The Prosody team reports:
Traffic patterns were discovered which can cause Prosody to consume excessive amounts of memory with much smaller amounts of incoming traffic. This traffic can be sent by unauthenticated connections. It was discovered that mod_proxy65’s access control was broken and incomplete due to two bugs.
The issue with unpausing connections was discovered and disclosed by Max Hearnden.
H.Merijn Brand - Tux <linux@tux.freedom.nl> reports:
Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The Parse, print, getline, and getline_all methods invoke registered callbacks (for example after_parse, before_print, or on_error) and cache the Perl argument stack pointer across the call. If a callback extends the argument stack enough to trigger a reallocation, the return value is written through the stale pointer into the freed buffer, and the caller reads the original $self argument as the return value instead. Calling code that expects parsed data from getline_all receives the Text::CSV_XS object in its place, leading to logic errors or crashes. Text::CSV_XS objects used without any registered callbacks are not affected.
When processing the header of an incoming message, libnv failed to properly validate the message size.
The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges.
When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024).
An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges.
As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun.
A specially crafted packet can cause dhclient to overrun its buffer of environment entries. This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution.
Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic.
Remote attackers can craft packets which cause affected systems to panic. This affects any system where pf is configured to process traffic, independent of the configured ruleset.
An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers.
The bug may be exploitable by an unprivileged user to obtain superuser privileges.
The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it.
A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient.
Cary Phillips reports:
[OpenEXR v3.4.11 is a p]atch release that addresses the following security vulnerabilities:
- CVE-2026-42217 Shift exponent overflow in readVariableLengthInteger() (ImfIDManifest.cpp)
- CVE-2026-42216 Out-of-bounds read in IDManifest::init() during prefix expansion
- CVE-2026-41142 Integer overflow in ImageChannel::resize leads to heap OOB write via OpenEXRUtil public API
- OSS-fuzz 504280155 Heap-buffer-overflow in DwaCompressor_uncompress
- OSS-fuzz 505062709 Null-dereference READ in Imf_3_3::prefixFromLayerName
https://bugzilla.mozilla.org/show_bug.cgi?id=2029461 reports:
Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2021904%2C2022731%2C2027158%2C2027733%2C2027973%2C2027976%2C2028231%2C2028731%2C2028886%2C2029067%2C2029700%2C2029724%2C2029806%2C2029814%2C2030108%2C2030111%2C2031524%2C2031921%2C2032040 reports:
Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/show_bug.cgi?id=2027433 reports:
Information disclosure due to incorrect boundary conditions in the Audio/Video component.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2029419%2C2029717%2C2029769%2C2029886 reports:
Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/show_bug.cgi?id=2027433 reports:
Information disclosure due to incorrect boundary conditions in the Audio/Video component.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2010727%2C2019004%2C2019224%2C2019547%2C2020378%2C2022381%2C2022608%2C2022785%2C2023120%2C2023128%2C2023140%2C2023279%2C2023836%2C2023882%2C2023925%2C2023950%2C2023959%2C2023965%2C2024243%2C2024245%2C2024247%2C2024253%2C2024346%2C2024357%2C2024416%2C2024420%2C2024429%2C2024432%2C2024455%2C2024466%2C2024468%2C2024476%2C2024664%2C2024666%2C2024669%2C2024670%2C2024671%2C2024761%2C2024918%2C2025292%2C2025332%2C2025348%2C2025384%2C2025395%2C2025458%2C2025461%2C2025463%2C2025481%2C2025483%2C2025485%2C2025494%2C2025506%2C2025511%2C2025513%2C2025520%2C2026277%2C2026282%2C2026288%2C2026289%2C2026311%2C2026312%2C2026869%2C2027152%2C2027161%2C2027238%2C2027261%2C2027269%2C2027274%2C2027280%2C2027281%2C2027300%2C2027302%2C2027331%2C2027339%2C2027340%2C2027738%2C2027975%2C2028000%2C2028011%2C2028289%2C2028525%2C2028728%2C2028887%2C2028888%2C2028896%2C2029063%2C2029064%2C2029290%2C2029291%2C2029294%2C2029300%2C2029304%2C2029316%2C2029317%2C2029401%2C2029415%2C2029430%2C2029457%2C2029727%2C2029735%2C2029743%2C2029752%2C2029754%2C2029776%2C2029809%2C2030324%2C2030370 reports:
Memory safety bugs present. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1935995%2C1999158%2C2015952%2C2021909%2C2022026%2C2022041%2C2022088%2C2022276%2C2022335%2C2022338%2C2022373%2C2022597%2C2022874%2C2023276%2C2023544%2C2023551%2C2023599%2C2023608%2C2023814%2C2024233%2C2024239%2C2024241%2C2024242%2C2024250%2C2024251%2C2024343%2C2024422%2C2024425%2C2024440%2C2024442%2C2024446%2C2024458%2C2024463%2C2024478%2C2024650%2C2024653%2C2024654%2C2024655%2C2024656%2C2024661%2C2024662%2C2024668%2C2024919%2C2025278%2C2025349%2C2025350%2C2025354%2C2025360%2C2025363%2C2025370%2C2025379%2C2025381%2C2025399%2C2025400%2C2025403%2C2025407%2C2025415%2C2025420%2C2025427%2C2025429%2C2025430%2C2025479%2C2025489%2C2025493%2C2025497%2C2025502%2C2025515%2C2025517%2C2025526%2C2025609%2C2025948%2C2025949%2C2025951%2C2025953%2C2025955%2C2025962%2C2025969%2C2025970%2C2025971%2C2025973%2C2025976%2C2025977%2C2026280%2C2026285%2C2026293%2C2026296%2C2026310%2C2027237%2C2027260%2C2027268%2C2027277%2C2027284%2C2027291%2C2027293%2C2027298%2C2027330%2C2027342%2C2027345%2C2027359%2C2027365%2C2027378%2C2027754%2C2027959%2C2027962%2C2027964%2C2027971%2C2027974%2C2027979%2C2027982%2C2027995%2C2028001%2C2028267%2C2028268%2C2028275%2C2028288%2C2028290%2C2028291%2C2028528%2C2028551%2C2028627%2C2028879%2C2028889%2C2029061%2C2029071%2C2029283%2C2029296%2C2029314%2C2029323%2C2029411%2C2029423%2C2029424%2C2029425%2C2029427%2C2029436%2C2029440%2C2029449%2C2029450%2C2029458%2C2029462%2C2029468%2C2029472%2C2029690%2C2029707%2C2029708%2C2029728%2C2029802%2C2029896%2C2029906%2C2030106%2C2030118%2C2030123%2C2030135%2C2030230%2C2030320 reports:
Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1536243%2C1745382%2C1851073%2C1893400%2C1963301%2C2001319%2C2002899%2C2012436%2C2014435%2C2016901%2C2019916%2C2020486%2C2020612%2C2020817%2C2021788%2C2022051%2C2022367%2C2022431%2C2023302%2C2023670%2C2024225%2C2024238%2C2024240%2C2024265%2C2024367%2C2024369%2C2024424%2C2024760%2C2025281%2C2025361%2C2025387%2C2025466%2C2025954%2C2025958%2C2026278%2C2026292%2C2026297%2C2026378%2C2027148%2C2027287%2C2027341%2C2027384%2C2027427%2C2027694%2C2027993%2C2028009%2C2028270%2C2028416%2C2028524%2C2029295%2C2029301%2C2029461%2C2029699%2C2029800%2C2029801 reports:
Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/show_bug.cgi?id=2027564 reports:
Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2026571 reports:
Information disclosure in the IP Protection component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2025583 reports:
Denial-of-service in the Audio/Video: Playback component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2023343 reports:
Other issue in the JavaScript Engine component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2022746 reports:
Invalid pointer in the Audio/Video: Playback component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2022726 reports:
Other issue in the Networking: DNS component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2021770 reports:
Incorrect boundary conditions in the WebRTC: Networking component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2021768 reports:
Incorrect boundary conditions in the WebRTC component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2016915 reports:
Mitigation bypass in the DOM: Security component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2015959 reports:
Denial-of-service due to integer overflow in the Graphics: WebGPU component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2026089 reports:
Incorrect boundary conditions in the Libraries component in NSS.
