GitLab CE/EE
Denial of Service issue in token decoder impacts GitLab CE/EE
Improper Access Control issue in Conan package registry impacts GitLab EE
Access Control issue in CI job mutation impacts GitLab CE/EE
Mailpit author reports:
The Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction.
The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow.
In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns.
The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic.
Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.
If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has configured one.
In this case, cooperating processes in the two jails may establish a connection using a unix domain socket and exchange directory descriptors with each other.
When performing a filesystem name lookup, at each step of the lookup, the kernel checks whether the lookup would descend below the jail root of the current process. If the jail root directory is not encountered, the lookup continues.
In a configuration where processes in two different jails are able to exchange file descriptors using a unix domain socket, it is possible for a jailed process to receive a descriptor for a directory that is below that process' jail root. This enables full filesystem access for a jailed process, breaking the chroot.
Note that the system administrator is still responsible for ensuring that an unprivileged user on the jail host is not able to pass directory descriptors to a jailed process, even in a patched kernel.
The Vaultwarden project reports:
- GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user (fully encrypted) if they already know its internal UUID.
- GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an organization to modify collections they can access, even if they do not have management permissions for them.
- GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with manager-level access within an organization to modify collections they are not assigned.
Cary Phillips reports:
[openexr] v3.4.5 [...] fixes an incorrect size check in istream_nonparallel_read that could lead to a buffer overflow on invalid input data.
Jenkins Security Advisory:
Description
(High) SECURITY-3669 / CVE-2026-27099
Stored XSS vulnerability in node offline cause description
(Medium) SECURITY-3658 / CVE-2026-27100
Build information disclosure vulnerability through Run Parameter
https://bugzilla.mozilla.org/show_bug.cgi?id=2014390 reports:
Heap buffer overflow in libvpx.
Chrome Releases reports:
This update includes 3 security fixes:
- [477033835] High CVE-2026-2648: Heap buffer overflow in PDFium. Reported by soiax on 2026-01-19
- [481074858] High CVE-2026-2649: Integer overflow in V8. Reported by JunYoung Park(@candymate) of KAIST Hacking Lab on 2026-02-03
- [476461867] Medium CVE-2026-2650: Heap buffer overflow in Media. Reported by Google on 2026-01-18
PowerDNS Team reports:
2025-07: Internal logic flaw in cache management can lead to a denial of service in Recursor
2025-08: Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor
2026-01: Crafted zones can lead to increased resource usage in Recursor
2026-01: This problem can be triggered by publishing and querying a crafted zone that causes large memory usage.
https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3 reports:
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.
The traefik project reports:
There is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service.
https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh reports:
MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.
Chrome Releases reports:
This update includes 1 security fix:
- [483569511] High CVE-2026-2441: Use after free in CSS. Reported by Shaheen Fazim on 2026-02-11
expat team reports:
Update contains 2 security fixes:
- CVE-2026-24515: NULL dereference in function XML_ExternalEntityParserCreate
- CVE-2026-25210: missing check for integer overflow in function doContent
The PostgreSQL project reports:
Improper validation of type oidvector in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely.
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database.
Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database.
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database.
Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation.
https://jira.mongodb.org/browse/SERVER-113685 reports:
An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index.
https://jira.mongodb.org/browse/SERVER-99119 reports:
An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints.
https://jira.mongodb.org/browse/SERVER-114126 reports:
Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.
https://jira.mongodb.org/browse/SERVER-102364 reports:
MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression.
https://jira.mongodb.org/browse/SERVER-113532 reports:
Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the primary. This could stall replication inside the replica set leading to server crash.
Gitlab reports:
Incomplete Validation issue in Web IDE impacts GitLab CE/EE
Denial of Service issue in GraphQL introspection impacts GitLab CE/EE
Denial of Service issue in JSON validation middleware impacts GitLab CE/EE
Cross-site Scripting issue in Code Flow impacts GitLab CE/EE
HTML Injection issue in test case titles impacts GitLab CE/EE
Denial of Service issue in Markdown processor impacts GitLab CE/EE
Denial of Service issue in Markdown Preview impacts GitLab CE/EE
Denial of Service issue in dashboard impacts GitLab EE
Server-Side Request Forgery issue in Virtual Registry impacts GitLab EE
Improper Validation issue in diff parser impacts GitLab CE/EE
Server-Side Request Forgery issue in Git repository import impacts GitLab CE/EE
Authorization Bypass issue in iterations API impacts GitLab EE
Missing Authorization issue in GLQL API impacts GitLab CE/EE
Stored HTML Injection issue in project label impacts GitLab CE/EE
Authorization Bypass issue in Pipeline Schedules API impacts GitLab CE/EE
Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives.
Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes before it is able to exec the helper. At this point, blocklistd still records adverse events but is unable to block new addresses or unblock addresses whose database entries have expired.
Once a second, much higher number of leaked sockets is reached, blocklistd becomes unable to receive new adverse event reports.
An attacker may take advantage of this by triggering a large number of adverse events from sacrificial IP addresses to effectively disable blocklistd before launching an attack.
Even in the absence of attacks or probes by would-be attackers, adverse events will occur regularly in the course of normal operations, and blocklistd will gradually run out of file descriptors and become ineffective.
The accumulation of open sockets may have knock-on effects on other parts of the system, resulting in a general slowdown until blocklistd is restarted.
Chrome Releases reports:
This update includes 2 security fixes:
- [478942410] High CVE-2026-1861: Heap buffer overflow in libvpx. Reported by Google on 2026-01-26
- [479726070] High CVE-2026-1862: Type Confusion in V8. Reported by Chaoyuan Peng (@ret2happy) on 2026-01-29
The Roundcube project reports:
Unspecified CSS injection vulnerability.
Remote image blocking bypass via SVG content.
Qt qtwebengine-chromium repo reports:
Backports for 7 security bugs in Chromium:
- CVE-2025-13638: Prevent media element GC in callbacks in WebMediaPlayerMS
- CVE-2025-13639: Improve validation of SDP direction in remote description
- CVE-2025-13720: Avoid downcasting Hash and Integrity reports
- CVE-2025-14174: Metal: Don't use pixelsDepthPitch to size buffers
- CVE-2025-14765: Polyfill unary negation and abs for amd mesa frontend
- CVE-2026-0908: Use CheckedNumerics in HandleAllocator
- CVE-2026-1504: Block opaque 416 responses to non-range requests
An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials.
Authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/{token}). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage.
The traefik project reports:
There is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entrypoint.
The Python project announces a new release with several security fixes:
- CVE-2026-1299: gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).
- gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs.
- gh-143925: Reject control characters in data: URL media types.
- gh-143919: Reject control characters in http.cookies.Morsel fields and values.
- CVE-2026-0865: gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters.
Denis Skvortsov, Security Researcher at Kaspersky reports:
xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system.
Tim Wojtulewicz of Corelight reports:
Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding or Content-Length headers set in MIME entities within HTTP bodies and change the analyzer behavior.
Chrome Releases reports:
This update includes 1 security fix:
- [474435504] High CVE-2026-1504: Inappropriate implementation in Background Fetch API. Reported by Luan Herrera (@lbherrera_) on 2026-01-09
https://bugzilla.mozilla.org/show_bug.cgi?id=2007302 reports:
Mitigation bypass in the Privacy: Anti-Tracking component.
Use-after-free in the Layout: Scrolling and Overflow component.
By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.
If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.
In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.
The OpenSSL project reports:
- Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)
- Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
- NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)
- "openssl dgst" one-shot codepath silently truncates inputs >16MB (CVE-2025-15469)
- TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)
- Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
- Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
- Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
- Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
- NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
- Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
- ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)
Oracle reports:
Oracle reports multiple vulnerabilities in its MySQL server products.
https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx reports:
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Chrome Releases reports:
This update includes 1 security fix:
- [473851441] High CVE-2026-1220: Race in V8. Reported by @p1nky4745 on 2026-01-07
Gitlab reports:
Denial of Service issue in Jira Connect integration impacts GitLab CE/EE
Incorrect Authorization issue in Releases API impacts GitLab CE/EE
Unchecked Return Value issue in authentication services impacts GitLab CE/EE
Infinite Loop issue in Wiki redirects impacts GitLab CE/EE
Denial of Service issue in API endpoint impacts GitLab CE/EE
Mailpit author reports:
Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection (GHSA-54wq-72mp-cq7c)
Prevent Server-Side Request Forgery (SSRF) via HTML Check API (GHSA-6jxm-fv7w-rw5j)
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
A flaw was found in the crypto/x509 package in the Go standard library. This vulnerability allows a certificate validation bypass via an excluded subdomain constraint in a certificate chain as it does not restrict the usage of wildcard SANs in the leaf certificate.
