Chrome Releases reports:

This update includes 1 security fix:

• [491421267] High CVE-2026-3909: Out of bounds write in Skia. Reported by Google Threat Analysis Group on 2026-03-10

Chrome Releases reports:

This update includes 2 security fixes:

• [491421267] High CVE-2026-3909: Out of bounds write in Skia. Reported by Google on 2026-03-10
• [491410818] High CVE-2026-3910: Inappropriate implementation in V8. Reported by Google on 2026-03-10

Chrome Releases reports:

This update includes 29 security fixes:

• [483445078] Critical CVE-2026-3913: Heap buffer overflow in WebML. Reported by Tobias Wienand on 2026-02-10
• [481776048] High CVE-2026-3914: Integer overflow in WebML. Reported by cinzinga on 2026-02-04
• [483971526] High CVE-2026-3915: Heap buffer overflow in WebML. Reported by Tobias Wienand on 2026-02-12
• [482828615] High CVE-2026-3916: Out of bounds read in Web Speech. Reported by Grischa Hauser on 2026-02-09
• [483569512] High CVE-2026-3917: Use after free in Agents. Reported by Syn4pse on 2026-02-11
• [483853103] High CVE-2026-3918: Use after free in WebMCP. Reported by Syn4pse on 2026-02-12
• [444176961] High CVE-2026-3919: Use after free in Extensions. Reported by Huinian Yang (@vmth6) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2025-09-10
• [482875307] High CVE-2026-3920: Out of bounds memory access in WebML. Reported by Google on 2026-02-09
• [484946544] High CVE-2026-3921: Use after free in TextEncoding. Reported by Pranamya Keshkamat & Cantina.xyz on 2026-02-17
• [485397139] High CVE-2026-3922: Use after free in MediaStream. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-18
• [485935314] High CVE-2026-3923: Use after free in WebMIDI. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-20
• [487338366] High CVE-2026-3924: Use after free in WindowDialog. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-25
• [418214610] Medium CVE-2026-3925: Incorrect security UI in LookalikeChecks. Reported by NDevTK and Alesandro Ortiz on 2025-05-17
• [478659010] Medium CVE-2026-3926: Out of bounds read in V8. Reported by qymag1c on 2026-01-26
• [474948986] Medium CVE-2026-3927: Incorrect security UI in PictureInPicture. Reported by Barath Stalin K on 2026-01-11
• [435980394] Medium CVE-2026-3928: Insufficient policy enforcement in Extensions. Reported by portsniffer443 on 2025-08-03
• [477180001] Medium CVE-2026-3929: Side-channel information leakage in ResourceTiming. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-01-20
• [476898368] Medium CVE-2026-3930: Unsafe navigation in Navigation. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-01-19
• [417599694] Medium CVE-2026-3931: Heap buffer overflow in Skia. Reported by Huinian Yang (@vmth6) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2025-05-14
• [478296121] Medium CVE-2026-3932: Insufficient policy enforcement in PDF. Reported by Ayato Shitomi on 2026-01-23
• [478783560] Medium CVE-2026-3934: Insufficient policy enforcement in ChromeDriver. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-01-26
• [479326680] Medium CVE-2026-3935: Incorrect security UI in WebAppInstalls. Reported by Barath Stalin K on 2026-01-28
• [481920229] Medium CVE-2026-3936: Use after free in WebView. Reported by Am4deu$ on 2026-02-05
• [473118648] Low CVE-2026-3937: Incorrect security UI in Downloads. Reported by Abhishek Kumar on 2026-01-03
• [474763968] Low CVE-2026-3938: Insufficient policy enforcement in Clipboard. Reported by vicevirus on 2026-01-10
• [40058077] Low CVE-2026-3939: Insufficient policy enforcement in PDF. Reported by NDevTK on 2021-11-30
• [470574526] Low CVE-2026-3940: Insufficient policy enforcement in DevTools. Reported by Jorian Woltjer, Mian, bug_blitzer on 2025-12-21
• [474670215] Low CVE-2026-3941: Insufficient policy enforcement in DevTools. Reported by Lyra Rebane (rebane2001) on 2026-01-10
• [475238879] Low CVE-2026-3942: Incorrect security UI in PictureInPicture. Reported by Barath Stalin K on 2026-01-12

The OpenSSL project reports:

TLS 1.3 server may choose unexpected key agreement group (Low)

An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the "DEFAULT" keyword.

https://bugzilla.mozilla.org/show_bug.cgi?id=2014593 reports:

Undefined behavior in the DOM: Core & HTML component.

https://bugzilla.mozilla.org/show_bug.cgi?id=2018400 reports:

Same-origin policy bypass in the CSS Parsing and Computation component.

https://bugzilla.mozilla.org/buglist.cgi?bug_id=2017513%2C2017622%2C2019341 reports:

Memory safety bugs present in Firefox 148.0.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

Gitlab reports:

Cross-site Scripting issue in Markdown placeholder processing impacts GitLab CE/EE

Denial of Service issue in GraphQL API impacts GitLab CE/EE

Denial of Service issue in repository archive endpoint impacts GitLab CE/EE

Denial of Service issue in protected branches API impacts GitLab CE/EE

Denial of Service issue in webhook custom headers impacts GitLab CE/EE

Denial of Service issue in webhook endpoint impacts GitLab CE/EE

Improper Neutralization of CRLF Sequences issue impacts GitLab CE/EE

Improper Access Control issue in runners API impacts GitLab CE/EE

Improper Access Control issue in snippet rendering impacts GitLab CE/EE

Information Disclosure issue in inaccessible issues impacts GitLab CE/EE

Missing Authorization issue in Group Import impacts GitLab CE/EE

Incorrect Reference issue in repository download impacts GitLab CE/EE

Incorrect Authorization issue in Virtual Registry impacts GitLab EE

Improper Escaping of Output issue in Datadog integration impacts GitLab CE/EE

The curl project reports:

Multiple vulnerabilities

The curl project reports:

• use after free in SMB connection reuse
• wrong proxy connection reuse with credentials
• token leak with redirect and netrc
• bad reuse of HTTP Negotiate connection

The GStreamer project reports multiple security vulnerabilities fixed in the 1.28.1 release:

Twelve security vulnerabilities were addressed, including:

• Out-of-bounds reads and writes in the H.266 video parser, WAV parser, MP4 and ASF demuxers, and DVB subtitle decoder.
• Integer overflows in the RIFF parser and Huffman table handling in the JPEG parser.
• Stack buffer overflows in the RTP QDM2 depayloader and H.266 parser.

These could lead to application crashes or potentially arbitrary code execution.

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed.

CVE-2026-2809: Memory safety bug in the JavaScript: WebAssembly component.

CVE-2026-2808: Integer overflow in the JavaScript: Standard Library component.

CVE-2026-2807: Memory safety bugs present in Firefox 147 and Thunderbird 147

CVE-2026-2806: Uninitialized memory in the Graphics: Text component.

CVE-2026-2805: Invalid pointer in the DOM: Core & HTML component.

CVE-2026-2804: Use-after-free in the JavaScript: WebAssembly component.

CVE-2026-2803: Information disclosure, mitigation bypass in the Settings UI component.

CVE-2026-2802: Race condition in the JavaScript: GC component.

CVE-2026-2801: Incorrect boundary conditions in the JavaScript: WebAssembly component.

CVE-2026-2799: Use-after-free in the DOM: Core & HTML component.

CVE-2026-2798: Use-after-free in the DOM: Core & HTML component.

CVE-2026-2797: Use-after-free in the JavaScript: GC component.

CVE-2026-2796: JIT miscompilation in the JavaScript: WebAssembly component

CVE-2026-2795: Use-after-free in the JavaScript: GC component.

Gitlab reports:

Cross-site Scripting issue in Mermaid sandbox impacts GitLab CE/EE

Denial of Service issue in container registry impacts GitLab CE/EE

Denial of Service issue in Jira events endpoint impacts GitLab CE/EE

Regular Expression Denial of Service issue in GitLab merge requests impacts GitLab CE/EE

Missing rate limit in Bitbucket Server importer impacts GitLab CE/EE

Denial of Service issue in CI trigger API impacts GitLab CE/EE

Denial of Service issue in token decoder impacts GitLab CE/EE

Improper Access Control issue in Conan package registry impacts GitLab EE

Access Control issue in CI job mutation impacts GitLab CE/EE

Mailpit author reports:

The Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction.

Problem Description:

The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow.

In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns.

Impact:

The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic.

Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.

Problem Description:

If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has configured one.

In this case, cooperating processes in the two jails may establish a connection using a unix domain socket and exchange directory descriptors with each other.

When performing a filesystem name lookup, at each step of the lookup, the kernel checks whether the lookup would descend below the jail root of the current process. If the jail root directory is not encountered, the lookup continues.

Impact:

In a configuration where processes in two different jails are able to exchange file descriptors using a unix domain socket, it is possible for a jailed process to receive a directory for a descriptor that is below that process' jail root. This enables full filesystem access for a jailed process, breaking the chroot.

Note that the system administrator is still responsible for ensuring that an unprivileged user on the jail host is not able to pass directory descriptors to a jailed process, even in a patched kernel.

The Vaultwarden project reports:

• GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user (fully encrypted) if they already know its internal UUID.
• GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an organization to modify collections they can access, even if they do not have management permissions for them.
• GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with manager-level access within an organization to modify collections they are not assigned.

Cary Phillips reports:

[openexr] v3.4.5 [...] fixes an incorrect size check in istream_nonparallel_read that could lead to a buffer overflow on invalid input data.

Jenkins Security Advisory:

Description

(High) SECURITY-3669 / CVE-2026-27099

Stored XSS vulnerability in node offline cause description

(Medium) SECURITY-3658 / CVE-2026-27100

Build information disclosure vulnerability through Run Parameter

https://bugzilla.mozilla.org/show_bug.cgi?id=2014390 reports:

Heap buffer overflow in libvpx.

