Internet Systems Consortium, Inc. reports:
We corrected an issue in `kea-dhcp4` that caused the server to abort if a client sent a broadcast request with particular options, and Kea failed to find an appropriate subnet for that client. This addresses CVE-2025-40779 [#4055, #4048].
Andy Shaw reports:
When passing values outside of the expected range to QColorTransferGenericFunction it can cause a denial of service, for example, this can happen when passing a specifically crafted ICC profile to QColorSpace::fromICCProfile.
Qt qtwebengine-chromium repo reports:
Backports for 25 security bugs in Chromium:
- CVE-2025-5063: Use after free in Compositing
- CVE-2025-5064: Inappropriate implementation in Background Fetch
- CVE-2025-5065: Inappropriate implementation in FileSystemAccess API
- CVE-2025-5068: Use after free in Blink
- CVE-2025-5280: Out of bounds write in V8
- CVE-2025-5281: Inappropriate implementation in BFCache
- CVE-2025-5283: Use after free in libvpx
- CVE-2025-5419: Out of bounds read and write in V8
- CVE-2025-6191: Integer overflow in V8
- CVE-2025-6192: Use after free in Profiler
- CVE-2025-6554: Type Confusion in V8
- CVE-2025-6556: Insufficient policy enforcement in Loader
- CVE-2025-6557: Insufficient data validation in DevTools
- CVE-2025-6558: Incorrect validation of untrusted input in ANGLE and GPU
- CVE-2025-7656: Integer overflow in V8
- CVE-2025-7657: Use after free in WebRTC
- CVE-2025-8010: Type Confusion in V8
- CVE-2025-8576: Use after free in Extensions
- CVE-2025-8578: Use after free in Cast
- CVE-2025-8580: Inappropriate implementation in Filesystems
- CVE-2025-8582: Insufficient validation of untrusted input in DOM
- CVE-2025-8879: Heap buffer overflow in libaom
- CVE-2025-8880: Race in V8
- CVE-2025-8881: Inappropriate implementation in File Picker
- CVE-2025-8901: Out of bounds write in ANGLE
cve@mitre.org reports:
In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect.
perl-catalyst project reports:
Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs.* Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616.
security@mozilla.org reports:
Memory safety bugs present in Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Spoofing issue in the Address Bar component.
security@mozilla.org reports:
'Denial-of-service due to out-of-memory in the Graphics: WebRender component.'
security@mozilla.org reports:
Uninitialized memory in the JavaScript Engine component.
security@mozilla.org reports:
'Same-origin policy bypass in the Graphics: Canvas2D component.'
security@mozilla.org reports:
An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process.
F5 reports:
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header.
Chrome Releases reports:
This update includes 6 security fixes:
- [432035817] High CVE-2025-8879: Heap buffer overflow in libaom. Reported by Anonymous on 2025-07-15
- [433533359] High CVE-2025-8880: Race in V8. Reported by Seunghyun Lee (@0x10n) on 2025-07-23
- [435139154] High CVE-2025-8901: Out of bounds write in ANGLE. Reported by Google Big Sleep on 2025-07-30
- [433800617] Medium CVE-2025-8881: Inappropriate implementation in File Picker. Reported by Alesandro Ortiz on 2025-07-23
- [435623339] Medium CVE-2025-8882: Use after free in Aura. Reported by Umar Farooq on 2025-08-01
PostgreSQL project reports:
Tighten security checks in planner estimation functions.
Prevent pg_dump scripts from being used to attack the user running the restore.
Convert newlines to spaces in names included in comments in pg_dump output.
Gitlab reports:
Cross-site scripting issue in blob viewer impacts GitLab CE/EE
Cross-site scripting issue in labels impacts GitLab CE/EE
Cross-site scripting issue in Workitem impacts GitLab CE/EE
Improper Handling of Permissions issue in project API impacts GitLab CE/EE
Incorrect Privilege Assignment issue in delete issues operation impacts GitLab CE/EE
Allocation of Resources Without Limits issue in release name creation impacts GitLab CE/EE
Incorrect Authorization issue in jobs API impacts GitLab CE/EE
Authorization issue in Merge request approval policy impacts GitLab EE
Inefficient Regular Expression Complexity issue in wiki impacts GitLab CE/EE
Allocation of Resources Without Limits issue in Mattermost integration impacts GitLab CE/EE
Incorrect Permission Assignment issue in ID token impacts GitLab CE/EE
Insufficient Access Control issue in IP Restriction impacts GitLab EE
Varnish Development Team reports:
A denial of service attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker can create a large number of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for the session, causing the Varnish server to consume unnecessary resources processing requests for which the response will not be delivered.