https://bugzilla.mozilla.org/show_bug.cgi?id=2025067 reports:
Mitigation bypass in the DOM: Security component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2024220 reports:
Other issue in the Storage: IndexedDB component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2023753 reports:
Privilege escalation in the Debugger component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2023615 reports:
Mitigation bypass in the Networking: Cookies component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2023209 reports:
Other issue in the Libraries component in NSS.
https://bugzilla.mozilla.org/show_bug.cgi?id=2023207 reports:
Incorrect boundary conditions in the Libraries component in NSS.
https://bugzilla.mozilla.org/show_bug.cgi?id=2022419 reports:
Information disclosure in the Form Autofill component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2022162 reports:
Incorrect boundary conditions in the DOM: Device Interfaces component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2021666 reports:
Mitigation bypass in the File Handling component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2021080 reports:
Spoofing issue in the DOM: Core & HTML component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2017857 reports:
Privilege escalation in the Networking component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2016923 reports:
Mitigation bypass in the Networking: Cookies component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2016164 reports:
Use-after-free in the Widget: Cocoa component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2013619 reports:
Use-after-free in the JavaScript: WebAssembly component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2013588 reports:
Invalid pointer in the JavaScript: WebAssembly component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1880429 reports:
Mitigation bypass in the DOM: postMessage component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2027541 reports:
Use-after-free in the JavaScript Engine component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2027501 reports:
Incorrect boundary conditions in the WebRTC component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2027499 reports:
Incorrect boundary conditions in the WebRTC component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2025883 reports:
Uninitialized memory in the Audio/Video: Web Codecs component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2023407 reports:
Privilege escalation in the Graphics: WebRender component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2022610 reports:
Information disclosure due to uninitialized memory in the Graphics: Canvas2D component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2022604 reports:
Uninitialized memory in the Audio/Video: Web Codecs component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2021769 reports:
Use-after-free in the WebRTC component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2014596 reports:
Use-after-free in the DOM: Core & HTML component.
The X.Org project reports:
libXpm uses a number of internal helper functions to parse the XPM file format. One of these internal functions, xpmNextString(), checks for the NULL terminator when looking for the end of the current string but not when looking for the beginning of the next string. A small XPM file with a malformed color table definition may cause the function xpmNextWord(), called from xpmParseColors() following a call to xpmNextString(), to start past the actual end of the file, causing an out-of-bound read.
https://github.com/libexpat/libexpat/pull/1183 reports:
libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0 reports:
Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.
Gitlab reports:
Cross-Site Request Forgery issue in GraphQL API impacts GitLab CE/EE GitLab
Improper Resolution of Path Equivalence issue in Web IDE asset impacts GitLab CE/EE
Cross-site Scripting issue in Storybook impacts GitLab CE/EE
Denial of Service issue in discussions endpoint impacts GitLab CE/EE
Denial of Service issue in Jira import impacts GitLab CE/EE
Denial of Service issue in notes endpoint impacts GitLab CE/EE
Denial of Service issue in GraphQL API impacts GitLab CE/EE
Insufficient Session Expiration issue in virtual registry credentials validation impacts GitLab CE/E
Improper Access Control issue in issue description renderer impacts GitLab CE/EE
Improper Restriction of Rendered UI Layers or Frames issue in Mermaid sandbox impacts GitLab CE/EE
Improper Access Control issue in project fork relationship API impacts GitLab CE/EE
Gert Doering reports:
[Security fixes in 2.7.2]
- fix race condition in TLS handshake that could lead to leaking of packet data from a previous handshake under specific circumstances (CVE-2026-40215)
- fix server [termination] on receiving a suitably malformed packet with a valid tls-crypt-v2 key (CVE-2026-35058)
In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page.
The bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access.
The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory.
A malicious process can abuse the dangling pointer to grant itself root privileges.
https://bugzilla.mozilla.org/show_bug.cgi?id=2009552 reports:
Integer overflow in the Libraries component in NSS.
ejabberd team reports:
This release adds new options that limit max memory used by XML parser used to process XMPP payloads, to prevent potential Denial of Service attack. The default values for pre-auth provide sufficient protection for ejabberd against non-authenticated users on c2s and s2s, so there is no need to change your configuration.
Tim Wojtulewicz of Corelight reports:
A series of DNS messages containing long DNS compression chains can cause Zeek to spend a long time processing packets and potentially crash. Due to the fact that these packets can be received from remote hosts, this is a DoS risk.
A specially-crafted LDAP search request can cause Zeek to spend a long time processing the packet, resulting in Zeek silently dropping the LDAP analyzer for the connection. Due to the fact that these packets can be received from remote hosts, this is an evasion risk.
A specially-crafted series of ASN.1 messages in LDAP packets can cause Zeek to spend a long time processing the packets, resulting in Zeek silently dropping the LDAP analyzer for the connection. Due to the fact that these packets can be received from remote hosts, this is an evasion risk.
Cary Phillips reports:
OpenEXR 3.4.10 is a patch release that addresses the following security vulnerabilities:
- CVE-2026-39886 HTJ2K Signed Integer Overflow in ht_undo_impl()
- CVE-2026-40244 Integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)
- CVE-2026-40250 Integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)
xrdp project reports:
This release includes 8 security fixes:
- CVE-2026-32105
- CVE-2026-32107
- CVE-2026-32623
- CVE-2026-32624
- CVE-2026-33145
- CVE-2026-32516
- CVE-2026-32689
- CVE-2026-35512
The Strawberry GraphQL project reports:
Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a 'connection_init' handshake has been completed before processing start (subscription) messages. This allows a remote attacker to skip the 'on_ws_connect' authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending 'connection_init'. The graphql-transport-ws subprotocol handler is not affected, as it correctly gates subscription operations on a connection_acknowledged flag. However, both subprotocols are enabled by default in all framework integrations that support websockets, and the subprotocol is selected by the client via the Sec-WebSocket-Protocol header. Any application relying on 'on_ws_connect' for authentication or authorization is affected.
Strawberry GraphQL's WebSocket subscription handlers for both the 'graphql-transport-ws' and legacy 'graphql-ws' protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new 'asyncio.Task' and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash.