Chrome Releases reports:

This update includes 3 security fixes:

• [477033835] High CVE-2026-2648: Heap buffer overflow in PDFium. Reported by soiax on 2026-01-19
• [481074858] High CVE-2026-2649: Integer overflow in V8. Reported by JunYoung Park(@candymate) of KAIST Hacking Lab on 2026-02-03
• [476461867] Medium CVE-2026-2650: Heap buffer overflow in Media. Reported by Google on 2026-01-18

PowerDNS Team reports:

2025-07: Internal logic flaw in cache management can lead to a denial of service in Recursor

2025-08: Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor

2026-01: Crafted zones can lead to increased resource usage in Recursor

2026-01: This problem can be triggered by publishing and querying a crafted zone that causes large memory usage.

https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3 reports:

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

The traefik project reports:

There is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service

https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh reports:

MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.

Chrome Releases reports:

This update includes 1 security fix:

• [483569511] High CVE-2026-2441: Use after free in CSS. Reported by Shaheen Fazim on 2026-02-11

expat team reports:

Update contains 2 security fixes:

• CVE-2026-24515: NULL dereference in function XML_ExternalEntityParserCreate
• CVE-2026-25210: missing check for integer overflow in function doContent

The PostgreSQL project reports:

Improper validation of type oidvector in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely.

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database.

Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database.

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database.

Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation.

https://jira.mongodb.org/browse/SERVER-113685 reports:

An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index.

https://jira.mongodb.org/browse/SERVER-99119 reports:

An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints.

https://jira.mongodb.org/browse/SERVER-114126 reports:

Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.

https://jira.mongodb.org/browse/SERVER-102364 reports:

MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression.

https://jira.mongodb.org/browse/SERVER-113532 reports:

Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the primary. This could stall replication inside the replica set leading to server crash.

Gitlab reports:

Incomplete Validation issue in Web IDE impacts GitLab CE/EE

Denial of Service issue in GraphQL introspection impacts GitLab CE/EE

Denial of Service issue in JSON validation middleware impacts GitLab CE/EE

Cross-site Scripting issue in Code Flow impacts GitLab CE/EE

HTML Injection issue in test case titles impacts GitLab CE/EE

Denial of Service issue in Markdown processor impacts GitLab CE/EE

Denial of Service issue in Markdown Preview impacts GitLab CE/EE

Denial of Service issue in dashboard impacts GitLab EE

Server-Side Request Forgery issue in Virtual Registry impacts GitLab EE

Improper Validation issue in diff parser impacts GitLab CE/EE

Server-Side Request Forgery issue in Git repository import impacts GitLab CE/EE

Authorization Bypass issue in iterations API impacts GitLab EE

Missing Authorization issue in GLQL API impacts GitLab CE/EE

Stored HTML Injection issue in project label impacts GitLab CE/EE

Authorization Bypass issue in Pipeline Schedules API impacts GitLab CE/EE

Problem Description:

Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives.

Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes before it is able to exec the helper. At this point, blocklistd still records adverse events but is unable to block new addresses or unblock addresses whose database entries have expired.

Once a second, much higher number of leaked sockets is reached, blocklistd becomes unable to receive new adverse event reports.

Impact:

An attacker may take advantage of this by triggering a large number of adverse events from sacrificial IP addresses to effectively disable blocklistd before launching an attack.

Even in the absence of attacks or probes by would-be attackers, adverse events will occur regularly in the course of normal operations, and blocklistd will gradually run out file descriptors and become ineffective.

The accumulation of open sockets may have knock-on effects on other parts of the system, resulting in a general slowdown until blocklistd is restarted.

Chrome Releases reports:

This update includes 2 security fixes:

• [478942410] High CVE-2026-1861: Heap buffer overflow in libvpx. Reported by Google on 2026-01-26
• [479726070] High CVE-2026-1862: Type Confusion in V8. Reported by Chaoyuan Peng (@ret2happy) on 2026-01-29

The Roundcube project reports:

Unspecified CSS injection vulnerability.

Remote image blocking bypass via SVG content.

Qt qtwebengine-chromium repo reports:

Backports for 7 security bugs in Chromium:

• CVE-2025-13638: Prevent media element GC in callbacks in WebMediaPlayerMS
• CVE-2025-13639: Improve validation of SDP direction in remote description
• CVE-2025-13720: Avoid downcasting Hash and Integrity reports
• CVE-2025-14174: Metal: Don't use pixelsDepthPitch to size buffers
• CVE-2025-14765: Polyfill unary negation and abs for amd mesa frontend
• CVE-2026-0908: Use CheckedNumerics in HandleAllocator
• CVE-2026-1504: Block opaque 416 responses to non-range requests

An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials.

Authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/{token}). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage.

The traefik project reports:

There is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled.A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entrypoint.

The Python project announces a new release with several security fixes:

• CVE-2026-1299: gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).
• gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs.
• gh-143925: Reject control characters in data: URL media types.
• gh-143919: Reject control characters in http.cookies.Morsel fields and values.
• CVE-2026-0865: gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters.

Denis Skvortsov, Security Researcher at Kaspersky reports:

xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system.

Tim Wojtulewicz of Corelight reports:

Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding or Content-Length headers set in MIME entities within HTTP bodies and change the analyzer behavior.

Chrome Releases reports:

This update includes 1 security fix:

• [474435504] High CVE-2026-1504: Inappropriate implementation in Background Fetch API. Reported by Luan Herrera (@lbherrera_) on 2026-01-09

https://bugzilla.mozilla.org/show_bug.cgi?id=2007302 reports:

Mitigation bypass in the Privacy: Anti-Tracking component.

Use-after-free in the Layout: Scrolling and Overflow component.

Problem Description:

By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.

If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.

Impact:

In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.

The OpenSSL project reports:

• Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)
• Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
• NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)
• "openssl dgst" one-shot codepath silently truncates inputs >16MB (CVE-2025-15469)
• TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)
• Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
• Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
• Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
• Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
• NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
• Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
• ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)

Oracle reports:

Oracle reports multiple vulnerabilities in its MySQL server products.

https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx reports:

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.

Chrome Releases reports:

This update includes 1 security fix:

• [473851441] High CVE-2026-1220: Race in V8. Reported by @p1nky4745 on 2026-01-07

Gitlab reports:

Denial of Service issue in Jira Connect integration impacts GitLab CE/EE

Incorrect Authorization issue in Releases API impacts GitLab CE/EE

Unchecked Return Value issue in authentication services impacts GitLab CE/EE

Infinite Loop issue in Wiki redirects impacts GitLab CE/EE

Denial of Service issue in API endpoint impacts GitLab CE/EE

Mailpit author reports:

Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection (GHSA-54wq-72mp-cq7c)

Prevent Server-Side Request Forgery (SSRF) via HTML Check API (GHSA-6jxm-fv7w-rw5j)

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

A flaw was found in the crypto/x509 package in the Go standard library. This vulnerability allows a certificate validation bypass via an excluded subdomain constraint in a certificated chain as it does not restrict the usage of wildcard SANs in the leaf certificate.

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

Denial-of-service in the DOM: Service Workers component.

Information disclosure in the XML component.

Sandbox escape in the Messaging System component.

Memory safety bugs present in firefox-esr 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146.

Spoofing issue in the DOM: Copy & Paste and Drag & Drop component.

Clickjacking issue and information disclosure in the PDF Viewer component.

Use-after-free in the JavaScript: GC component.

Use-after-free in the JavaScript Engine component.

Information disclosure in the Networking component.

Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component.

Incorrect boundary conditions in the Graphics component.

Use-after-free in the IPC component.

Sandbox escape due to integer overflow in the Graphics component.

Sandbox escape due to incorrect boundary conditions in the Graphics component.

Mitigation bypass in the DOM: Security component.

Chrome Releases reports:

This update includes 10 security fixes:

• [458914193] High CVE-2026-0899: Out of bounds memory access in V8. Reported by @p1nky4745 on 2025-11-08
• [465730465] High CVE-2026-0900: Inappropriate implementation in V8. Reported by Google on 2025-12-03
• [40057499] High CVE-2026-0901: Inappropriate implementation in Blink. Reported by Irvan Kurniawan (sourc7) on 2021-10-04
• [469143679] Medium CVE-2026-0902: Inappropriate implementation in V8. Reported by 303f06e3 on 2025-12-16
• [444803530] Medium CVE-2026-0903: Insufficient validation of untrusted input in Downloads. Reported by Azur on 2025-09-13
• [452209495] Medium CVE-2026-0904: Incorrect security UI in Digital Credentials. Reported by Hafiizh on 2025-10-15
• [465466773] Medium CVE-2026-0905: Insufficient policy enforcement in Network. Reported by Google on 2025-12-02
• [467448811] Low CVE-2026-0906: Incorrect security UI. Reported by Khalil Zhani on 2025-12-10
• [444653104] Low CVE-2026-0907: Incorrect security UI in Split View. Reported by Hafiizh on 2025-09-12
• [452209503] Low CVE-2026-0908: Use after free in ANGLE. Reported by Glitchers BoB 14th. on 2025-10-15

https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986 reports:

virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

oss-security@ list reports:

Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.

Gitlab reports:

Stored Cross-site Scripting issue in GitLab Flavored Markdown placeholders impacts GitLab CE/EE

Cross-site Scripting issue in Web IDE impacts GitLab CE/EE

Missing Authorization issue in Duo Workflows API impacts GitLab EE

Missing Authorization issue in AI GraphQL mutation impacts GitLab EE

Denial of Service issue in import functionality impacts GitLab CE/EE

Insufficient Access Control Granularity issue in GraphQL runnerUpdate mutation impacts GitLab CE/EE

Information Disclosure issue in Mermaid diagram rendering impacts GitLab CE/EE

Mailpit author reports:

The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability.