This attack is a variant of the HTTP/2 Rapid Reset Attack, which was partially handled as VSV00013.
p5-Authen-SASL project reports:
Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely.
The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
According to RFC 2831, The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy.
Chrome Releases reports:
This update includes 12 security fixes:
- [414760982] Medium CVE-2025-8576: Use after free in Extensions. Reported by asnine on 2025-04-30
- [384050903] Medium CVE-2025-8577: Inappropriate implementation in Picture In Picture. Reported by Umar Farooq on 2024-12-14
- [423387026] Medium CVE-2025-8578: Use after free in Cast. Reported by Fayez on 2025-06-09
- [407791462] Low CVE-2025-8579: Inappropriate implementation in Gemini Live in Chrome. Reported by Alesandro Ortiz on 2025-04-02
- [411544197] Low CVE-2025-8580: Inappropriate implementation in Filesystems. Reported by Huuuuu on 2025-04-18
- [416942878] Low CVE-2025-8581: Inappropriate implementation in Extensions. Reported by Vincent Dragnea on 2025-05-11
- [40089450] Low CVE-2025-8582: Insufficient validation of untrusted input in DOM. Reported by Anonymous on 2017-10-31
- [373794472] Low CVE-2025-8583: Inappropriate implementation in Permissions. Reported by Shaheen Fazim on 2024-10-16
The Apache httpd project reports:
'RewriteCond expr' always evaluates to true in 2.4.64.
An integer overflow in the archive_read_format_rar_seek_data() function may lead to a double free problem.
Exploiting a double free vulnerability can cause memory corruption. This in turn could enable a threat actor to execute arbitrary code. It might also result in denial of service.
cve-coordination@google.com reports:
An integer overflow can be triggered in SQLites `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.
Deluan Quintão reports:
A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings.
cve-coordination@google.com reports:
An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process memory via a crafted SELECT statement with a large number of expressions in the ORDER BY clause.
Lib-Crypt-CBC project reports:
Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. This issue affects operating systems where "/dev/urandom'" is unavailable. In that case, Crypt::CBC will fallback to use the insecure rand() function.
cmpilato reports:
The ViewVC standalone web server (standalone.py) is a script provided in the ViewVC distribution for the purposes of quickly testing a ViewVC configuration. This script can in particular configurations expose the contents of the host server's filesystem though a directory traversal-style attack.
Manu reports:
The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.
An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.
This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.
security@mozilla.org reports:
Memory safety bugs present in Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
Focus incorrectly truncated URLs towards the beginning instead of around the origin.
security@mozilla.org reports:
Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
In some cases search terms persisted in the URL bar even after navigating away from the search page.
security@mozilla.org reports:
Thunderbird ignored paths when checking the validity of navigations in a frame.
security@mozilla.org reports:
Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute.
security@mozilla.org reports:
Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding.
security@mozilla.org reports:
Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref.
security@mozilla.org reports:
XSLT document loading did not correctly propagate the source document which bypassed its CSP.
security@mozilla.org reports:
The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials.
security@mozilla.org reports:
Insufficient escaping in the Copy as cURL feature could potentially be used to trick a user into executing unexpected code.
security@mozilla.org reports:
Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags.
security@mozilla.org reports:
On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address.
security@mozilla.org reports:
On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits.
cve@mitre.org reports:
A flaw exists in gdk-pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution.
PowerDNS Team reports:
An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version include various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and enforcing stricter validation of the received answers. The most strict mitigation done when the new setting outgoing.edns_subnet_harden (old style name edns-subnet-harden) is enabled.
Gitlab reports:
Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE
Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE using CDNs
Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE
Improper Access Control issue impacts GitLab EE
Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE
Improper Access Control issue impacts GitLab CE/EE
cve-coordination@google.com reports:
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue.
security-advisories@github.com reports:
7-Zip is a file archiver with a high compression ratio. Zeroes written outside heap buffer in RAR5 handler may lead to memory corruption and denial of service in versions of 7-Zip prior to 25.0.0. Version 25.0.0 contains a fix for the issue.