Mozilla reports:
Memory safety bugs present in Firefox ESR, Firefox ESR , Thunderbird ESR, and Thunderbird. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://github.com/ethereum/go-ethereum/security/advisories reports:
- DoS via malicious p2p message (CVE-2026-26313)
- DoS via malicious p2p message (CVE-2026-26314)
- Improper ECIES Public Key Validation in RLPx Handshake (CVE-2026-26315)
Chrome Releases reports:
This update includes 31 security fixes:
- [490170083] Critical CVE-2026-6296: Heap buffer overflow in ANGLE. Reported by cinzinga on 2026-03-05
- [493628982] Critical CVE-2026-6297: Use after free in Proxy. Reported by heapracer on 2026-03-17
- [495700484] Critical CVE-2026-6298: Heap buffer overflow in Skia. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-24
- [497053588] Critical CVE-2026-6299: Use after free in Prerender. Reported by Google on 2026-03-28
- [497724498] Critical CVE-2026-6358: Use after free in XR. Reported by Jihyeon Jeong (Compsec Lab, Seoul National University / Research Intern) on 2026-03-30
- [490251701] High CVE-2026-6359: Use after free in Video. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-06
- [491994185] High CVE-2026-6300: Use after free in CSS. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-12
- [495273999] High CVE-2026-6301: Type Confusion in Turbofan. Reported by qymag1c on 2026-03-23
- [495477995] High CVE-2026-6302: Use after free in Video. Reported by Syn4pse on 2026-03-24
- [496282147] High CVE-2026-6303: Use after free in Codecs. Reported by Google on 2026-03-25
- [496393742] High CVE-2026-6304: Use after free in Graphite. Reported by Google on 2026-03-26
- [496618639] High CVE-2026-6305: Heap buffer overflow in PDFium. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-26
- [496907110] High CVE-2026-6306: Heap buffer overflow in PDFium. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-27
- [497404188] High CVE-2026-6307: Type Confusion in Turbofan. Reported by Project WhatForLunch (@pjwhatforlunch) on 2026-03-29
- [497412658] High CVE-2026-6308: Out of bounds read in Media. Reported by Google on 2026-03-29
- [497846428] High CVE-2026-6309: Use after free in Viz. Reported by Google on 2026-03-30
- [497880137] High CVE-2026-6360: Use after free in FileSystem. Reported by asjidkalam on 2026-03-31
- [497969820] High CVE-2026-6310: Use after free in Dawn. Reported by Google on 2026-03-31
- [498201025] High CVE-2026-6311: Uninitialized Use in Accessibility. Reported by Google on 2026-03-31
- [498269651] High CVE-2026-6312: Insufficient policy enforcement in Passwords. Reported by Google on 2026-03-31
- [498765210] High CVE-2026-6313: Insufficient policy enforcement in CORS. Reported by Google on 2026-04-02
- [498782145] High CVE-2026-6314: Out of bounds write in GPU. Reported by Google on 2026-04-02
- [499247910] High CVE-2026-6315: Use after free in Permissions. Reported by Google on 2026-04-03
- [499384399] High CVE-2026-6316: Use after free in Forms. Reported by Google on 2026-04-03
- [500036290] High CVE-2026-6361: Heap buffer overflow in PDFium. Reported by Google on 2026-04-06
- [500066234] High CVE-2026-6362: Use after free in Codecs. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-04-07
- [500091052] High CVE-2026-6317: Use after free in Cast. Reported by Google on 2026-04-06
- [495751197] Medium CVE-2026-6363: Type Confusion in V8. Reported by Google on 2026-03-24
- [495996858] Medium CVE-2026-6318: Use after free in Codecs. Reported by Syn4pse on 2026-03-25
- [499018889] Medium CVE-2026-6319: Use after free in Payments. Reported by pwn2addr on 2026-04-02
- [502103414] Medium CVE-2026-6364: Out of bounds read in Skia. Reported by Google Threat Intelligence on 2026-04-13
Composer project reports:
Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
X.Org project reports:
Multiple issues have been found in the X server and Xwayland implementations published by X.Org for which we are releasing security fixes for in xorg-server-21.1.22 and xwayland-24.1.10.
X.Org project reports:
Multiple issues have been found in the X server and Xwayland implementations published by X.Org for which we are releasing security fixes for in xorg-server-21.1.22 and xwayland-24.1.10.
Seth Larson reports:
[CVE-2026-4786] Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()
There is a HIGH severity vulnerability affecting CPython.
Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.
Seth Larson reports:
There is a CRITICAL severity vulnerability affecting CPython.
Use-after-free (UAF) was possible in the lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile when a memory allocation fails with a MemoryError and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.
The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a MemoryError is raised during decompression. Using the helper functions to one-shot decompress data such as lzma.decompress(), bz2.decompress(), gzip.decompress(), and zlib.decompress() are not affected as a new decompressor instance is created for each call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.
The Vaultwarden project reports:
GHSA-937x-3j8m-7w7p Unconfirmed Owner Can Purge Entire Organization Vault.
GHSA-569v-845w-g82p Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization
GHSA-6j4w-g4jh-xjfx Refresh tokens not invalidated on security stamp rotation
Seth Larson reports:
HTTP proxy via "CONNECT" tunneling doesn't sanitize CR/LF (CVE-2026-1502).
Stan Ulbrych reports:
configparser.RawConfigParser.{OPTCRE,OPTCRE_NV} regexes [are] vulnerable to quadratic backtracking.
https://github.com/ormar-orm/ormar/security/advisories reports:
- SQL Injection in aggregate functions min() and max()
- Pydantic Validation Bypass via __pk_only__ and __excluded__ Kwargs Injection in Model Constructor
PrymEvol and Quang Luong reports:
A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potentially causing a denial of service (application crash) or arbitrary code execution.
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html reports:
- CVE-2026-0396: HTML injection in the web dashboard
- CVE-2026-0397: Information disclosure via CORS misconfiguration
- CVE-2026-24028: Out-of-bounds read when parsing DNS packets via Lua
- CVE-2026-24029: DNS over HTTPS ACL bypass
- CVE-2026-24030: Unbounded memory allocation for DoQ and DoH3
- CVE-2026-27853: Out-of-bounds write when rewriting large DNS packets
- CVE-2026-27854: Use after free when parsing EDNS options in Lua
https://mbed-tls.readthedocs.io/en/latest/security-advisories/ reports:
- Client impersonation while resuming a TLS 1.3 session (CVE-2026-34873)
- Entropy on Linux can fall back to /dev/urandom (CVE-2026-34871)
- PSA random generator cloning (CVE-2026-25835)
- Compiler-induced constant-time violations (CVE-2025-66442)
- Null pointer dereference when setting a distinguished name (CVE-2026-34874)
- Buffer overflow in FFDH public key export (CVE-2026-34875)
- FFDH: lack of contributory behaviour due to improper input validation (CVE-2026-34872)
- Signature Algorithm Injection (CVE-2026-25834)
- CCM multipart finish tag-length validation bypass (CVE-2026-34876)
- Risk of insufficient protection of serialized session or context data leading to potential memory safety issues (CVE-2026-34877)
- Buffer underflow in x509_inet_pton_ipv6() (CVE-2026-25833)
Chrome Releases reports:
This update includes multiple security fixes:
- Critical CVE-2026-5858: Heap buffer overflow in WebML.
- Critical CVE-2026-5859: Integer overflow in WebML.
- High CVE-2026-5860: Use after free in WebRTC.
- High CVE-2026-5861: Use after free in V8.
- High CVE-2026-5862: Inappropriate implementation in V8.
- High CVE-2026-5863: Inappropriate implementation in V8.
- High CVE-2026-5864: Heap buffer overflow in WebAudio.
- High CVE-2026-5865: Type Confusion in V8.
- High CVE-2026-5866: Use after free in Media.
- High CVE-2026-5867: Heap buffer overflow in WebML.
- High CVE-2026-5868: Heap buffer overflow in ANGLE.
- High CVE-2026-5869: Heap buffer overflow in WebML.
- High CVE-2026-5870: Integer overflow in Skia.
- High CVE-2026-5871: Type Confusion in V8.
- High CVE-2026-5872: Use after free in Blink.
- High CVE-2026-5873: Out of bounds read and write in V8.
- Medium CVE-2026-5874: Use after free in PrivateAI.
- Medium CVE-2026-5875: Policy bypass in Blink.
- Medium CVE-2026-5876: Side-channel information leakage in Navigation.