An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time.

phpMyFAQ team reports:

Stored cross-site scripting (XSS) and unauthenticated config backup download vulnerability

Chrome Releases reports:

This update includes 1 security fix:

• [463155954] High CVE-2026-0628: Insufficient policy enforcement in WebView tag. Reported by Gal Weizman on 2025-11-23

Libsodium maintainer reports:

The function crypto_core_ed25519_is_valid_point(), a low-level function used to check if a given elliptic curve point is valid, was supposed to reject points that aren't in the main cryptographic group, but some points were slipping through.

Mailpit author reports:

A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources.

The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.

net-snmp development team reports:

A specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash.

The GStreamer Security Center reports:

Multiple out-of-bounds reads in the MIDI parser that can cause crashes for certain input files.

https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.2.md reports:

Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.

The fluidsynth authors report:

A race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pending to unload a DLS file, leading to use of freed memory, if the synthesizer is being concurrently destroyed, or samples of the (unloaded) DLS file are concurrently used to synthesize audio. Realistically, both scenarios will result in a denial of service. In worst cases, it may result in arbitrary code execution in the context of an application using FluidSynth.

https://jira.mongodb.org/browse/SERVER-115508 reports:

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client.

The traefik project reports:

There is a potential vulnerability in Traefik NGINX provider managing the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. The provider inverts the semantics of the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected.

The traefik project reports:

There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path; if the request path contains an encoded restricted character from the following set ('/', '', 'Null', ';', '?', '#'), it is possible to target a backend, exposed using another router, by-passing the middlewares chain.

vulndb reports:

A vulnerability, which was classified as critical, was found in smb4k up to 4.0.4. Affected is some unknown functionality of the component Mount Helper. The manipulation with an unknown input leads to a access control vulnerability. CWE is classifying the issue as CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. This is going to have an impact on integrity, and availability. The advisory is available at seclists.org. The exploitability is told to be easy. Local access is required to approach this attack. The technical details are unknown and an exploit is not available.

https://bugzilla.mozilla.org/show_bug.cgi?id=2000597 reports:

Use-after-free in the Disability Access APIs component.

https://bugzilla.mozilla.org/buglist.cgi?bug_id=1996570%2C1999700 reports:

Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

Chrome Releases reports:

This update includes 2 security fixes:

• [448294721] High CVE-2025-14765: Use after free in WebGPU. Reported by Anonymous on 2025-09-30
• [466786677] High CVE-2025-14766: Out of bounds read and write in V8. Reported by Shaheen Fazim on 2025-12-08

smallstep reports:

An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.

Problem Description:

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement messages; the option body is passed to resolvconf(8) unmodified.

resolvconf(8) is a shell script which does not validate its input. A lack of quoting meant that shell commands pass as input to resolvconf(8) may be executed.

Impact:

Systems running rtsol(8) or rtsold(8) are vulnerable to remote code execution from systems on the same network segment. In particular, router advertisement messages are not routable and should be dropped by routers, so the attack does not cross network boundaries.

Problem Description:

In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference.

Impact:

Maliciously crafted packets sent from a remote host may result in a Denial of Service (DoS) if the `tcp-setmss` directive is used and a subsequent rule would allow the traffic to pass.

The Roundcube project reports:

Cross-Site-Scripting vulnerability via SVG’s animate tag

Information Disclosure vulnerability in the HTML style sanitizer

https://nextjs.org/blog/security-update-2025-12-11 reports:

Description

(Medium) Source Code Exposure: CVE-2025-55183

A specifically crafted HTTP request can cause a Server Function to return the compiled source code of other Server Functions in your application. This could reveal business logic. Secrets could also be exposed if they are defined directly in your code (rather than accessed via environment variables at runtime) and referenced within a Server Function. Depending on your bundler configuration, these values may be inlined into the compiled function output.

(High) Denial of Service: CVE-2025-55184

A specifically crafted HTTP request can be sent to any App Router endpoint that, when deserialized, can cause an infinite loop that hangs the server process and prevents future HTTP requests from being served.

varnish developers report:

Common usage of vmod-digest is for basic HTTP authentication, in which case it may be possible for an attacker to circumvent the authentication check. If the decoded result string is somehow being made visible to the attacker (for example the result of the decoding is added to a response header), then there is the potential for information disclosure from reading out of band workspace data.

Jenkins Security Advisory:

Description

(High) SECURITY-3630 / CVE-2025-67635

Denial of service vulnerability in HTTP-based CLI

(Medium) SECURITY-1809 / CVE-2025-67636

Missing permission check on password fields

(Medium) SECURITY-783 / CVE-2025-67637 (storage), CVE-2025-67638 (masking)

Build authorization token stored and displayed in plain text

(Low) SECURITY-1166 / CVE-2025-67639

CSRF vulnerability on the login form

https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5 reports:

c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6.

Chrome Releases reports:

This update includes 3 security fixes:

• [466192044] High: Under coordination.
• [460599518] Medium CVE-2025-14372: Use after free in Password Manager. Reported by Weipeng Jiang (@Krace) of VRI on 2025-11-14
• [461532432] Medium CVE-2025-14373: Inappropriate implementation in Toolbar. Reported by Khalil Zhani on 2025-11-18

https://jira.mongodb.org/browse/SERVER-106075 reports:

A post-authenticationflaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact.

https://bugzilla.mozilla.org/buglist.cgi?bug_id=1966501%2C1997639 reports:

Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

https://bugzilla.mozilla.org/buglist.cgi?bug_id=1963153%2C1985058%2C1995637%2C1997118 reports:

Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

https://bugzilla.mozilla.org/show_bug.cgi?id=2000218 reports:

Same-origin policy bypass in the Request Handling component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1997503 reports:

JIT miscompilation in the JavaScript Engine: JIT component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1997018 reports:

Privilege escalation in the Netmonitor component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1996761 reports:

Privilege escalation in the Netmonitor component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1970743 reports:

Spoofing issue in the Downloads Panel component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1840666 reports:

Use-after-free in the Audio/Video: GMP component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1998050 reports:

JIT miscompilation in the JavaScript Engine: JIT component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1996555 reports:

Privilege escalation in the DOM: Notifications component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1996473 reports:

Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1992760 reports:

Use-after-free in the WebRTC: Signaling component.

Gitlab reports:

Cross-site scripting issue in Wiki impacts GitLab CE/EE

Improper encoding in vulnerability reports impacts GitLab CE/EE

Cross-site scripting issue in Swagger UI impacts GitLab CE/EE

Denial of service issue in GraphQL endpoints impacts GitLab CE/EE

Authentication bypass issue for WebAuthn users impacts GitLab CE/EE

Denial of service issue in ExifTool processing impacts GitLab CE/EE

Denial of service issue in Commit API impacts GitLab CE/EE

Information disclosure issue in compliance frameworks impacts GitLab EE

Information disclosure through error messages impacts GitLab CE/EE

HTML injection issue in merge request titles impacts GitLab CE/EE

Hugo van Kemenade reports:

Python 3.14.2 and 3.13.11 are now available [... and] come with some bonus security fixes.

• gh-142145: Remove quadratic behavior in node ID cache clearing (CVE-2025-12084)
• gh-119451: Fix a potential denial of service in http.client [only in 3.13; CVE-2025-13836]
• gh-119452: Fix a potential virtual memory allocation denial of service in http.server [affects platforms without fork()]

Chrome Releases reports:

This update includes 13 security fixes:

• [456547591] High CVE-2025-13630: Type Confusion in V8. Reported by Shreyas Penkar (@streypaws) on 2025-10-31
• [448113221] High CVE-2025-13631: Inappropriate implementation in Google Updater. Reported by Jota Domingos on 2025-09-29
• [439058242] High CVE-2025-13632: Inappropriate implementation in DevTools. Reported by Leandro Teles on 2025-08-16
• [458082926] High CVE-2025-13633: Use after free in Digital Credentials. Reported by Chrome on 2025-11-05
• [429140219] Medium CVE-2025-13634: Inappropriate implementation in Downloads. Reported by Eric Lawrence of Microsoft on 2025-07-02
• [457818670] Medium CVE-2025-13720: Bad cast in Loader. Reported by Chrome on 2025-11-04
• [355120682] Medium CVE-2025-13721: Race in v8. Reported by Chrome on 2024-07-23
• [405727341] Low CVE-2025-13635: Inappropriate implementation in Downloads. Reported by Hafiizh on 2025-03-24
• [446181124] Low CVE-2025-13636: Inappropriate implementation in Split View. Reported by Khalil Zhani on 2025-09-20
• [392375329] Low CVE-2025-13637: Inappropriate implementation in Downloads. Reported by Hafiizh on 2025-01-27
• [448046109] Low CVE-2025-13638: Use after free in Media Stream. Reported by sherkito on 2025-09-29
• [448408148] Low CVE-2025-13639: Inappropriate implementation in WebRTC. Reported by Philipp Hancke on 2025-10-01
• [452071826] Low CVE-2025-13640: Inappropriate implementation in Passwords. Reported by Anonymous on 2025-10-14

https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm reports:

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. This issue has been patched in version 2.25.2.

X.Org reports:

Multiple issues have been found in xkbcomp that have been previously been published as CVEs in libxbkcommon. libxkbcommon is (to some degree) a fork of xkbcomp and some of the code base is identical. These CVEs were published earlier as:

• CVE-2018-15853: Endless recursion in xkbcomp/expr.c resulting in a crash
• CVE-2018-15859: NULL pointer dereference when parsing invalid atoms in ExprResolveLhs resulting in a crash
• CVE-2018-15861: NULL pointer dereference in ExprResolveLhs resulting in a crash
• CVE-2018-15863: NULL pointer dereference in ResolveStateAndPredicate resulting in a crash

https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f reports:

Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management.