WasmTime development team reports:
A bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder).
sep@nlnetlabs.nl reports:
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.
The OpenQuantumSafe project reports:
Secret-dependent branching in HQC reference implementation when compiled with Clang 17-20 for optimizations above -O0
Daiki Ueno reports:
- libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps Spotted by oss-fuzz and reported by OpenAI Security Research Team, and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1, CVSS: medium] [CVE-2025-32989]
- libgnutls: Fix double-free upon error when exporting otherName in SAN Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2, CVSS: low] [CVE-2025-32988]
- certtool: Fix 1-byte write buffer overrun when parsing template Reported by David Aitel. [GNUTLS-SA-2025-07-07-3, CVSS: low] [CVE-2025-32990]
- libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium] [CVE-2025-6395]
Alan Coopersmith reports:
On 6/16/25 15:12, Alan Coopersmith wrote:
BTW, users of libxml2 may also be using its sibling project, libxslt, which currently has no active maintainer, but has three unfixed security issues reported against it according to https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt
2 of the 3 have now been disclosed:
(CVE-2025-7424) libxslt: Type confusion in xmlNode.psvi between stylesheet and source nodes
https://gitlab.gnome.org/GNOME/libxslt/-/issues/139 https://project-zero.issues.chromium.org/issues/409761909(CVE-2025-7425) libxslt: heap-use-after-free in xmlFreeID caused by `atype` corruption
https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
https://project-zero.issues.chromium.org/issues/410569369Engineers from Apple & Google have proposed patches in the GNOME gitlab issues, but neither has had a fix applied to the git repo since there is currently no maintainer for libxslt.
Note that a fourth vulnerability was reported on June 18, 2025, which remains undisclosed to date (GNOME libxslt issue 148, link below), see https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt
Alan Coopersmith reports:
As discussed in https://gitlab.gnome.org/GNOME/libxml2/-/issues/913 the security policy of libxml2 has been changed to disclose vulnerabilities before fixes are available so that people other than the maintainer can contribute to fixing security issues in this library.
As part of this, the following 5 CVE's have been disclosed recently:
(CVE-2025-49794) Heap use after free (UAF) leads to Denial of service (DoS) https://gitlab.gnome.org/GNOME/libxml2/-/issues/931 [...]
(CVE-2025-49795) Null pointer dereference leads to Denial of service (DoS) https://gitlab.gnome.org/GNOME/libxml2/-/issues/932 [...]
(CVE-2025-49796) Type confusion leads to Denial of service (DoS) https://gitlab.gnome.org/GNOME/libxml2/-/issues/933 [...]
For all three of the above, note that upstream is considering removing Schematron support completely, as discussed in https://gitlab.gnome.org/GNOME/libxml2/-/issues/935.
(CVE-2025-6021) Integer Overflow Leading to Buffer Overflow in xmlBuildQName() https://gitlab.gnome.org/GNOME/libxml2/-/issues/926 [...]
(CVE-2025-6170) Stack-based Buffer Overflow in xmllint Shell https://gitlab.gnome.org/GNOME/libxml2/-/issues/941 [...]
The mod_http2 project reports:
a client can increase memory consumption for a HTTP/2 connection via repeated request header names,leading to denial of service
certain proxy configurations whith mod_proxy_http2 as the backend, an assertion can be triggered by certain requests, leading to denial of service
The Apache httpd project reports:
moderate: Apache HTTP Server: HTTP response splitting (CVE-2024-42516)
low: Apache HTTP Server: SSRF with mod_headers setting Content-Type header (CVE-2024-43204)
moderate: Apache HTTP Server: SSRF on Windows due to UNC paths (CVE-2024-43394)
low: Apache HTTP Server: mod_ssl error log variable escaping (CVE-2024-47252)
moderate: Apache HTTP Server: mod_ssl access control bypass with session resumption (CVE-2025-23048)
low: Apache HTTP Server: mod_proxy_http2 denial of service (CVE-2025-49630)
moderate: Apache HTTP Server: mod_ssl TLS upgrade attack (CVE-2025-49812)
moderate: Apache HTTP Server: HTTP/2 DoS by Memory Increase (CVE-2025-53020)
security@apache.org reports:
A race condition on connection close could trigger a JVM crash when using the APR/Native connector leading to a DoS. This was particularly noticeable with client initiated closes of HTTP/2 connections.