- Medium CVE-2026-5877: Use after free in Navigation.
- Medium CVE-2026-5878: Incorrect security UI in Blink.
- Medium CVE-2026-5879: Insufficient validation of untrusted input in ANGLE.
- Medium CVE-2026-5880: Incorrect security UI in browser UI.
- Medium CVE-2026-5881: Policy bypass in LocalNetworkAccess.
- Medium CVE-2026-5882: Incorrect security UI in Fullscreen.
- Medium CVE-2026-5883: Use after free in Media.
- Medium CVE-2026-5884: Insufficient validation of untrusted input in Media.
- Medium CVE-2026-5885: Insufficient validation of untrusted input in WebML.
- Medium CVE-2026-5886: Out of bounds read in WebAudio.
- Medium CVE-2026-5887: Insufficient validation of untrusted input in Downloads.
- Medium CVE-2026-5888: Uninitialized Use in WebCodecs.
- Medium CVE-2026-5889: Cryptographic Flaw in PDFium.
- Medium CVE-2026-5890: Race in WebCodecs.
- Medium CVE-2026-5891: Insufficient policy enforcement in browser UI.
- Medium CVE-2026-5892: Insufficient policy enforcement in PWAs.
- Medium CVE-2026-5893: Race in V8.
- Low CVE-2026-5894: Inappropriate implementation in PDF.
- Low CVE-2026-5895: Incorrect security UI in Omnibox.
- Low CVE-2026-5896: Policy bypass in Audio.
- Low CVE-2026-5897: Incorrect security UI in Downloads.
- Low CVE-2026-5898: Incorrect security UI in Omnibox.
- Low CVE-2026-5899: Incorrect security UI in History Navigation.
- Low CVE-2026-5900: Policy bypass in Downloads.
- Low CVE-2026-5901: Policy bypass in DevTools.
- Low CVE-2026-5902: Race in Media.
- Low CVE-2026-5903: Policy bypass in IFrameSandbox.
- Low CVE-2026-5904: Use after free in V8.
- Low CVE-2026-5905: Incorrect security UI in Permissions.
- Low CVE-2026-5906: Incorrect security UI in Omnibox.
- Low CVE-2026-5907: Insufficient data validation in Media.
- Low CVE-2026-5908: Integer overflow in Media.
- Low CVE-2026-5909: Integer overflow in Media.
- Low CVE-2026-5910: Integer overflow in Media.
- Low CVE-2026-5911: Policy bypass in ServiceWorkers.
- Low CVE-2026-5912: Integer overflow in WebRTC.
- Low CVE-2026-5913: Out of bounds read in Blink.
- Low CVE-2026-5914: Type Confusion in CSS.
- Low CVE-2026-5915: Insufficient validation of untrusted input in WebML.
- Low CVE-2026-5918: Inappropriate implementation in Navigation.
- Low CVE-2026-5919: Insufficient validation of untrusted input in WebSockets.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2025475%2C2025477 reports:
Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022369%2C2023026%2C2023545%2C2023555%2C2023958%2C2025422%2C2025468%2C2025492%2C2025505 reports:
Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/show_bug.cgi?id=2022554 reports:
Incorrect boundary conditions in the Graphics: WebGPU component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2017867 reports:
Incorrect boundary conditions, integer overflow in the Graphics: Text component.
Gitlab reports:
Exposed Method issue in websocket connections impacts GitLab CE/EE
Denial of Service issue in Terraform state lock API impacts GitLab CE/EE
Denial of Service issue in GraphQL API impacts GitLab CE/EE
Denial of Service issue in CSV import impacts GitLab CE/EE
Denial of Service issue in GraphQL SBOM API impacts GitLab EE
Code Injection issue in Code Quality reports impacts GitLab EE
Cross-site Scripting issue in analytics dashboards impacts GitLab EE
Incorrect Authorization issue in vulnerability flags AI detection API impacts GitLab EE
Information Disclosure issue in certain GraphQl query impacts GitLab EE
Improper Access Control issue in Environments API impacts GitLab EE
Information Disclosure issue in CSV export impacts GitLab CE/EE
Missing Authorization issue in custom role permissions impacts GitLab CE/EE
The OpenSSL project reports:
Seven vulnerabilities in OpenSSL library. Highest classification Moderate.
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6 reports:
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
https://jira.mongodb.org/browse/SERVER-101758 reports:
A user with access to the cluster with a limited set of privilege actions can trigger a crash of amongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set.
Cary Phillips reports:
[OpenEXR 3.4.9] addresses the following CVEs:
- CVE-2026-34589 DWA Lossy Decoder Heap Out-of-Bounds Write
- CVE-2026-34588 Signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
- CVE-2026-34380 Signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression
- CVE-2026-34379 Misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)
- CVE-2026-34378 Signed integer overflow in generic_unpack() when parsing EXR files with crafted negative dataWindow.min.x
https://github.com/python/cpython/pull/143931 reports:
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
Python Software Foundation Security Developer reports:
The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
Python Software Foundation Security Developer reports:
The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
Chrome Releases reports:
This update includes 21 security fixes:
- [493952652] High CVE-2026-5273: Use after free in CSS. Reported by Anonymous on 2026-03-18
- [491732188] High CVE-2026-5272: Heap buffer overflow in GPU. Reported by inspector-ambitious on 2026-03-11
- [488596746] High CVE-2026-5274: Integer overflow in Codecs. Reported by heapracer (@heapracer) on 2026-03-01
- [489494022] High CVE-2026-5275: Heap buffer overflow in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-04
- [489711638] High CVE-2026-5276: Insufficient policy enforcement in WebUSB. Reported by Ariel Simon on 2026-03-04
- [489791424] High CVE-2026-5277: Integer overflow in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-05
- [490254128] High CVE-2026-5278: Use after free in Web MIDI. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-06
- [490642836] High CVE-2026-5279: Object corruption in V8. Reported by Hyeonjun Ahn (@_deayzl) on 2026-03-08
- [491515787] High CVE-2026-5280: Use after free in WebCodecs. Reported by heapracer (@heapracer) on 2026-03-11
- [491518608] High CVE-2026-5281: Use after free in Dawn. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-10
- [491655161] High CVE-2026-5282: Out of bounds read in WebCodecs. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-11
- [492131521] High CVE-2026-5283: Inappropriate implementation in ANGLE. Reported by sweetchip on 2026-03-12
- [492139412] High CVE-2026-5284: Use after free in Dawn. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-12
- [492228019] High CVE-2026-5285: Use after free in WebGL. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-13
- [493900619] High CVE-2026-5286: Use after free in Dawn. Reported by sweetchip on 2026-03-18
- [494644471] High CVE-2026-5287: Use after free in PDF. Reported by Syn4pse on 2026-03-21
- [495507390] High CVE-2026-5288: Use after free in WebView. Reported by Google on 2026-03-23
- [495931147] High CVE-2026-5289: Use after free in Navigation. Reported by Google on 2026-03-25
- [496205576] High CVE-2026-5290: Use after free in Compositing. Reported by Google on 2026-03-25
- [490118036] Medium CVE-2026-5291: Inappropriate implementation in WebGL. Reported by heapracer (@heapracer) on 2026-03-06
- [492213293] Medium CVE-2026-5292: Out of bounds read in WebCodecs. Reported by Google on 2026-03-12
The traefik project releases a new version addressing multiple CVEs:
- CVE-2026-33433 (BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField)
- CVE-2026-33186 (authorization bypass via missing leading slash in :path)
The Roundcube project reports:
.