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
Denial-of-service in the DOM: Service Workers component.
Information disclosure in the XML component.
Sandbox escape in the Messaging System component.
Memory safety bugs present in firefox-esr 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146.
Spoofing issue in the DOM: Copy & Paste and Drag & Drop component.
Clickjacking issue and information disclosure in the PDF Viewer component.
Use-after-free in the JavaScript: GC component.
Use-after-free in the JavaScript Engine component.
Information disclosure in the Networking component.
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component.
Incorrect boundary conditions in the Graphics component.
Use-after-free in the IPC component.
Sandbox escape due to integer overflow in the Graphics component.
Sandbox escape due to incorrect boundary conditions in the Graphics component.
Mitigation bypass in the DOM: Security component.
Chrome Releases reports:
This update includes 10 security fixes:
- [458914193] High CVE-2026-0899: Out of bounds memory access in V8. Reported by @p1nky4745 on 2025-11-08
- [465730465] High CVE-2026-0900: Inappropriate implementation in V8. Reported by Google on 2025-12-03
- [40057499] High CVE-2026-0901: Inappropriate implementation in Blink. Reported by Irvan Kurniawan (sourc7) on 2021-10-04
- [469143679] Medium CVE-2026-0902: Inappropriate implementation in V8. Reported by 303f06e3 on 2025-12-16
- [444803530] Medium CVE-2026-0903: Insufficient validation of untrusted input in Downloads. Reported by Azur on 2025-09-13
- [452209495] Medium CVE-2026-0904: Incorrect security UI in Digital Credentials. Reported by Hafiizh on 2025-10-15
- [465466773] Medium CVE-2026-0905: Insufficient policy enforcement in Network. Reported by Google on 2025-12-02
- [467448811] Low CVE-2026-0906: Incorrect security UI. Reported by Khalil Zhani on 2025-12-10
- [444653104] Low CVE-2026-0907: Incorrect security UI in Split View. Reported by Hafiizh on 2025-09-12
- [452209503] Low CVE-2026-0908: Use after free in ANGLE. Reported by Glitchers BoB 14th. on 2025-10-15
https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986 reports:
virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.
oss-security@ list reports:
Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.
Gitlab reports:
Stored Cross-site Scripting issue in GitLab Flavored Markdown placeholders impacts GitLab CE/EE
Cross-site Scripting issue in Web IDE impacts GitLab CE/EE
Missing Authorization issue in Duo Workflows API impacts GitLab EE
Missing Authorization issue in AI GraphQL mutation impacts GitLab EE
Denial of Service issue in import functionality impacts GitLab CE/EE
Insufficient Access Control Granularity issue in GraphQL runnerUpdate mutation impacts GitLab CE/EE
Information Disclosure issue in Mermaid diagram rendering impacts GitLab CE/EE
Mailpit author reports:
The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability.
An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time.
phpMyFAQ team reports:
Stored cross-site scripting (XSS) and unauthenticated config backup download vulnerability
Chrome Releases reports:
This update includes 1 security fix:
- [463155954] High CVE-2026-0628: Insufficient policy enforcement in WebView tag. Reported by Gal Weizman on 2025-11-23
Libsodium maintainer reports:
The function crypto_core_ed25519_is_valid_point(), a low-level function used to check if a given elliptic curve point is valid, was supposed to reject points that aren't in the main cryptographic group, but some points were slipping through.
Mailpit author reports:
A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources.
The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.
net-snmp development team reports:
A specially crafted packet to a net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash.
The GStreamer Security Center reports:
Multiple out-of-bounds reads in the MIDI parser that can cause crashes for certain input files.