An uncontrolled resource consumption vulnerability if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams could result in a DoS.
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability could lead to a DoS via bypassing of size limits.
Gitlab reports:
Cross-site scripting issue impacts GitLab CE/EE
Improper authorization issue impacts GitLab CE/EE
Improper authorization issue impacts GitLab EE
Improper authorization issue impacts GitLab EE
Git development team reports:
CVE-2025-27613: Gitk: When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not.
CVE-2025-27614: Gitk: A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking `gitk filename`, where `filename` has a particular structure.
CVE-2025-46835: Git GUI: When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file.
CVE-2025-48384: Git: When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout.
CVE-2025-48385: Git: When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution.
CVE-2025-48386: Git: The wincred credential helper uses a static buffer (`target`) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with `wcsncat()`, leading to potential buffer overflows.
cna@mongodb.com reports:
MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. Required Configuration: This affects MongoDB sharded clusters when configured with load balancer support for mongos using HAProxy on specified ports.
cna@mongodb.com reports:
An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation.
cna@mongodb.com reports:
MongoDB Server may be susceptible to disruption caused by high memory usage, potentially leading to server crash. This condition is linked to inefficiencies in memory management related to internal operations. In scenarios where certain internal processes persist longer than anticipated, memory consumption can increase, potentially impacting server stability and availability.
cna@mongodb.com reports:
An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered.
security-advisories@github.com reports:
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.
@julienperriercornet reports:
An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service.
Seunghyun Lee reports:
An authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution.
Simcha Kosman & CyberArk Labs reports:
A user can run the {redis,valkeyu}-check-aof cli and pass a long file path to trigger a stack buffer overflow, which may potentially lead to remote code execution.
A worker thread could free its input buffer after decoding, while the main thread might still be writing to it. This leads to an use-after-free condition on heap memory.
An attacker may use specifically crafted .xz file to cause multi-threaded xz decoder to crash, or potentially run arbitrary code under the credential the decoder was executed.
GStreamer Security Center reports:
It is possible for a malicious third party to trigger a buffer overflow that can result in a crash of the application and possibly also allow code execution through stack manipulation.
security@mozilla.org reports:
An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools.
When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding.
If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors".
The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP.
If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable.
Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed.
When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack.
security@mozilla.org reports:
An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
php.net reports:
- CVE-2025-1735: pgsql extension does not check for errors during escaping
- CVE-2025-6491: NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix
- CVE-2025-1220: Null byte termination in hostnames
security@mozilla.org reports:
A use-after-free in FontFaceSet resulted in a potentially exploitable crash.
Chrome Releases reports:
This update includes 1 security fix:
- [427663123] High CVE-2025-6554: Type Confusion in V8.
Chrome Releases reports:
This update includes 11 security fixes:
- [407328533] Medium CVE-2025-6555: Use after free in Animation. Reported by Lyra Rebane (rebane2001) on 2025-03-30
- [40062462] Low CVE-2025-6556: Insufficient policy enforcement in Loader. Reported by Shaheen Fazim on 2023-01-02
- [406631048] Low CVE-2025-6557: Insufficient data validation in DevTools. Reported by Ameen Basha M K on 2025-03-27
Todd C. Miller reports, crediting Rich Mirch from Stratascale Cyber Research Unit (CRU):
Sudo 1.9.17p1:
- Fixed CVE-2025-32462. Sudo's -h (--host) option could be specified when running a command or editing a file. This could enable a local privilege escalation attack if the sudoers file allows the user to run commands on a different host. For more information, see Local Privilege Escalation via host option.
- Fixed CVE-2025-32463. An attacker can leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file. The chroot support has been deprecated an will be removed entirely in a future release. For more information, see Local Privilege Escalation via chroot option.
The X.Org project reports:
- CVE-2025-49176: Integer overflow in Big Requests Extension
The Big Requests extension allows requests larger than the 16-bit length limit. It uses integers for the request length and checks for the size not to exceed the maxBigRequestSize limit, but does so after translating the length to integer by multiplying the given size in bytes by 4. In doing so, it might overflow the integer size limit before actually checking for the overflow, defeating the purpose of the test.