Gitlab reports:
Improper Handling of Parameters issue in Jira Connect installations impacts GitLab CE/EE
Cross-Site Request Forgery issue in GLQL API impacts GitLab CE/EE
HTML Injection in vulnerability report impacts GitLab EE
Denial of Service issue in GraphQL API impacts GitLab CE/EE
Improper Access Control issue in WebAuthn 2FA impacts GitLab CE/EE
Improper Access Control issue in GraphQL query impacts GitLab EE
Denial of Service issue in CI configuration processing impacts GitLab CE/EE
Denial of Service issue in webhook configuration impacts GitLab CE/EE
Cross-site Scripting issue in Mermaid diagram renderer impacts GitLab CE/EE
Improper Access Control issue in Merge Requests impacts GitLab CE/EE
Access Control issue in GraphQL API impacts GitLab EE
Incorrect Authorization issue in authorization caching impacts GitLab EE
Jenkins Security Advisory 2026-03-18:
- SECURITY-3657 / CVE-2026-33001: Arbitrary file write vulnerability through specially crafted archives in Jenkins (High)
- SECURITY-3674 / CVE-2026-33002: DNS rebinding vulnerability in WebSocket CLI origin validation in Jenkins (High)
CVE-2026-4729: Memory safety bugs
CVE-2026-4728: Spoofing issue in the Privacy: Anti-Tracking component.
CVE-2026-4727: Denial-of-service in the Libraries component in NSS.
CVE-2026-4726: Denial-of-service in the XML component.
CVE-2026-4725: Sandbox escape due to use-after-free in the Graphics: Canvas2D component.
CVE-2026-4724: Undefined behavior in the Audio/Video component.
CVE-2026-4723: Use-after-free in the JavaScript Engine component.
CVE-2026-4722: Privilege escalation in the IPC component.
CVE-2026-4721: Memory safety bugs. Potential arbitrary code execution.
CVE-2026-4709: Incorrect boundary conditions in the Audio/Video: GMP component.
CVE-2026-4707: Incorrect boundary conditions in the Graphics: Canvas2D component.
CVE-2026-4706: Incorrect boundary conditions in the Graphics: Canvas2D component.
CVE-2026-4699: Incorrect boundary conditions in the Layout: Text and Fonts component.
CVE-2026-4698: JIT miscompilation in the JavaScript Engine: JIT component.
CVE-2026-4696: Use-after-free in the Layout: Text and Fonts component.
CVE-2026-4694: Incorrect boundary conditions, integer overflow in the Graphics component.
CVE-2026-4693: Incorrect boundary conditions in the Audio/Video: Playback component.
CVE-2026-4692: Sandbox escape in the Responsive Design Mode component.
CVE-2026-4691: Use-after-free in the CSS Parsing and Computation component.
CVE-2026-4690: Sandbox escape due to integer overflow in the XPCOM component.
CVE-2026-4689: Sandbox escape due to integer overflow in the XPCOM component.
CVE-2026-4687: Sandbox escape in the Telemetry component.
CVE-2026-4686: Incorrect boundary conditions in the Graphics: Canvas2D component.
CVE-2026-4685: Incorrect boundary conditions in the Graphics: Canvas2D component.
CVE-2026-4684: Race condition, use-after-free in the Graphics: WebRender component.
CVE-2026-4688: Sandbox escape due to use-after-free in Disability Access APIs.
CVE-2026-4695: Incorrect boundary conditions in the Audio/Video: Web Codecs component.
CVE-2026-4697: Incorrect boundary conditions in the Audio/Video: Web Codecs component.
CVE-2026-4700: Mitigation bypass in the Networking: HTTP component.
CVE-2026-4701: Use-after-free in the JavaScript Engine component.
CVE-2026-4702: JIT miscompilation in the JavaScript Engine component.
CVE-2026-4704: Denial-of-service in the WebRTC: Signaling component.
CVE-2026-4705: Undefined behavior in the WebRTC: Signaling component.
CVE-2026-4708: Incorrect boundary conditions in the Graphics component.
CVE-2026-4710: Incorrect boundary conditions in the Audio/Video component.
CVE-2026-4711: Use-after-free in the Widget: Cocoa component.
CVE-2026-4712: Information disclosure in the Widget: Cocoa component.
CVE-2026-4713: Incorrect boundary conditions in the Graphics component.
CVE-2026-4714: Incorrect boundary conditions in the Audio/Video component.
CVE-2026-4715: Uninitialized memory in the Graphics: Canvas2D component.
CVE-2026-4716: Incorrect boundary conditions and uninitialized memory in the JavaScript Engine.
CVE-2026-4717: Privilege escalation in the Netmonitor component.
CVE-2026-4718: Undefined behavior in the WebRTC: Signaling component.
CVE-2026-4719: Incorrect boundary conditions in the Graphics: Text component.
CVE-2026-4720: Memory safety bugs
Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first.
As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel.
In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.
On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID.
An attacker with network access to the NVMe/TCP target can trigger an unauthenticated Denial of Service condition on the affected machine.
When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf.
If an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf.
Technically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively.
Chrome Releases reports:
This update includes 8 security fixes:
- [485397284] High CVE-2026-4673: Heap buffer overflow in WebAudio. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-18
- [488188166] High CVE-2026-4674: Out of bounds read in CSS. Reported by Syn4pse on 2026-02-27
- [488270257] High CVE-2026-4675: Heap buffer overflow in WebGL. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-02-27
- [488613135] High CVE-2026-4676: Use after free in Dawn. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-01
- [490533968] High CVE-2026-4677: Out of bounds read in WebAudio. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-07
- [491164019] High CVE-2026-4678: Use after free in WebGPU. Reported by Google on 2026-03-10
- [491516670] High CVE-2026-4679: Integer overflow in Fonts. Reported by GF, Un3xploitable Of DeadSec on 2026-03-11
- [491869946] High CVE-2026-4680: Use after free in FedCM. Reported by Shaheen Fazim on 2026-03-12
Chrome Releases reports:
This update includes 26 security fixes:
- [475877320] Critical CVE-2026-4439: Out of bounds memory access in WebGL. Reported by Goodluck on 2026-01-15
- [485935305] Critical CVE-2026-4440: Out of bounds read and write in WebGL. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-20
- [489381399] Critical CVE-2026-4441: Use after free in Base. Reported by Google on 2026-03-03
- [484751092] High CVE-2026-4442: Heap buffer overflow in CSS. Reported by Syn4pse on 2026-02-16
- [485292589] High CVE-2026-4443: Heap buffer overflow in WebAudio. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-18
- [486349161] High CVE-2026-4444: Stack buffer overflow in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-21
- [486421953] High CVE-2026-4445: Use after free in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-22
- [486421954] High CVE-2026-4446: Use after free in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-22
- [486657483] High CVE-2026-4447: Inappropriate implementation in V8. Reported by Erge on 2026-02-23
- [486972661] High CVE-2026-4448: Heap buffer overflow in ANGLE. Reported by M. Fauzan Wijaya (Gh05t666nero) on 2026-02-23
- [487117772] High CVE-2026-4449: Use after free in Blink. Reported by Syn4pse on 2026-02-24
- [487746373] High CVE-2026-4450: Out of bounds write in V8. Reported by qymag1c on 2026-02-26
- [487768779] High CVE-2026-4451: Insufficient validation of untrusted input in Navigation. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-26
- [487977696] High CVE-2026-4452: Integer overflow in ANGLE. Reported by cinzinga on 2026-02-26
- [488400770] High CVE-2026-4453: Integer overflow in Dawn. Reported by sweetchip on 2026-02-27
- [488585488] High CVE-2026-4454: Use after free in Network. Reported by heapracer (@heapracer) on 2026-03-01
- [488585504] High CVE-2026-4455: Heap buffer overflow in PDFium. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-01
- [488617440] High CVE-2026-4456: Use after free in Digital Credentials API. Reported by sean wong on 2026-02-28
- [488803413] High CVE-2026-4457: Type Confusion in V8. Reported by Zhenpeng (Leo) Lin at depthfirst on 2026-03-01
- [489619753] High CVE-2026-4458: Use after free in Extensions. Reported by Shaheen Fazim on 2026-03-04
- [490246422] High CVE-2026-4459: Out of bounds read and write in WebAudio. Reported by Jihyeon Jeong (Compsec Lab, Seoul National University / Research Intern) on 2026-03-06
- [490254124] High CVE-2026-4460: Out of bounds read in Skia. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-06
- [490558172] High CVE-2026-4461: Inappropriate implementation in V8. Reported by Google on 2026-03-07
- [491080830] High CVE-2026-4462: Out of bounds read in Blink. Reported by heapracer (@heapracer) on 2026-03-09
- [491358681] High CVE-2026-4463: Heap buffer overflow in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-10
- [487208468] Medium CVE-2026-4464: Integer overflow in ANGLE. Reported by heesun on 2026-02-24
The traefik project releases a new version addressing multiple CVEs:
- CVE-2026-32595 (BasicAuth Middleware Timing Attack)
- CVE-2026-32305 (Potential mTLS Bypass via Fragmented TLS ClientHello)
- CVE-2026-32695 (Details not yet available)
https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b reports:
An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges.