The libvirt project reports:

See changelog for details.

The Apache httpd project reports:

See changelog or 2.4 vulnerabilities for details.

The Go project reports:

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out.

Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

https://jira.mongodb.org/browse/SERVER-103582 reports:

A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing.

https://jira.mongodb.org/browse/SERVER-108565 reports:

Inconsistent object size validation in time series processing logic may result in later processing of oversized BSON documents leading to an assert failing and process termination.

https://jira.mongodb.org/browse/SERVER-101180 reports:

MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize.

wolfSSL blog reports:

This release includes multiple fixes across TLS 1.2, TLS 1.3, X25519, XChaCha20-Poly1305, and PSK processing. Highlights include:

• A timing-side-channel issue in X25519 specifically affecting Xtensa-based ESP32 devices. Low-memory X25519 implementations are now the default for Xtensa.
• A medium-severity TLS 1.3 server-side DoS risk from repeated KeyShareEntry values in malicious ClientHello messages.
• Several TLS 1.3 downgrade-related issues (PFS downgrades, signature algorithm downgrades, and duplicate extension parsing).
• A memory leak risk in TLS 1.2 certificate digest handling.
• XChaCha20-Poly1305 decryption bounds-check fix and constant-time improvements in PSK binder verification.

https://jira.mongodb.org/browse/SERVER-105783 reports:

Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = clientAuth may still be successfully authenticated via the TLS handshake as a client. This issue is specific to MongoDB servers running on Windows or Apple as the expected validation behavior functions correctly on Linux systems. Additionally, MongoDB servers may successfully establish egress TLS connections with servers that present server certificates not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = serverAuth may still be successfully authenticated via the TLS handshake as a server. This issue is specific to MongoDB servers running on Apple as the expected validation behavior functions correctly on both Linux and Windows systems.

https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g reports:

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files.

• From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
• From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component alpha 257 required by the simplified PNG API.
• From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries.
• Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access.

Gitlab reports:

Race condition issue in CI/CD cache impacts GitLab CE/EE

Denial of Service issue in JSON input validation middleware impacts GitLab CE/EE

Authentication bypass issue in account registration impacts GitLab CE/EE

Denial of Service issue in HTTP response processing impacts GitLab CE/EE

Improper authorization issue in markdown rendering impacts GitLab EE

Information disclosure issue in terraform registry impacts GitLab CE/EE

GnuTLS reports:

When a PKCS#11 token is initialized with gnutls_pkcs11_token_init function and it is passed a token label longer than 32 characters, it may write past the boundary of stack allocated memory.

Chrome Releases reports:

This update includes 2 security fixes:

• [460017370] High CVE-2025-13223: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2025-11-12
• [450328966] High CVE-2025-13224: Type Confusion in V8. Reported by Google Big Sleep on 2025-10-09

Alon Bar-Lev reports:

util: fix deserialize buffer overflow. thanks to Aarnav Bos.

Mikhail Khachaiants reports:

socket: reject mismatched address family in get_addr_generic.

Add a family check to prevent copying address data of the wrong type, which could cause buffer over-read when parsing routes or endpoints.

Arne Schwabe reports:

Fix memcmp check for the hmac verification in the 3way handshake being inverted This is a stupid mistake but causes all hmac cookies to be accepted, thus breaking source IP address validation. As a consequence, TLS sessions can be openend and state can be consumed in the server from IP addresses that did not initiate an initial connection.

While at it, fix check to only allow [t-2;t] timeslots, disallowing HMACs coming in from a future timeslot.

Pieter Marsman reports:

pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The CMapDB._load_data() function in pdfminer.six uses pickle.loads() to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the cmap/ directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in .pickle.gz. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed.

Trifecta Tech Foundation reports:

With Defaults targetpw (or Defaults rootpw) enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs prior to 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user's UID in the authentication timestamp. Any later sudo invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it.

Trifecta Tech Foundation reports:

When typing partial passwords but not pressing return for a long time, a password timeout can occur. When this happens, the keys pressed are replayed onto the console.

https://www.postgresql.org/support/security/CVE-2025-12818/ reports:

• Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq.
• Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail.

SUSE Security Team reports:

A Execution with Unnecessary Privileges vulnerability in lightdm-kde-greeter allows escalation from the service user to root. This issue affects lightdm-kde-greeter before 6.0.4.

https://bugzilla.mozilla.org/buglist.cgi?bug_id=1987237%2C1990079%2C1991715%2C1994994 reports:

Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

https://bugzilla.mozilla.org/show_bug.cgi?id=1994441 reports:

• Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component.
• Incorrect boundary conditions in the Graphics: WebGPU component.
• JIT miscompilation in the JavaScript Engine: JIT component.
• Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component.
• Incorrect boundary conditions in the Graphics: WebGPU component.
• Incorrect boundary conditions in the Graphics: WebGPU component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1995686 reports:

• Use-after-free in the WebRTC: Audio/Video component.
• Same-origin policy bypass in the DOM: Workers component.
• Mitigation bypass in the DOM: Security component.
• Same-origin policy bypass in the DOM: Notifications component.
• Incorrect boundary conditions in the JavaScript: WebAssembly component.
• Spoofing issue in Firefox.
• Use-after-free in the Audio/Video component.
• Mitigation bypass in the DOM: Core and HTML component.
• Race condition in the Graphics component.

Gitlab reports:

Cross-site scripting issue in k8s proxy impacts GitLab CE/EE

Incorrect Authorization issue in workflows impacts GitLab EE

Information Disclosure issue in GraphQL subscriptions impacts GitLab CE/EE

Information Disclosure issue in access control impacts GitLab CE/EE

Prompt Injection issue in GitLab Duo review impacts GitLab EE

Client Side Path Traversal issue in branch names impacts GitLab EE

Information Disclosure issue in packages API endpoint impacts GitLab CE/EE

Improper Access Control issue in GitLab Pages impacts GitLab CE/EE

Denial of service issue in markdown impacts GitLab CE/EE

privatebin reports:

Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on PrivateBin will execute arbitrary JavaScript within their own session (self-XSS). This allows an attacker who can entice a victim to drag or otherwise attach such a file to exfiltrate plaintext, encryption keys, or stored pastes before they are encrypted or sent.

Chrome Releases reports:

This update includes 1 security fix:

• [457351015] High CVE-2025-13042: Inappropriate implementation in V8. Reported by 303f06e3 on 2025-11-03

Chrome Releases reports:

This update includes 5 security fixes:

• [443906252] High CVE-2025-12725: Out of bounds write in WebGPU. Reported by Anonymous on 2025-09-09
• [447172715] High CVE-2025-12726: Inappropriate implementation in Views. Reported by Alesandro Ortiz on 2025-09-25
• [454485895] High CVE-2025-12727: Inappropriate implementation in V8. Reported by 303f06e3 on 2025-10-23
• [452392032] Medium CVE-2025-12728: Inappropriate implementation in Omnibox. Reported by Hafiizh on 2025-10-16
• [454354281] Medium CVE-2025-12729: Inappropriate implementation in Omnibox. Reported by Khalil Zhani on 2025-10-23

Aous Naman reports several vulnerabilities fixed in OpenJPH versions up to 0.24.5 and credits Cary Phillips for reporting them from the OSS-fuzz project.

[0.24.5] Addresses OpenEXR OSS-fuzz issue 5747129672073216 that can cause heap corruption.

[0.24.4...] we now check that the ATK marker segment length (Latk) makes sense. The issue was identified in OpenEXR fuzzing.

[0.24.3] This is an important bug fix. It protects against illegally long QCD and QCC marker segments. It was discovered during OpenEXR fussing; thanx to [Cary Phillips].

Cary Phillips reports:

Patch release that addresses several bugs, primarily involving properly rejecting corrupt input data.

He goes on to report various relevant items including heap buffer overflows, use-after-free, use of uninitialized memory and other bugs, several of them found by OSS-fuzz, and some also found in OpenJPH.

https://jira.mongodb.org/browse/SERVER-101230 reports:

The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects. Later reads of this object can result in read access violations.

https://access.redhat.com/errata/RHSA-2025:19432 reports:

CVE-2025-62229: A flaw was found in the X.Org X server and Xwayland when processing X11 Present extension notifications. Improper error handling during notification creation can leave dangling pointers that lead to a use-after-free condition. This can cause memory corruption or a crash, potentially allowing an attacker to execute arbitrary code or cause a denial of service.

CVE-2025-62230: A flaw was discovered in the X.Org X servers X Keyboard (Xkb) extension when handling client resource cleanup. The software frees certain data structures without properly detaching related resources, leading to a use-after-free condition. This can cause memory corruption or a crash when affected clients disconnect.

CVE-2025-62231: A flaw was identified in the X.Org X servers X Keyboard (Xkb) extension where improper bounds checking in the XkbSetCompatMap() function can cause an unsigned short overflow. If an attacker sends specially crafted input data, the value calculation may overflow, leading to memory corruption or a crash.