The X.Org project reports:
- CVE-2025-49175: Out-of-bounds access in X Rendering extension (Animated cursors)
The X Rendering extension allows creating animated cursors providing a list of cursors. By default, the Xserver assumes at least one cursor is provided while a client may actually pass no cursor at all, which causes an out-of-bound read creating the animated cursor and a crash of the Xserver.
- CVE-2025-49177: Data leak in XFIXES Extension 6 (XFixesSetClientDisconnectMode)
The handler of XFixesSetClientDisconnectMode does not check the client request length. A client could send a shorter request and read data from a former request.
- CVE-2025-49178: Unprocessed client request via bytes to ignore
When reading requests from the clients, the input buffer might be shared and used between different clients. If a given client sends a full request with non-zero bytes to ignore, the bytes to ignore may still be non-zero even though the request is full, in which case the buffer could be shared with another client who's request will not be processed because of those bytes to ignore, leading to a possible hang of the other client request.
- CVE-2025-49179: Integer overflow in X Record extension
The RecordSanityCheckRegisterClients() function in the X Record extension implementation of the Xserver checks for the request length, but does not check for integer overflow. A client might send a very large value for either the number of clients or the number of protocol ranges that will cause an integer overflow in the request length computation, defeating the check for request length.
- CVE-2025-49180: Integer overflow in RandR extension (RRChangeProviderProperty)
A client might send a request causing an integer overflow when computing the total size to allocate in RRChangeProviderProperty().
RedHat, Inc. reports:
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.
cna@mongodb.com reports:
An authenticated user may trigger a use after free that may result in MongoDB Server crash and other unexpected behavior, even if the user does not have authorization to shut down a server. The crash is triggered on affected versions by issuing an aggregation framework operation using a specific combination of rarely-used aggregation pipeline expressions. This issue affects MongoDB Server v6.0 version prior to 6.0.21, MongoDB Server v7.0 version prior to 7.0.17 and MongoDB Server v8.0 version prior to 8.0.4 when the SBE engine is enabled.
NVD reports:
Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator.
NVD reports:
The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and server crash.
cna@mongodb.com reports:
MongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of recursion, resulting in excessive stack space consumption. Such inputs can lead to a stack overflow that causes the server to crash which could occur pre-authorisation. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5. The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.
GitHub Security Advisories reports:
Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application_url configuration is unset (default behavior). This allows an attacker to craft a malicious password reset link that leaks the token to an attacker-controlled domain. If a victim (including an administrator) clicks the poisoned link, their account can be taken over. This affects all users who initiate a password reset while application_url is not set.
Gitlab reports:
Denial of Service impacts GitLab CE/EE
Missing Authentication issue impacts GitLab CE/EE
Improper access control issue impacts GitLab CE/EE
Elevation of Privilege impacts GitLab CE/EE
Improper access control issue impacts GitLab EE
Cisco reports:
A vulnerability in the decoding functions of OpenH264 codec library could allow a remote, unauthenticated attacker to trigger a heap overflow. This vulnerability is due to a race condition between a Sequence Parameter Set (SPS) memory allocation and a subsequent non Instantaneous Decoder Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An attacker could exploit this vulnerability by crafting a malicious bitstream and tricking a victim user into processing an arbitrary video containing the malicious bistream. An exploit could allow the attacker to cause an unexpected crash in the victim's user decoding client and, possibly, perform arbitrary commands on the victim's host by abusing the heap overflow.
Cisco reports:
A vulnerability in Universal Disk Format (UDF) processing of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to a memory overread during UDF file scanning. An attacker could exploit this vulnerability by submitting a crafted file containing UDF content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software. For a description of this vulnerability, see the .
Cisco reports:
A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.
Chrome Releases reports:
This update includes 3 security fixes:
- [420697404] High CVE-2025-6191: Integer overflow in V8. Reported by Shaheen Fazim on 2025-05-27
- [421471016] High CVE-2025-6192: Use after free in Profiler. Reported by Chaoyuan Peng (@ret2happy) on 2025-05-31
Deluan reports:
This vulnerability arises due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information.
Grafana Labs reports:
An incident occurred where the DingDing alerting integration URL was inadvertently exposed to viewers due to a setting oversight, which we learned about through a bug bounty report.
The CVSS 3.0 score for this vulnerability is 4.3 (Medium).