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account.
The Roundcube project reports:
pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
password could get changed without providing the old password
IMAP Injection + CSRF bypass in mail search
remote image blocking bypass via various SVG animate attributes
remote image blocking bypass via a crafted body background attribute
fixed position mitigation bypass via use of !important
XSS issue in a HTML attachment preview
SSRF + Information Disclosure via stylesheet links to a local network hosts
Homebox reports:
Chrome Releases reports:
This update includes 1 security fix:
- [491421267] High CVE-2026-3909: Out of bounds write in Skia. Reported by Google Threat Analysis Group on 2026-03-10
Chrome Releases reports:
This update includes 2 security fixes:
- [491421267] High CVE-2026-3909: Out of bounds write in Skia. Reported by Google on 2026-03-10
- [491410818] High CVE-2026-3910: Inappropriate implementation in V8. Reported by Google on 2026-03-10
Chrome Releases reports:
This update includes 29 security fixes:
- [483445078] Critical CVE-2026-3913: Heap buffer overflow in WebML. Reported by Tobias Wienand on 2026-02-10
- [481776048] High CVE-2026-3914: Integer overflow in WebML. Reported by cinzinga on 2026-02-04
- [483971526] High CVE-2026-3915: Heap buffer overflow in WebML. Reported by Tobias Wienand on 2026-02-12
- [482828615] High CVE-2026-3916: Out of bounds read in Web Speech. Reported by Grischa Hauser on 2026-02-09
- [483569512] High CVE-2026-3917: Use after free in Agents. Reported by Syn4pse on 2026-02-11
- [483853103] High CVE-2026-3918: Use after free in WebMCP. Reported by Syn4pse on 2026-02-12
- [444176961] High CVE-2026-3919: Use after free in Extensions. Reported by Huinian Yang (@vmth6) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2025-09-10
- [482875307] High CVE-2026-3920: Out of bounds memory access in WebML. Reported by Google on 2026-02-09
- [484946544] High CVE-2026-3921: Use after free in TextEncoding. Reported by Pranamya Keshkamat & Cantina.xyz on 2026-02-17
- [485397139] High CVE-2026-3922: Use after free in MediaStream. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-18
- [485935314] High CVE-2026-3923: Use after free in WebMIDI. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-20
- [487338366] High CVE-2026-3924: Use after free in WindowDialog. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-25
- [418214610] Medium CVE-2026-3925: Incorrect security UI in LookalikeChecks. Reported by NDevTK and Alesandro Ortiz on 2025-05-17
- [478659010] Medium CVE-2026-3926: Out of bounds read in V8. Reported by qymag1c on 2026-01-26
- [474948986] Medium CVE-2026-3927: Incorrect security UI in PictureInPicture. Reported by Barath Stalin K on 2026-01-11
- [435980394] Medium CVE-2026-3928: Insufficient policy enforcement in Extensions. Reported by portsniffer443 on 2025-08-03
- [477180001] Medium CVE-2026-3929: Side-channel information leakage in ResourceTiming. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-01-20
- [476898368] Medium CVE-2026-3930: Unsafe navigation in Navigation. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-01-19
- [417599694] Medium CVE-2026-3931: Heap buffer overflow in Skia. Reported by Huinian Yang (@vmth6) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2025-05-14
- [478296121] Medium CVE-2026-3932: Insufficient policy enforcement in PDF. Reported by Ayato Shitomi on 2026-01-23
- [478783560] Medium CVE-2026-3934: Insufficient policy enforcement in ChromeDriver. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-01-26
- [479326680] Medium CVE-2026-3935: Incorrect security UI in WebAppInstalls. Reported by Barath Stalin K on 2026-01-28
- [481920229] Medium CVE-2026-3936: Use after free in WebView. Reported by Am4deu$ on 2026-02-05
- [473118648] Low CVE-2026-3937: Incorrect security UI in Downloads. Reported by Abhishek Kumar on 2026-01-03
- [474763968] Low CVE-2026-3938: Insufficient policy enforcement in Clipboard. Reported by vicevirus on 2026-01-10
- [40058077] Low CVE-2026-3939: Insufficient policy enforcement in PDF. Reported by NDevTK on 2021-11-30
- [470574526] Low CVE-2026-3940: Insufficient policy enforcement in DevTools. Reported by Jorian Woltjer, Mian, bug_blitzer on 2025-12-21
- [474670215] Low CVE-2026-3941: Insufficient policy enforcement in DevTools. Reported by Lyra Rebane (rebane2001) on 2026-01-10
- [475238879] Low CVE-2026-3942: Incorrect security UI in PictureInPicture. Reported by Barath Stalin K on 2026-01-12
The OpenSSL project reports:
TLS 1.3 server may choose unexpected key agreement group (Low)
An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the "DEFAULT" keyword.
https://bugzilla.mozilla.org/show_bug.cgi?id=2014593 reports:
Undefined behavior in the DOM: Core & HTML component.
https://bugzilla.mozilla.org/show_bug.cgi?id=2018400 reports:
Same-origin policy bypass in the CSS Parsing and Computation component.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2017513%2C2017622%2C2019341 reports:
Memory safety bugs present in Firefox 148.0.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
Gitlab reports:
Cross-site Scripting issue in Markdown placeholder processing impacts GitLab CE/EE
Denial of Service issue in GraphQL API impacts GitLab CE/EE
Denial of Service issue in repository archive endpoint impacts GitLab CE/EE
Denial of Service issue in protected branches API impacts GitLab CE/EE
Denial of Service issue in webhook custom headers impacts GitLab CE/EE
Denial of Service issue in webhook endpoint impacts GitLab CE/EE
Improper Neutralization of CRLF Sequences issue impacts GitLab CE/EE
Improper Access Control issue in runners API impacts GitLab CE/EE
Improper Access Control issue in snippet rendering impacts GitLab CE/EE
Information Disclosure issue in inaccessible issues impacts GitLab CE/EE
Missing Authorization issue in Group Import impacts GitLab CE/EE
Incorrect Reference issue in repository download impacts GitLab CE/EE
Incorrect Authorization issue in Virtual Registry impacts GitLab EE
Improper Escaping of Output issue in Datadog integration impacts GitLab CE/EE
The curl project reports:
Multiple vulnerabilities
The curl project reports:
- use after free in SMB connection reuse
- wrong proxy connection reuse with credentials
- token leak with redirect and netrc
- bad reuse of HTTP Negotiate connection
The GStreamer project reports multiple security vulnerabilities fixed in the 1.28.1 release:
Twelve security vulnerabilities were addressed, including:
- Out-of-bounds reads and writes in the H.266 video parser, WAV parser, MP4 and ASF demuxers, and DVB subtitle decoder.