Google Big Sleep reports:

A user can run the XACKDEL command with multiple ID's and trigger a stack buffer overflow, which may potentially lead to remote code execution. The problem exists in Redis 8.2 or newer. The code doesn't handle the case where the number of ID's exceeds the STREAMID_STATIC_VECTOR_LEN, and skips a reallocation, which leads to a stack buffer overflow. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing XACKDEL operation. This can be done using ACL to restrict XACKDEL command.

https://bugzilla.mozilla.org/show_bug.cgi?id=1975837 reports:

Denial-of-service due to out-of-memory in the Graphics: WebRender component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1979782 reports:

Same-origin policy bypass in the Graphics: Canvas2D component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1987246 reports:

Sandbox escape due to integer overflow in the Graphics: Canvas2D component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1981502 reports:

Information disclosure in the Networking: Cache component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1665334 reports:

Spoofing issue in the Site Permissions component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1980788 reports:

Integer overflow in the SVG component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1979502 reports:

Incorrect boundary conditions in the JavaScript: GC component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1978453 reports:

Mitigation bypass in the Web Compatibility: Tooling component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1970490 reports:

Same-origin policy bypass in the Layout component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1986185 reports:

Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component.

https://bugzilla.mozilla.org/show_bug.cgi?id=1984825 reports:

Sandbox escape due to use-after-free in the Graphics: Canvas2D component.

Unsupported versions: [...] End of life: 2025-10-31.

PowerDNS Team reports:

It has been brought to our attention that the Recursor does not apply strict enough validation of received delegation information. The malicious delegation information can be sent by an attacker spoofing packets.

Chrome Releases reports:

This update includes 20 security fixes:

• [447613211] High CVE-2025-12428: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2025-09-26
• [450618029] High CVE-2025-12429: Inappropriate implementation in V8. Reported by Aorui Zhang on 2025-10-10
• [442860743] High CVE-2025-12430: Object lifecycle issue in Media. Reported by round.about on 2025-09-04
• [436887350] High CVE-2025-12431: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2025-08-06
• [439522866] High CVE-2025-12432: Race in V8. Reported by Google Big Sleep on 2025-08-18
• [449760249] High CVE-2025-12433: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-07
• [452296415] High CVE-2025-12036: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-15
• [337356054] Medium CVE-2025-12434: Race in Storage. Reported by Lijo A.T on 2024-04-27
• [446463993] Medium CVE-2025-12435: Incorrect security UI in Omnibox. Reported by Hafiizh on 2025-09-21
• [40054742] Medium CVE-2025-12436: Policy bypass in Extensions. Reported by Luan Herrera (@lbherrera_) on 2021-02-08
• [446294487] Medium CVE-2025-12437: Use after free in PageInfo. Reported by Umar Farooq on 2025-09-20
• [433027577] Medium CVE-2025-12438: Use after free in Ozone. Reported by Wei Yuan of MoyunSec VLab on 2025-07-20
• [382234536] Medium CVE-2025-12439: Inappropriate implementation in App-Bound Encryption. Reported by Ari Novick on 2024-12-04
• [430555440] Low CVE-2025-12440: Inappropriate implementation in Autofill. Reported by Khalil Zhani on 2025-07-09
• [444049512] Medium CVE-2025-12441: Out of bounds read in V8. Reported by Google Big Sleep on 2025-09-10
• [452071845] Medium CVE-2025-12443: Out of bounds read in WebXR. Reported by Aisle Research on 2025-10-15
• [390571618] Low CVE-2025-12444: Incorrect security UI in Fullscreen UI. Reported by syrf on 2025-01-18
• [428397712] Low CVE-2025-12445: Policy bypass in Extensions. Reported by Thomas Greiner on 2025-06-29
• [444932667] Low CVE-2025-12446: Incorrect security UI in SplitView. Reported by Hafiizh on 2025-09-14
• [442636157] Low CVE-2025-12447: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2025-09-03

https://bugzilla.mozilla.org/show_bug.cgi?id=1993113 reports:

Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox.

https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc reports:

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP28.0.1, OTP27.3.4.1 and OTP26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.

Internet Systems Consortium, Inc. reports:

To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9.-]"; "hostname-char-replacement" must be empty (the default); and "ddns-qualifying-suffix" must NOT be empty (the default is empty). DDNS updates do not need to be enabled for this issue to manifest. A client that sends certain option content would then cause kea-dhcp4 to exit unexpectedly. This addresses CVE-2025-11232 [#4142, #4155].

https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g reports:

An integer overflow exists in the FTS5 https://sqlite.org/fts5.html extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. A pointer to partially controlled data can then be written out of bounds.

The FreeBSD build enables the FTS5 extension by default.

Michal Čihař reports:

Upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses.

http://sqlite3.com reports:

Integer Overflow vulnerability in SQLite SQLite3 v.3.50.0 allows a remote attacker to cause a denial of service via the setupLookaside function

PrivateBin reports:

We've identified an HTML injection/XSS vulnerability in the PrivateBin service that allows the injection of arbitrary HTML markup via the attached filename.

Xu Biang reports:

The eap-mschapv2 plugin doesn't correctly check the length of an EAP-MSCHAPv2 Failure Request packet on the client, which can cause an integer underflow that leads to a crash and, depending on the compiler options, even a heap-based buffer overflow that's potentially exploitable for remote code execution. Affected are all strongSwan versions since 4.2.12.

Chrome Releases reports:

This update includes 1 security fix:

• [452296415] High CVE-2025-12036: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-15

sep@nlnetlabs.nl reports:

NLnet Labs Unbound up to and including version 1.24.0 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect.

Mateusz Szymaniec and CERT Polska Reports:

RT is vulnerable to XSS via calendar invitations added to a ticket. Thanks to Mateusz Szymaniec and CERT Polska for reporting this finding.

Gareth Watkin-Jones from 4armed reports:

RT is vulnerable to CSV injection via ticket values with special characters that are exported to a TSV from search results. Thanks to Gareth Watkin-Jones from 4armed for reporting this finding.

Problem Description:

Connected sockets are not intended to belong to load-balancing groups. However, the kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will match a socket belonging to a load-balancing group even if it is connected.

Connected sockets are only supposed to receive packets originating from the connected host. The above behavior violates this contract.

Impact:

Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of the connect(2) and implied connect via sendto(2), and may leave the application vulnerable to spoofing attacks.

Gitlab reports:

Improper access control issue in runner API impacts GitLab EE

Denial of service issue in event collection impacts GitLab CE/EE

Denial of service issue in JSON validation impacts GitLab CE/EE

Denial of service issue in upload impacts GitLab CE/EE

Incorrect Authorization issue in pipeline builds impacts GitLab CE

Business logic error issue in group memberships impacts GitLab EE

Missing authorization issue in quick actions impacts GitLab EE

Chrome Releases reports:

This update includes 1 security fix:

• [447192722] High CVE-2025-11756: Use after free in Safe Browsing. Reported by asnine on 2025-09-25

Chrome Releases reports:

This update includes 3 security fixes:

• [443196747] High CVE-2025-11458: Heap buffer overflow in Sync. Reported by raven at KunLun lab on 2025-09-05
• [446722008] High CVE-2025-11460: Use after free in Storage. Reported by Sombra on 2025-09-23
• [441917796] Medium CVE-2025-11211: Out of bounds read in WebCodecs. Reported by Jakob Košir on 2025-08-29

cna@mongodb.com reports:

An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions.

Icinga reports:

An authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it.

security@mozilla.org reports:

A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header.

security@mozilla.org reports:

There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable.

security@mozilla.org reports:

A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process.

security@mozilla.org reports:

A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures.

security@mozilla.org reports:

Use-after-free in MediaTrackGraphImpl::GetInstance()

security@mozilla.org reports:

Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

security@mozilla.org reports:

Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

security@mozilla.org reports:

Memory safety bug. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code.

security@mozilla.org reports:

Sandbox excape due to integer overflow in the Graphics: Canvas2D component

security@mozilla.org reports:

Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

security@mozilla.org reports:

This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.

security@mozilla.org reports:

Spoofing issue in the Site Permission component

security@mozilla.org reports:

Integer overflow in the SVG component

mino reports:

A privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing "own" account operations, specifically when creating new service accounts for the same user.

Tim Wojtulewicz of Corelight reports:

The KRB analyzer can leak information about hosts in analyzed traffic via external DNS lookups.

security@mozilla.org reports:

JIT miscompilation in the JavaScript Engine: JIT component.

Gitlab reports:

Incorrect authorization issue in GraphQL mutations impacts GitLab EE

Denial of Service issue in GraphQL blob type impacts GitLab CE/EE

Missing authorization issue in manual jobs impacts GitLab CE/EE

Denial of Service issue in webhook endpoints impacts GitLab CE/EE

Ralph Slooten (Mailpit developer) reports:

An HTTP endpoint was found which exposed expvar runtime information (memory usage, goroutine counts, GC behavior, uptime and potential runtime flags) due to the Prometheus client library dependency.

security@mozilla.org reports:

The vulnerability has been assessed to have moderate impact on affected systems, potentially allowing attackers to exploit incorrect boundary conditions in the JavaScript Garbage Collection component. In Thunderbird specifically, these flaws cannot be exploited through email as scripting is disabled when reading mail, but remain potential risks in browser or browser-like contexts

security@mozilla.org reports:

The vulnerability has been rated as having moderate impact, affecting both confidentiality and integrity with low severity, while having no impact on availability. For Thunderbird specifically, the vulnerability cannot be exploited through email as scripting is disabled when reading mail, but remains a potential risk in browser or browser-like contexts

security@mozilla.org reports:

Sandbox escape due to use-after-free

cna@mongodb.com reports:

An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. This vulnerability is related to the incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation. This vulnerability could lead to denial of service if triggered repeatedly.

cna@mongodb.com reports:

MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management.

cna@mongodb.com reports:

An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable.

cna@mongodb.com reports:

MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage.

redis reports:

An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.

redis reports:

An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user The problem exists in all versions of Redis with Lua scripting. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.

redis reports:

An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.

redis reports:

An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Qt qtwebengine-chromium repo reports:

Backports for 9 security bugs in Chromium:

• CVE-2025-9866: Determine whether to bypass redirect checks per request
• CVE-2025-10200: Use after free in Serviceworker
• CVE-2025-10201: Inappropriate implementation in Mojo
• CVE-2025-10500: Use after free in Dawn
• CVE-2025-10501: Use after free in WebRTC
• CVE-2025-10502: Heap buffer overflow in ANGLE
• CVE-2025-10890: Side-channel information leakage in V8 (1/2)
• CVE-2025-10891: Integer overflow in V8
• CVE-2025-10892: Integer overflow in V8

Matthias Andree reports:

fetchmail's SMTP client, when configured to authenticate, is susceptible to a protocol violation where, when a trusted but malicious or malfunctioning SMTP server responds to an authentication request with a "334" code but without a following blank on the line, it will attempt to start reading from memory address 0x1 to parse the server's SASL challenge. This address is constant and not under the attacker's control. This event will usually cause a crash of fetchmail.