Grafana Labs reports:
On April 15, we discovered a vulnerability that stems from the user deletion logic associated with organization administrators. An organization admin could remove any user from the specific organization they manage. Additionally, they have the power to delete users entirely from the system if they have no other org membership. This leads to two situations:
- They can delete a server admin if the organization the Organization Admin manages is the server admin’s final organizational membership.
- They can delete any user (regardless of whether they are a server admin or not) if that user currently belongs to no organizations.
These two situations allow an organization manager to disrupt instance-wide activity by continually deleting server administrators if there is only one organization or if the server administrators are not part of any organization.
The CVSS score for this vulnerability is 5.5 Medium.
security@mozilla.org reports:
CVE-2025-49709: Certain canvas operations could have lead to memory corruption.
CVE-2025-49710: An integer overflow was present in `OrderedHashTable` used by the JavaScript engine.
Chrome Releases reports:
This update includes 2 security fixes:
- [$8000][420150619] High CVE-2025-5958: Use after free in Media. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2025-05-25
- [NA][422313191] High CVE-2025-5959: Type Confusion in V8. Reported by Seunghyun Lee as part of TyphoonPWN 2025 on 2025-06-04
Chrome Releases reports:
This update includes 3 security fixes:
- [420636529] High CVE-2025-5419: Out of bounds read and write in V8. Reported by Clement Lecigne and Benoît Sevens of Google Threat Analysis Group on 2025-05-27. This issue was mitigated on 2025-05-28 by a configuration change pushed out to Stable across all Chrome platforms.
- [409059706] Medium CVE-2025-5068: Use after free in Blink. Reported by Walkman on 2025-04-07
security@mozilla.org reports:
Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird < 128.10.
Webmin reports:
A less-privileged Webmin user can execute commands as root via a vulnerability in the shell autocomplete feature.
secalert@redhat.com reports:
A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.
secalert@redhat.com reports:
A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.
Gitlab reports:
HTML injection impacts GitLab CE/EE
Cross-site scripting issue impacts GitLab CE/EE
Missing authorization issue impacts GitLab Ultimate EE
Denial of Service impacts GitLab CE/EE
Denial of Service via unbounded Webhook token names impacts GitLab CE/EE
Denial of Service via unbounded Board Names impacts GitLab CE/EE
Information disclosure issue impacts GitLab CE/EE
Denial of Service (DoS) via uncontrolled HTTP Response Processing impacts GitLab CE/EE
Information disclosure via authorization bypass impacts GitLab CE/EE
Sensitive information disclosure via Group IP restriction bypass
PostgreSQL JDBC Driver project reports:
Client Allows Fallback to Insecure Authentication Despite channelBinding=require configuration. Fix channel binding required handling to reject non-SASL authentication Previously, when channel binding was set to "require", the driver would silently ignore this requirement for non-SASL authentication methods. This could lead to a false sense of security when channel binding was explicitly requested but not actually enforced. The fix ensures that when channel binding is set to "require", the driver will reject connections that use non-SASL authentication methods or when SASL authentication has not completed properly.
security-advisories@github.com reports:
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.
security-advisories@github.com reports:
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.
security@mozilla.org reports:
A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page.
security@mozilla.org reports:
Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks.
security@mozilla.org reports:
Due to insufficient escaping of the newline character in the Copy as cURL feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
security@mozilla.org reports:
Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks.
chrome-cve-admin@google.com reports:
Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2025-5419.
Roundcube Webmail reports:
Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v
zdi-disclosures@trendmicro.com reports:
GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of FLI files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25100.
zdi-disclosures@trendmicro.com reports:
GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XWD files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25082.
curl security team reports:
CVE-2025-5025: No QUIC certificate pinning with wolfSSL
CVE-2025-4947: QUIC certificate check skip with wolfSSL
cve@mitre.org reports:
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.
cve@mitre.org reports:
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.
cve@mitre.org reports:
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.