- Integer overflows in the RIFF parser and Huffman table handling in the JPEG parser.
- Stack buffer overflows in the RTP QDM2 depayloader and H.266 parser.
These could lead to application crashes or potentially arbitrary code execution.
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed.
CVE-2026-2809: Memory safety bug in the JavaScript: WebAssembly component.
CVE-2026-2808: Integer overflow in the JavaScript: Standard Library component.
CVE-2026-2807: Memory safety bugs present in Firefox 147 and Thunderbird 147
CVE-2026-2806: Uninitialized memory in the Graphics: Text component.
CVE-2026-2805: Invalid pointer in the DOM: Core & HTML component.
CVE-2026-2804: Use-after-free in the JavaScript: WebAssembly component.
CVE-2026-2803: Information disclosure, mitigation bypass in the Settings UI component.
CVE-2026-2802: Race condition in the JavaScript: GC component.
CVE-2026-2801: Incorrect boundary conditions in the JavaScript: WebAssembly component.
CVE-2026-2799: Use-after-free in the DOM: Core & HTML component.
CVE-2026-2798: Use-after-free in the DOM: Core & HTML component.
CVE-2026-2797: Use-after-free in the JavaScript: GC component.
CVE-2026-2796: JIT miscompilation in the JavaScript: WebAssembly component
CVE-2026-2795: Use-after-free in the JavaScript: GC component.
Gitlab reports:
Cross-site Scripting issue in Mermaid sandbox impacts GitLab CE/EE
Denial of Service issue in container registry impacts GitLab CE/EE
Denial of Service issue in Jira events endpoint impacts GitLab CE/EE
Regular Expression Denial of Service issue in GitLab merge requests impacts GitLab CE/EE
Missing rate limit in Bitbucket Server importer impacts GitLab CE/EE
Denial of Service issue in CI trigger API impacts GitLab CE/EE
Denial of Service issue in token decoder impacts GitLab CE/EE
Improper Access Control issue in Conan package registry impacts GitLab EE
Access Control issue in CI job mutation impacts GitLab CE/EE
Mailpit author reports:
The Link Check API (/api/v1/message/{ID}/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and status text per link, making this a non-blind SSRF. In the default configuration (no authentication on SMTP or API), this is fully exploitable remotely with zero user interaction.
The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow.
In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns.
The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic.
Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.
If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has configured one.
In this case, cooperating processes in the two jails may establish a connection using a unix domain socket and exchange directory descriptors with each other.
When performing a filesystem name lookup, at each step of the lookup, the kernel checks whether the lookup would descend below the jail root of the current process. If the jail root directory is not encountered, the lookup continues.
In a configuration where processes in two different jails are able to exchange file descriptors using a unix domain socket, it is possible for a jailed process to receive a directory for a descriptor that is below that process' jail root. This enables full filesystem access for a jailed process, breaking the chroot.
Note that the system administrator is still responsible for ensuring that an unprivileged user on the jail host is not able to pass directory descriptors to a jailed process, even in a patched kernel.
The Vaultwarden project reports:
- GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user (fully encrypted) if they already know its internal UUID.
- GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an organization to modify collections they can access, even if they do not have management permissions for them.
- GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with manager-level access within an organization to modify collections they are not assigned.
Cary Phillips reports:
[openexr] v3.4.5 [...] fixes an incorrect size check in istream_nonparallel_read that could lead to a buffer overflow on invalid input data.
Jenkins Security Advisory:
Description
(High) SECURITY-3669 / CVE-2026-27099
Stored XSS vulnerability in node offline cause description
(Medium) SECURITY-3658 / CVE-2026-27100
Build information disclosure vulnerability through Run Parameter
https://bugzilla.mozilla.org/show_bug.cgi?id=2014390 reports:
Heap buffer overflow in libvpx.
Chrome Releases reports:
This update includes 3 security fixes:
- [477033835] High CVE-2026-2648: Heap buffer overflow in PDFium. Reported by soiax on 2026-01-19
- [481074858] High CVE-2026-2649: Integer overflow in V8. Reported by JunYoung Park(@candymate) of KAIST Hacking Lab on 2026-02-03
- [476461867] Medium CVE-2026-2650: Heap buffer overflow in Media. Reported by Google on 2026-01-18
PowerDNS Team reports:
2025-07: Internal logic flaw in cache management can lead to a denial of service in Recursor
2025-08: Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor
2026-01: Crafted zones can lead to increased resource usage in Recursor
2026-01: This problem can be triggered by publishing and querying a crafted zone that causes large memory usage.
https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3 reports:
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.
The traefik project reports:
There is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service
https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh reports:
MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.
Chrome Releases reports:
This update includes 1 security fix:
- [483569511] High CVE-2026-2441: Use after free in CSS. Reported by Shaheen Fazim on 2026-02-11
expat team reports:
Update contains 2 security fixes:
- CVE-2026-24515: NULL dereference in function XML_ExternalEntityParserCreate
- CVE-2026-25210: missing check for integer overflow in function doContent
The PostgreSQL project reports:
Improper validation of type oidvector in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely.
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database.
Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database.
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database.
Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation.
https://jira.mongodb.org/browse/SERVER-113685 reports:
An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index.
https://jira.mongodb.org/browse/SERVER-99119 reports:
An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints.
https://jira.mongodb.org/browse/SERVER-114126 reports:
Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.
https://jira.mongodb.org/browse/SERVER-102364 reports:
MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression.
https://jira.mongodb.org/browse/SERVER-113532 reports:
Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the primary. This could stall replication inside the replica set leading to server crash.
Gitlab reports:
Incomplete Validation issue in Web IDE impacts GitLab CE/EE
Denial of Service issue in GraphQL introspection impacts GitLab CE/EE
Denial of Service issue in JSON validation middleware impacts GitLab CE/EE
Cross-site Scripting issue in Code Flow impacts GitLab CE/EE
HTML Injection issue in test case titles impacts GitLab CE/EE
Denial of Service issue in Markdown processor impacts GitLab CE/EE
Denial of Service issue in Markdown Preview impacts GitLab CE/EE
Denial of Service issue in dashboard impacts GitLab EE
Server-Side Request Forgery issue in Virtual Registry impacts GitLab EE
Improper Validation issue in diff parser impacts GitLab CE/EE
Server-Side Request Forgery issue in Git repository import impacts GitLab CE/EE
Authorization Bypass issue in iterations API impacts GitLab EE
Missing Authorization issue in GLQL API impacts GitLab CE/EE
Stored HTML Injection issue in project label impacts GitLab CE/EE
Authorization Bypass issue in Pipeline Schedules API impacts GitLab CE/EE
Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives.
Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes before it is able to exec the helper. At this point, blocklistd still records adverse events but is unable to block new addresses or unblock addresses whose database entries have expired.
Once a second, much higher number of leaked sockets is reached, blocklistd becomes unable to receive new adverse event reports.
An attacker may take advantage of this by triggering a large number of adverse events from sacrificial IP addresses to effectively disable blocklistd before launching an attack.