Chrome Releases reports:

This update includes 21 security fixes:

• [442444724] High CVE-2025-11205: Heap buffer overflow in WebGPU. Reported by Atte Kettunen of OUSPG on 2025-09-02
• [444755026] High CVE-2025-11206: Heap buffer overflow in Video. Reported by Elias Hohl on 2025-09-12
• [428189824] Medium CVE-2025-11207: Side-channel information leakage in Storage. Reported by Alesandro Ortiz on 2025-06-27
• [397878997] Medium CVE-2025-11208: Inappropriate implementation in Media. Reported by Kevin Joensen on 2025-02-20
• [438226517] Medium CVE-2025-11209: Inappropriate implementation in Omnibox. Reported by Hafiizh on 2025-08-13
• [440523110] Medium CVE-2025-11210: Side-channel information leakage in Tab. Reported by Umar Farooq on 2025-08-22
• [441917796] Medium CVE-2025-11211: Out of bounds read in Media. Reported by Kosir Jakob on 2025-08-29
• [420734141] Medium CVE-2025-11212: Inappropriate implementation in Media. Reported by Ameen Basha M K on 2025-05-28
• [443408317] Medium CVE-2025-11213: Inappropriate implementation in Omnibox. Reported by Hafiizh on 2025-09-06
• [439758498] Medium CVE-2025-11215: Off by one error in V8. Reported by Google Big Sleep on 2025-08-19
• [419721056] Low CVE-2025-11216: Inappropriate implementation in Storage. Reported by Farras Givari on 2025-05-23
• [439772737] Low CVE-2025-11219: Use after free in V8. Reported by Google Big Sleep on 2025-08-19

Django reports:

CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB.

CVE-2025-59682: Potential partial directory-traversal via archive.extract().

Oracle reports:

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 9.1.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 6.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:H).

The OpenSSL project reports reports:

Out-of-bounds read & write in RFC 3211 KEK Unwrap

Timing side-channel in SM2 algorithm on 64-bit ARM

Fix Out-of-bounds read in HTTP client no_proxy handling

The LibreSSL project reports:

An incorrect length check can result in a 4-byte overwrite and an 8-byte overread.

cve@mitre.org reports:

GoldenDict 1.5.0 and 1.5.1 has an exposed dangerous method that allows reading and modifying files when a user adds a crafted dictionary and then searches for any term included in that dictionary.

secalert@redhat.com reports:

A flaw was found in the Udisks daemon, where it allows unprivileged users to create loop devices using the D-BUS system. This is achieved via the loop device handler, which handles requests sent through the D-BUS interface. As two of the parameters of this handle, it receives the file descriptor list and index specifying the file where the loop device should be backed. The function itself validates the index value to ensure it isn't bigger than the maximum value allowed. However, it fails to validate the lower bound, allowing the index parameter to be a negative value. Under these circumstances, an attacker can cause the UDisks daemon to crash or perform a local privilege escalation by gaining access to files owned by privileged users.

Quiche Releases reports:

This update includes 1 security fix:

• High CVE-2025-7054: Infinite loop triggered by connection ID retirement. Reported by Catena cyber on 2025-08-07.

Quiche Releases reports:

This update includes 2 security fixes:

• Medium CVE-2025-4820: Incorrect congestion window growth by optimistic ACK. Reported by Louis Navarre on 2025-06-18.
• High CVE-2025-4821: Incorrect congestion window growth by invalid ACK ranges. Reported by Louis Navarre on 2025-06-18.

Gitlab reports:

Denial of Service issue when uploading specifically crafted JSON files impacts GitLab CE/EE

Denial of Service issue bypassing query complexity limits impacts GitLab CE/EE

Information disclosure issue in virtual registery configuration for low privileged users impacts GitLab CE/EE

Privilege Escalation issue from within the Developer role impacts GitLab EE

Denial of Service issue in GraphQL API via Unbounded Array Parameters impacts GitLab CE/EE

Improper Authorization issue for Project Maintainers when assigning roles impacts GitLab EE

Denial of Service issue in GraphQL API blobSearch impacts GitLab CE/EE

Incorrect ownership assignment via Move Issue drop-down impacts GitLab CE/EE

Denial of Service issue via string conversion methods impacts GitLab CE/EE

Gert Doering reports:

Notable changes beta1 -> beta2 are: [...] add proper input sanitation to DNS strings to prevent an attack coming from a trusted-but-malicous OpenVPN server (CVE: 2025-10680, affects unixoid systems with --dns-updown scripts and windows using the built-in powershell call)

Lev Stipakov writes:

On Linux (and similar platforms), those options are written to a tmp file, which is later sourced by a script running as root. Since options are controlled by the server, it is possible for a malicious server to execute script injection attack [...].

The original report is credited to Stanislav Fort <disclosure@aisle.com>.

security@open-xchange.com reports:

In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources. The offending code was introduced in DNSdist 1.9.0-alpha1 so previous versions are not affected.

Chrome Releases reports:

This update includes 4 security fixes:

• [430336833] High CVE-2025-10890: Side-channel information leakage in V8. Reported by Mate Marjanović (SharpEdged) on 2025-07-09
• [443765373] High CVE-2025-10891: Integer overflow in V8. Reported by Google Big Sleep on 2025-09-09
• [444048019] High CVE-2025-10892: Integer overflow in V8. Reported by Google Big Sleep on 2025-09-10

Chrome Releases reports:

This update includes 4 security fixes:

• [445380761] High CVE-2025-10585: Type Confusion in V8. Reported by Google Threat Analysis Group on 2025-09-16
• [435875050] High CVE-2025-10500: Use after free in Dawn. Reported by Giunash (Gyujeong Jin) on 2025-08-03
• [440737137] High CVE-2025-10501: Use after free in WebRTC. Reported by sherkito on 2025-08-23
• [438038775] High CVE-2025-10502: Heap buffer overflow in ANGLE. Reported by Google Big Sleep on 2025-08-12

security-advisories@github.com reports:

The PCRE2 library is a set of C functions that implement regular expression pattern matching. In version 10.45, a heap-buffer-overflow read vulnerability exists in the PCRE2 regular expression matching engine, specifically within the handling of the (*scs:...) (Scan SubString) verb when combined with (*ACCEPT) in src/pcre2_match.c. This vulnerability may potentially lead to information disclosure if the out-of-bounds data read during the memcmp affects the final match result in a way observable by the attacker.

expat security advisory:

libexpat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.

Jenkins Security Advisory:

Description

(High) SECURITY-3618 / CVE-2025-5115

HTTP/2 denial of service vulnerability in bundled Jetty

(Medium) SECURITY-3594 / CVE-2025-59474

Missing permission check allows obtaining agent names

(Medium) SECURITY-3625 / CVE-2025-59475

Missing permission check in authenticated users' profile menu

(Medium) SECURITY-3424 / CVE-2025-59476

Log message injection vulnerability

F5 reports:

When NGINX Unit with the Java Language Module is in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization.

OpenPrinting reports:

When the AuthType is set to anything but Basic, if the request contains an Authorization: Basic ... header, the password is not checked.

An unsafe deserialization and validation of printer attributes, causes null dereference in libcups library.

Chrome Releases reports:

This update includes 2 security fixes:

• [440454442] Critical CVE-2025-10200: Use after free in Serviceworker. Reported by Looben Yang on 2025-08-22
• [439305148] High CVE-2025-10201: Inappropriate implementation in Mojo. Reported by Sahan Fernando & Anon on 2025-08-18

Gitlab reports:

Denial of Service issue in SAML Responses impacts GitLab CE/EE

Server-Side Request Forgery issue in Webhook custom header impacts GitLab CE/EE

Denial of Service issue in User-Controllable Fields impacts GitLab CE/EE

Denial of Service issue in endpoint file upload impacts GitLab CE/EE

Denial of Service issue in token listing operations impacts GitLab CE/EE

Information disclosure issue in runner endpoints impacts GitLab CE/EE

Chrome Releases reports:

This update includes 6 security fixes:

• [434513380] High CVE-2025-9864: Use after free in V8. Reported by Pavel Kuzmin of Yandex Security Team on 2025-07-28
• [437147699] Medium CVE-2025-9865: Inappropriate implementation in Toolbar. Reported by Khalil Zhani on 2025-08-07
• [379337758] Medium CVE-2025-9866: Inappropriate implementation in Extensions. Reported by NDevTK on 2024-11-16
• [415496161] Medium CVE-2025-9867: Inappropriate implementation in Downloads. Reported by Farras Givari on 2025-05-04

Kevin Backhouse reports:

A denial-of-service was found in Exiv2 version v0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file.

Kevin Backhouse reports:

An out-of-bounds read was found in Exiv2 versions v0.28.5 and earlier. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as delete.

Django reports:

CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases.

Internet2 reports:

The Shibboleth Service Provider includes a storage API usable for a number of different use cases such as the session cache, replay cache, and relay state management. An ODBC extension plugin is provided with some distributions of the software (notably on Windows).

A SQL injection vulnerability was identified in some of the queries issued by the plugin, and this can be creatively exploited through specially crafted inputs to exfiltrate information stored in the database used by the SP.