Chrome Releases reports:
This update includes 11 security fixes:
- [411573532] High CVE-2025-5063: Use after free in Compositing. Reported by Anonymous on 2025-04-18
- [417169470] High CVE-2025-5280: Out of bounds write in V8. Reported by [pwn2car] on 2025-05-12
- [40058068] Medium CVE-2025-5064: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-11-29
- [40059071] Medium CVE-2025-5065: Inappropriate implementation in FileSystemAccess API. Reported by NDevTK on 2022-03-11
- [356658477] Medium CVE-2025-5066: Inappropriate implementation in Messages. Reported by Mohit Raj (shadow2639) on 2024-07-31
- [417215501] Medium CVE-2025-5281: Inappropriate implementation in BFCache. Reported by Jesper van den Ende (Pelican Party Studios) on 2025-05-12
- [419467315] Medium CVE-2025-5283: Use after free in libvpx. Reported by Mozilla on 2025-05-22
- [40075024] Low CVE-2025-5067: Inappropriate implementation in Tab Strip. Reported by Khalil Zhani on 2023-10-17
chrome-cve-admin@google.com reports:
Use after free in Compositing in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
security@mozilla.org reports:
Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code.
security@mozilla.org reports:
Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled.
security@mozilla.org reports:
Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks.
security@mozilla.org reports:
Memory safety bugs present in Firefox 138 and Thunderbird 138. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security-advisories@github.com reports:
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.
The traefik project reports:
There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it's possible to target a backend, exposed using another router, by-passing the middlewares chain.
security-advisories@github.com reports:
CVE-2024-11955: A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.0.18 is able to address this issue. It is recommended to upgrade the affected component.
CVE-2025-23024: Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.
CVE-2025-23046: Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.
CVE-2025-25192: Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.
CVE-2025-21626: Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the `status.php` file, restrict its access, or remove any sensitive values from the `name` field of the active LDAP directories, mail servers authentication providers and mail receivers.
CVE-2025-21627: In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If the anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user. Version 10.0.18 contains a fix for the issue.
CVE-2025-21619: An administrator user can perfom a SQL injection through the rules configuration forms. This vulnerability is fixed in 10.0.18.
CVE-2025-24799: An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18.
CVE-2025-24801: An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18.
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2025-4609.
- Security: backported fix for CVE-2025-4664.
Internet Systems Consortium, Inc. reports:
- Loading a malicious hook library can lead to local privilege escalation https://kb.isc.org/docs/cve-2025-32801
- Insecure handling of file paths allows multiple local attacks https://kb.isc.org/docs/cve-2025-32802
- Insecure file permissions can result in confidential information leakage https://kb.isc.org/docs/cve-2025-32803
security@grafana.com reports:
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.
cna@python.org reports:
There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.
The OpenSSL project reports:
The x509 application adds trusted use instead of rejected use (low)
security@mozilla.org reports:
A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition.
Gitlab reports:
Unprotected large blob endpoint in GitLab allows Denial of Service
Improper XPath validation allows modified SAML response to bypass 2FA requirement
A Discord webhook integration may cause DoS
Unbounded Kubernetes cluster tokens may lead to DoS
Unvalidated notes position may lead to Denial of Service
Hidden/masked variables may get exposed in the UI
Two-factor authentication requirement bypass
View full email addresses that should be partially obscured
Branch name confusion in confidential MRs
Unauthorized access to job data via a GraphQL query
The screen project reports:
Multiple security issues in screen.
security@mozilla.org reports:
An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes.
The Weechat project reports:
Multiple integer and buffer overflows in WeeChat core.
Chrome Releases reports:
This update includes 4 security fixes:
- [415810136] High CVE-2025-4664: Insufficient policy enforcement in Loader. Source: X post from @slonser_ on 2025-05-05
- [412578726] High CVE-2025-4609: Incorrect handle provided in unspecified circumstances in Mojo. Reported by Micky on 2025-04-22
security@mozilla.org reports:
Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code.
VSCode developers report:
A security feature bypass vulnerability exists in VS Code 1.100.0 and earlier versions where a maliciously crafted URL could be considered trusted when it should not have due to how VS Code handled glob patterns in the trusted domains feature. When paired with the #fetch tool in Chat, this scenario would require the attacker to convince an LLM (via prompt injection) to fetch the maliciously crafted URL but when fetched, the user would have no moment to confirm the flighting of the request.
xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.
numbers.c in libxslt before 1.1.43 has a use-after-free because , in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.
The Varnish Development Team reports:
A client-side desync vulnerability can be triggered in Varnish Cache and Varnish Enterprise. This vulnerability can be triggered under specific circumstances involving malformed HTTP/1 requests.