Even in the absence of attacks or probes by would-be attackers, adverse events will occur regularly in the course of normal operations, and blocklistd will gradually run out file descriptors and become ineffective.
The accumulation of open sockets may have knock-on effects on other parts of the system, resulting in a general slowdown until blocklistd is restarted.
Chrome Releases reports:
This update includes 2 security fixes:
- [478942410] High CVE-2026-1861: Heap buffer overflow in libvpx. Reported by Google on 2026-01-26
- [479726070] High CVE-2026-1862: Type Confusion in V8. Reported by Chaoyuan Peng (@ret2happy) on 2026-01-29
The Roundcube project reports:
Unspecified CSS injection vulnerability.
Remote image blocking bypass via SVG content.
Qt qtwebengine-chromium repo reports:
Backports for 7 security bugs in Chromium:
- CVE-2025-13638: Prevent media element GC in callbacks in WebMediaPlayerMS
- CVE-2025-13639: Improve validation of SDP direction in remote description
- CVE-2025-13720: Avoid downcasting Hash and Integrity reports
- CVE-2025-14174: Metal: Don't use pixelsDepthPitch to size buffers
- CVE-2025-14765: Polyfill unary negation and abs for amd mesa frontend
- CVE-2026-0908: Use CheckedNumerics in HandleAllocator
- CVE-2026-1504: Block opaque 416 responses to non-range requests
An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials.
Authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/{token}). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage.
The traefik project reports:
There is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled.A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entrypoint.
The Python project announces a new release with several security fixes:
- CVE-2026-1299: gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).
- gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs.
- gh-143925: Reject control characters in data: URL media types.
- gh-143919: Reject control characters in http.cookies.Morsel fields and values.
- CVE-2026-0865: gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters.
Denis Skvortsov, Security Researcher at Kaspersky reports:
xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system.
Tim Wojtulewicz of Corelight reports:
Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding or Content-Length headers set in MIME entities within HTTP bodies and change the analyzer behavior.
Chrome Releases reports:
This update includes 1 security fix:
- [474435504] High CVE-2026-1504: Inappropriate implementation in Background Fetch API. Reported by Luan Herrera (@lbherrera_) on 2026-01-09
https://bugzilla.mozilla.org/show_bug.cgi?id=2007302 reports:
Mitigation bypass in the Privacy: Anti-Tracking component.
Use-after-free in the Layout: Scrolling and Overflow component.
By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks.
If a privileged user within a jail is able to nullfs-mount directories, a limitation of the kernel's path lookup logic allows that user to escape the jail's chroot, yielding access to the full filesystem of the host or parent jail.
In a jail configured to allow nullfs(4) mounts from within the jail, the jailed root user can escape the jail's filesystem root.
The OpenSSL project reports:
- Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)
- Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
- NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)
- "openssl dgst" one-shot codepath silently truncates inputs >16MB (CVE-2025-15469)
- TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)
- Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
- Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
- Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
- Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
- NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
- Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
- ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)
Oracle reports:
Oracle reports multiple vulnerabilities in its MySQL server products.
https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx reports:
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Chrome Releases reports:
This update includes 1 security fix:
- [473851441] High CVE-2026-1220: Race in V8. Reported by @p1nky4745 on 2026-01-07
Gitlab reports:
Denial of Service issue in Jira Connect integration impacts GitLab CE/EE
Incorrect Authorization issue in Releases API impacts GitLab CE/EE
Unchecked Return Value issue in authentication services impacts GitLab CE/EE
Infinite Loop issue in Wiki redirects impacts GitLab CE/EE
Denial of Service issue in API endpoint impacts GitLab CE/EE
Mailpit author reports:
Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection (GHSA-54wq-72mp-cq7c)
Prevent Server-Side Request Forgery (SSRF) via HTML Check API (GHSA-6jxm-fv7w-rw5j)
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
A flaw was found in the crypto/x509 package in the Go standard library. This vulnerability allows a certificate validation bypass via an excluded subdomain constraint in a certificated chain as it does not restrict the usage of wildcard SANs in the leaf certificate.
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
Denial-of-service in the DOM: Service Workers component.
Information disclosure in the XML component.
Sandbox escape in the Messaging System component.
Memory safety bugs present in firefox-esr 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146.
Spoofing issue in the DOM: Copy & Paste and Drag & Drop component.
Clickjacking issue and information disclosure in the PDF Viewer component.
Use-after-free in the JavaScript: GC component.
Use-after-free in the JavaScript Engine component.
Information disclosure in the Networking component.
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component.
Incorrect boundary conditions in the Graphics component.
Use-after-free in the IPC component.
Sandbox escape due to integer overflow in the Graphics component.
Sandbox escape due to incorrect boundary conditions in the Graphics component.
Mitigation bypass in the DOM: Security component.
Chrome Releases reports:
This update includes 10 security fixes:
- [458914193] High CVE-2026-0899: Out of bounds memory access in V8. Reported by @p1nky4745 on 2025-11-08
- [465730465] High CVE-2026-0900: Inappropriate implementation in V8. Reported by Google on 2025-12-03
- [40057499] High CVE-2026-0901: Inappropriate implementation in Blink. Reported by Irvan Kurniawan (sourc7) on 2021-10-04
- [469143679] Medium CVE-2026-0902: Inappropriate implementation in V8. Reported by 303f06e3 on 2025-12-16
- [444803530] Medium CVE-2026-0903: Insufficient validation of untrusted input in Downloads. Reported by Azur on 2025-09-13
- [452209495] Medium CVE-2026-0904: Incorrect security UI in Digital Credentials. Reported by Hafiizh on 2025-10-15
- [465466773] Medium CVE-2026-0905: Insufficient policy enforcement in Network. Reported by Google on 2025-12-02
- [467448811] Low CVE-2026-0906: Incorrect security UI. Reported by Khalil Zhani on 2025-12-10
- [444653104] Low CVE-2026-0907: Incorrect security UI in Split View. Reported by Hafiizh on 2025-09-12
- [452209503] Low CVE-2026-0908: Use after free in ANGLE. Reported by Glitchers BoB 14th. on 2025-10-15
https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986 reports:
virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.
oss-security@ list reports:
Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.
Gitlab reports:
Stored Cross-site Scripting issue in GitLab Flavored Markdown placeholders impacts GitLab CE/EE
Cross-site Scripting issue in Web IDE impacts GitLab CE/EE
Missing Authorization issue in Duo Workflows API impacts GitLab EE
Missing Authorization issue in AI GraphQL mutation impacts GitLab EE
Denial of Service issue in import functionality impacts GitLab CE/EE
Insufficient Access Control Granularity issue in GraphQL runnerUpdate mutation impacts GitLab CE/EE
Information Disclosure issue in Mermaid diagram rendering impacts GitLab CE/EE
Mailpit author reports:
The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability.
An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time.
phpMyFAQ team reports:
Stored cross-site scripting (XSS) and unauthenticated config backup download vulnerability
Chrome Releases reports:
This update includes 1 security fix:
- [463155954] High CVE-2026-0628: Insufficient policy enforcement in WebView tag. Reported by Gal Weizman on 2025-11-23
Libsodium maintainer reports:
The function crypto_core_ed25519_is_valid_point(), a low-level function used to check if a given elliptic curve point is valid, was supposed to reject points that aren't in the main cryptographic group, but some points were slipping through.
Mailpit author reports:
A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources.
The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.
net-snmp development team reports:
A specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash.
The GStreamer Security Center reports:
Multiple out-of-bounds reads in the MIDI parser that can cause crashes for certain input files.