Zhengyu Liu, Jianjia Yu, Jelmer van Arnhem report:

We discovered a remote code execution (RCE) vulnerability in the latest release of the Vieb browser (v12.3.0). By luring a user to visit a malicious website, an attacker can achieve arbitrary code execution on the victim’s machine.

Gitlab reports:

Allocation of Resources Without Limits issue in import function impacts GitLab CE/EE

Missing authentication issue in GraphQL endpoint impacts GitLab CE/EE

Allocation of Resources Without Limits issue in GraphQL impacts GitLab CE/EE

Code injection issue in GitLab repositories impacts GitLab CE/EE

Internet Systems Consortium, Inc. reports:

We corrected an issue in `kea-dhcp4` that caused the server to abort if a client sent a broadcast request with particular options, and Kea failed to find an appropriate subnet for that client. This addresses CVE-2025-40779 [#4055, #4048].

Andy Shaw reports:

When passing values outside of the expected range to QColorTransferGenericFunction it can cause a denial of service, for example, this can happen when passing a specifically crafted ICC profile to QColorSpace::fromICCProfile.

Qt qtwebengine-chromium repo reports:

Backports for 25 security bugs in Chromium:

• CVE-2025-5063: Use after free in Compositing
• CVE-2025-5064: Inappropriate implementation in Background Fetch
• CVE-2025-5065: Inappropriate implementation in FileSystemAccess API
• CVE-2025-5068: Use after free in Blink
• CVE-2025-5280: Out of bounds write in V8
• CVE-2025-5281: Inappropriate implementation in BFCache
• CVE-2025-5283: Use after free in libvpx
• CVE-2025-5419: Out of bounds read and write in V8
• CVE-2025-6191: Integer overflow in V8
• CVE-2025-6192: Use after free in Profiler
• CVE-2025-6554: Type Confusion in V8
• CVE-2025-6556: Insufficient policy enforcement in Loader
• CVE-2025-6557: Insufficient data validation in DevTools
• CVE-2025-6558: Incorrect validation of untrusted input in ANGLE and GPU
• CVE-2025-7656: Integer overflow in V8
• CVE-2025-7657: Use after free in WebRTC
• CVE-2025-8010: Type Confusion in V8
• CVE-2025-8576: Use after free in Extensions
• CVE-2025-8578: Use after free in Cast
• CVE-2025-8580: Inappropriate implementation in Filesystems
• CVE-2025-8582: Insufficient validation of untrusted input in DOM
• CVE-2025-8879: Heap buffer overflow in libaom
• CVE-2025-8880: Race in V8
• CVE-2025-8881: Inappropriate implementation in File Picker
• CVE-2025-8901: Out of bounds write in ANGLE

cve@mitre.org reports:

In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect.

perl-catalyst project reports:

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs.* Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616.

security@mozilla.org reports:

Memory safety bugs present in Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

security@mozilla.org reports:

Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

security@mozilla.org reports:

Spoofing issue in the Address Bar component.

security@mozilla.org reports:

'Denial-of-service due to out-of-memory in the Graphics: WebRender component.'

security@mozilla.org reports:

Uninitialized memory in the JavaScript Engine component.

security@mozilla.org reports:

'Same-origin policy bypass in the Graphics: Canvas2D component.'

security@mozilla.org reports:

An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process.

F5 reports:

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header.

Chrome Releases reports:

This update includes 6 security fixes:

• [432035817] High CVE-2025-8879: Heap buffer overflow in libaom. Reported by Anonymous on 2025-07-15
• [433533359] High CVE-2025-8880: Race in V8. Reported by Seunghyun Lee (@0x10n) on 2025-07-23
• [435139154] High CVE-2025-8901: Out of bounds write in ANGLE. Reported by Google Big Sleep on 2025-07-30
• [433800617] Medium CVE-2025-8881: Inappropriate implementation in File Picker. Reported by Alesandro Ortiz on 2025-07-23
• [435623339] Medium CVE-2025-8882: Use after free in Aura. Reported by Umar Farooq on 2025-08-01

PostgreSQL project reports:

Tighten security checks in planner estimation functions.

Prevent pg_dump scripts from being used to attack the user running the restore.

Convert newlines to spaces in names included in comments in pg_dump output.

Gitlab reports:

Cross-site scripting issue in blob viewer impacts GitLab CE/EE

Cross-site scripting issue in labels impacts GitLab CE/EE

Cross-site scripting issue in Workitem impacts GitLab CE/EE

Improper Handling of Permissions issue in project API impacts GitLab CE/EE

Incorrect Privilege Assignment issue in delete issues operation impacts GitLab CE/EE

Allocation of Resources Without Limits issue in release name creation impacts GitLab CE/EE

Incorrect Authorization issue in jobs API impacts GitLab CE/EE

Authorization issue in Merge request approval policy impacts GitLab EE

Inefficient Regular Expression Complexity issue in wiki impacts GitLab CE/EE

Allocation of Resources Without Limits issue in Mattermost integration impacts GitLab CE/EE

Incorrect Permission Assignment issue in ID token impacts GitLab CE/EE

Insufficient Access Control issue in IP Restriction impacts GitLab EE

Varnish Development Team reports:

A denial of service attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker can create a large number of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for the session, causing the Varnish server to consume unnecessary resources processing requests for which the response will not be delivered.

This attack is a variant of the HTTP/2 Rapid Reset Attack, which was partially handled as VSV00013.

p5-Authen-SASL project reports:

Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely.

The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

According to RFC 2831, The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy.

Chrome Releases reports:

This update includes 12 security fixes:

• [414760982] Medium CVE-2025-8576: Use after free in Extensions. Reported by asnine on 2025-04-30
• [384050903] Medium CVE-2025-8577: Inappropriate implementation in Picture In Picture. Reported by Umar Farooq on 2024-12-14
• [423387026] Medium CVE-2025-8578: Use after free in Cast. Reported by Fayez on 2025-06-09
• [407791462] Low CVE-2025-8579: Inappropriate implementation in Gemini Live in Chrome. Reported by Alesandro Ortiz on 2025-04-02
• [411544197] Low CVE-2025-8580: Inappropriate implementation in Filesystems. Reported by Huuuuu on 2025-04-18
• [416942878] Low CVE-2025-8581: Inappropriate implementation in Extensions. Reported by Vincent Dragnea on 2025-05-11
• [40089450] Low CVE-2025-8582: Insufficient validation of untrusted input in DOM. Reported by Anonymous on 2017-10-31
• [373794472] Low CVE-2025-8583: Inappropriate implementation in Permissions. Reported by Shaheen Fazim on 2024-10-16

The Apache httpd project reports:

'RewriteCond expr' always evaluates to true in 2.4.64.

Problem Description:

An integer overflow in the archive_read_format_rar_seek_data() function may lead to a double free problem.

Impact:

Exploiting a double free vulnerability can cause memory corruption. This in turn could enable a threat actor to execute arbitrary code. It might also result in denial of service.

cve-coordination@google.com reports:

An integer overflow can be triggered in SQLites `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.

Deluan Quintão reports:

A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings.

cve-coordination@google.com reports:

An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process memory via a crafted SELECT statement with a large number of expressions in the ORDER BY clause.

Lib-Crypt-CBC project reports:

Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. This issue affects operating systems where "/dev/urandom'" is unavailable. In that case, Crypt::CBC will fallback to use the insecure rand() function.

cmpilato reports:

The ViewVC standalone web server (standalone.py) is a script provided in the ViewVC distribution for the purposes of quickly testing a ViewVC configuration. This script can in particular configurations expose the contents of the host server's filesystem though a directory traversal-style attack.

Manu reports:

The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.

An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.

This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.

security@mozilla.org reports:

Memory safety bugs present in Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

Focus incorrectly truncated URLs towards the beginning instead of around the origin.

security@mozilla.org reports:

Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

security@mozilla.org reports:

In some cases search terms persisted in the URL bar even after navigating away from the search page.

security@mozilla.org reports:

Thunderbird ignored paths when checking the validity of navigations in a frame.

security@mozilla.org reports:

Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute.

security@mozilla.org reports:

Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding.

security@mozilla.org reports:

Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

security@mozilla.org reports:

Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

security@mozilla.org reports:

The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref.

security@mozilla.org reports:

XSLT document loading did not correctly propagate the source document which bypassed its CSP.

security@mozilla.org reports:

The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials.

security@mozilla.org reports:

Insufficient escaping in the Copy as cURL feature could potentially be used to trick a user into executing unexpected code.

security@mozilla.org reports:

Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags.

security@mozilla.org reports:

On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address.

security@mozilla.org reports:

On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits.

cve@mitre.org reports:

A flaw exists in gdk-pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution.

PowerDNS Team reports:

An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version include various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and enforcing stricter validation of the received answers. The most strict mitigation done when the new setting outgoing.edns_subnet_harden (old style name edns-subnet-harden) is enabled.

Gitlab reports:

Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE

Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE using CDNs

Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE

Improper Access Control issue impacts GitLab EE

Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE

Improper Access Control issue impacts GitLab CE/EE

cve-coordination@google.com reports:

There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue.

security-advisories@github.com reports:

7-Zip is a file archiver with a high compression ratio. Zeroes written outside heap buffer in RAR5 handler may lead to memory corruption and denial of service in versions of 7-Zip prior to 25.0.0. Version 25.0.0 contains a fix for the issue.

WasmTime development team reports:

A bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder).

sep@nlnetlabs.nl reports:

A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.

The OpenQuantumSafe project reports:

Secret-dependent branching in HQC reference implementation when compiled with Clang 17-20 for optimizations above -O0

Daiki Ueno reports:

• libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps Spotted by oss-fuzz and reported by OpenAI Security Research Team, and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1, CVSS: medium] [CVE-2025-32989]
• libgnutls: Fix double-free upon error when exporting otherName in SAN Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2, CVSS: low] [CVE-2025-32988]
• certtool: Fix 1-byte write buffer overrun when parsing template Reported by David Aitel. [GNUTLS-SA-2025-07-07-3, CVSS: low] [CVE-2025-32990]
• libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium] [CVE-2025-6395]

Alan Coopersmith reports:

On 6/16/25 15:12, Alan Coopersmith wrote:

BTW, users of libxml2 may also be using its sibling project, libxslt, which currently has no active maintainer, but has three unfixed security issues reported against it according to https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt

2 of the 3 have now been disclosed:

(CVE-2025-7424) libxslt: Type confusion in xmlNode.psvi between stylesheet and source nodes
https://gitlab.gnome.org/GNOME/libxslt/-/issues/139 https://project-zero.issues.chromium.org/issues/409761909

(CVE-2025-7425) libxslt: heap-use-after-free in xmlFreeID caused by `atype` corruption
https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
https://project-zero.issues.chromium.org/issues/410569369

Engineers from Apple & Google have proposed patches in the GNOME gitlab issues, but neither has had a fix applied to the git repo since there is currently no maintainer for libxslt.

Note that a fourth vulnerability was reported on June 18, 2025, which remains undisclosed to date (GNOME libxslt issue 148, link below), see https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt

Iván Chavero reports vs. v1.1.44:

[CVE-2025-11731] Fix: End function node ancestor search at document

Alan Coopersmith reports:

As discussed in https://gitlab.gnome.org/GNOME/libxml2/-/issues/913 the security policy of libxml2 has been changed to disclose vulnerabilities before fixes are available so that people other than the maintainer can contribute to fixing security issues in this library.

As part of this, the following 5 CVE's have been disclosed recently:

(CVE-2025-49794) Heap use after free (UAF) leads to Denial of service (DoS) https://gitlab.gnome.org/GNOME/libxml2/-/issues/931 [...]

(CVE-2025-49795) Null pointer dereference leads to Denial of service (DoS) https://gitlab.gnome.org/GNOME/libxml2/-/issues/932 [...]

(CVE-2025-49796) Type confusion leads to Denial of service (DoS) https://gitlab.gnome.org/GNOME/libxml2/-/issues/933 [...]

For all three of the above, note that upstream is considering removing Schematron support completely, as discussed in https://gitlab.gnome.org/GNOME/libxml2/-/issues/935.

(CVE-2025-6021) Integer Overflow Leading to Buffer Overflow in xmlBuildQName() https://gitlab.gnome.org/GNOME/libxml2/-/issues/926 [...]

(CVE-2025-6170) Stack-based Buffer Overflow in xmllint Shell https://gitlab.gnome.org/GNOME/libxml2/-/issues/941 [...]

The mod_http2 project reports:

a client can increase memory consumption for a HTTP/2 connection via repeated request header names,leading to denial of service

certain proxy configurations whith mod_proxy_http2 as the backend, an assertion can be triggered by certain requests, leading to denial of service

The Apache httpd project reports:

moderate: Apache HTTP Server: HTTP response splitting (CVE-2024-42516)

low: Apache HTTP Server: SSRF with mod_headers setting Content-Type header (CVE-2024-43204)

moderate: Apache HTTP Server: SSRF on Windows due to UNC paths (CVE-2024-43394)

low: Apache HTTP Server: mod_ssl error log variable escaping (CVE-2024-47252)

moderate: Apache HTTP Server: mod_ssl access control bypass with session resumption (CVE-2025-23048)

low: Apache HTTP Server: mod_proxy_http2 denial of service (CVE-2025-49630)

moderate: Apache HTTP Server: mod_ssl TLS upgrade attack (CVE-2025-49812)

moderate: Apache HTTP Server: HTTP/2 DoS by Memory Increase (CVE-2025-53020)

security@apache.org reports:

A race condition on connection close could trigger a JVM crash when using the APR/Native connector leading to a DoS. This was particularly noticeable with client initiated closes of HTTP/2 connections.

An uncontrolled resource consumption vulnerability if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams could result in a DoS.

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability could lead to a DoS via bypassing of size limits.

Gitlab reports:

Cross-site scripting issue impacts GitLab CE/EE

Improper authorization issue impacts GitLab CE/EE

Improper authorization issue impacts GitLab EE

Improper authorization issue impacts GitLab EE

Git development team reports:

CVE-2025-27613: Gitk: When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not.

CVE-2025-27614: Gitk: A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking `gitk filename`, where `filename` has a particular structure.

CVE-2025-46835: Git GUI: When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file.

CVE-2025-48384: Git: When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout.

CVE-2025-48385: Git: When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution.

CVE-2025-48386: Git: The wincred credential helper uses a static buffer (`target`) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with `wcsncat()`, leading to potential buffer overflows.

cna@mongodb.com reports:

MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. Required Configuration: This affects MongoDB sharded clusters when configured with load balancer support for mongos using HAProxy on specified ports.

cna@mongodb.com reports:

An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation.

cna@mongodb.com reports:

MongoDB Server may be susceptible to disruption caused by high memory usage, potentially leading to server crash. This condition is linked to inefficiencies in memory management related to internal operations. In scenarios where certain internal processes persist longer than anticipated, memory consumption can increase, potentially impacting server stability and availability.

cna@mongodb.com reports:

An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered.

security-advisories@github.com reports:

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.

@julienperriercornet reports:

An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service.

Seunghyun Lee reports:

An authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution.

Simcha Kosman & CyberArk Labs reports:

A user can run the {redis,valkeyu}-check-aof cli and pass a long file path to trigger a stack buffer overflow, which may potentially lead to remote code execution.

Problem Description:

A worker thread could free its input buffer after decoding, while the main thread might still be writing to it. This leads to an use-after-free condition on heap memory.

Impact:

An attacker may use specifically crafted .xz file to cause multi-threaded xz decoder to crash, or potentially run arbitrary code under the credential the decoder was executed.

GStreamer Security Center reports:

It is possible for a malicious third party to trigger a buffer overflow that can result in a crash of the application and possibly also allow code execution through stack manipulation.

security@mozilla.org reports:

An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools.

When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding.

If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors".

The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP.

If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable.

Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

security@mozilla.org reports:

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed.

When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `&lt;embed&gt;` or `&lt;object&gt;` tag, potentially making a website vulnerable to a cross-site scripting attack.

security@mozilla.org reports:

An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

php.net reports:

• CVE-2025-1735: pgsql extension does not check for errors during escaping
• CVE-2025-6491: NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix
• CVE-2025-1220: Null byte termination in hostnames

security@mozilla.org reports:

A use-after-free in FontFaceSet resulted in a potentially exploitable crash.

Chrome Releases reports:

This update includes 1 security fix:

• [427663123] High CVE-2025-6554: Type Confusion in V8.

Chrome Releases reports:

This update includes 11 security fixes:

• [407328533] Medium CVE-2025-6555: Use after free in Animation. Reported by Lyra Rebane (rebane2001) on 2025-03-30
• [40062462] Low CVE-2025-6556: Insufficient policy enforcement in Loader. Reported by Shaheen Fazim on 2023-01-02
• [406631048] Low CVE-2025-6557: Insufficient data validation in DevTools. Reported by Ameen Basha M K on 2025-03-27

Todd C. Miller reports, crediting Rich Mirch from Stratascale Cyber Research Unit (CRU):

Sudo 1.9.17p1:

• Fixed CVE-2025-32462. Sudo's -h (--host) option could be specified when running a command or editing a file. This could enable a local privilege escalation attack if the sudoers file allows the user to run commands on a different host. For more information, see Local Privilege Escalation via host option.
• Fixed CVE-2025-32463. An attacker can leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file. The chroot support has been deprecated an will be removed entirely in a future release. For more information, see Local Privilege Escalation via chroot option.

The X.Org project reports:

• CVE-2025-49176: Integer overflow in Big Requests Extension

  The Big Requests extension allows requests larger than the 16-bit length limit. It uses integers for the request length and checks for the size not to exceed the maxBigRequestSize limit, but does so after translating the length to integer by multiplying the given size in bytes by 4. In doing so, it might overflow the integer size limit before actually checking for the overflow, defeating the purpose of the test.

The X.Org project reports:

• CVE-2025-49175: Out-of-bounds access in X Rendering extension (Animated cursors)

  The X Rendering extension allows creating animated cursors providing a list of cursors. By default, the Xserver assumes at least one cursor is provided while a client may actually pass no cursor at all, which causes an out-of-bound read creating the animated cursor and a crash of the Xserver.

• CVE-2025-49177: Data leak in XFIXES Extension 6 (XFixesSetClientDisconnectMode)

  The handler of XFixesSetClientDisconnectMode does not check the client request length. A client could send a shorter request and read data from a former request.

• CVE-2025-49178: Unprocessed client request via bytes to ignore

  When reading requests from the clients, the input buffer might be shared and used between different clients. If a given client sends a full request with non-zero bytes to ignore, the bytes to ignore may still be non-zero even though the request is full, in which case the buffer could be shared with another client who's request will not be processed because of those bytes to ignore, leading to a possible hang of the other client request.

• CVE-2025-49179: Integer overflow in X Record extension

  The RecordSanityCheckRegisterClients() function in the X Record extension implementation of the Xserver checks for the request length, but does not check for integer overflow. A client might send a very large value for either the number of clients or the number of protocol ranges that will cause an integer overflow in the request length computation, defeating the check for request length.

• CVE-2025-49180: Integer overflow in RandR extension (RRChangeProviderProperty)

  A client might send a request causing an integer overflow when computing the total size to allocate in RRChangeProviderProperty().