An attacker can abuse a flaw in Varnish's handling of chunked transfer encoding which allows certain malformed HTTP/1 requests to exploit improper framing of the message body to smuggle additional requests. Specifically, Varnish incorrectly permits CRLF to be skipped to delimit chunk boundaries.
security@mozilla.org reports:
Memory safety bugs present in Firefox 137 and Thunderbird 137. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
security@mozilla.org reports:
A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins.
security@mozilla.org reports:
A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption.
security@mozilla.org reports:
An attacker with control over a content process could potentially leverage the privileged UITour actor to leak sensitive information or escalate privileges.
security@mozilla.org reports:
A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape.
Gitlab reports:
Partial Bypass for Device OAuth flow using Cross Window Forgery
Denial of service by abusing Github import API
Group IP restriction bypass allows disclosing issue title of restricted project
PostgreSQL project reports:
A buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.
Chrome Releases reports:
This update includes 2 security fixes:
- [412057896] Medium CVE-2025-4372: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2025-04-20
Chrome Releases reports:
This update includes 8 security fixes:
- [409911705] High CVE-2025-4096: Heap buffer overflow in HTML. Reported by Anonymous on 2025-04-11
- [409342999] Medium CVE-2025-4050: Out of bounds memory access in DevTools. Reported by Anonymous on 2025-04-09
- [404000989] Medium CVE-2025-4051: Insufficient data validation in DevTools. Reported by Daniel Fröjdendahl on 2025-03-16
- [401927528] Low CVE-2025-4052: Inappropriate implementation in DevTools. Reported by vanillawebdev on 2025-03-10
cve@mitre.org reports:
FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
security@open-xchange.com reports:
When DNSdist is configured to provide DoH via the nghttp2provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.9 version. A workaround is to temporarily switch to the h2o provider until DNSdist has been upgraded to a fixed version. We would like to thank Charles Howes for bringing this issue to our attention.
PowerDNS Team reports:
PowerDNS Security Advisory 2025-01: A crafted zone can lead to an illegal memory access in the Recursor
cve@mitre.org reports:
In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory.
h11 reports:
h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.
Grafana Labs reports:
This vulnerability, which was discovered while reviewing a pull request from an external contributor, effects Grafana’s data source proxy API and allows authorization checks to be bypassed by adding an extra slash character (/) in the URL path. Among Grafana-maintained data sources, the vulnerability only affects the read paths of Prometheus (all flavors) and Alertmanager when configured with basic authorization.
The CVSS score for this vulnerability is 5.0 MEDIUM.
Grafana Labs reports:
During the development of a new feature in Grafana 11.6.x, a security vulnerability was introduced that allows for Viewers and Editors to bypass dashboard-specific permissions. As a result, users with the Viewer role could view all the dashboards within their org and users with the Editor role could view, edit, and delete all the dashboards in their org.
Note: Organization isolation boundaries still apply, which means viewers and editors in one organization cannot view or edit dashboards in another org. Also this vulnerability does not allow users to query data via data sources they don’t have access to.
The CVSS score for this vulnerability is 8.3 HIGH.
Grafana Labs reports:
An external security researcher responsibly reported a security vulnerability in Grafana’s built-in XY chart plugin that is vulnerable to a DOM XSS vulnerability.
The CVSS score for this vulnerability is 6.8 MEDIUM.
Axel Mierczuk reports:
By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable.
When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory.
Gitlab reports:
Cross Site Scripting (XSS) in Maven Dependency Proxy through CSP directives
Cross Site Scripting (XSS) in Maven dependency proxy through cache headers
Network Error Logging (NEL) Header Injection in Maven Dependency Proxy Allows Browser Activity Monitoring
Denial of service (DOS) via issue preview
Unauthorized access to branch names when Repository assets are disabled in the project
Chrome Releases reports:
This update includes 1 security fix.
Deluan reports:
In certain Subsonic API endpoints, authentication can be bypassed by using a non-existent username combined with an empty (salted) password hash. This allows read-only access to the server’s resources, though attempts at write operations fail with a “permission denied” error.
security-advisories@github.com reports:
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.
ejabberd team reports:
Fixed issue with handling of user provided occupant-id in messages and presences sent to muc room. Server was replacing just first instance of occupant-id with its own version, leaving other ones untouched. That would mean that depending on order in which clients send occupant-id, they could see value provided by sender, and that could be used to spoof as different sender.
Chrome Releases reports:
This update includes 2 security fixes:
- [409619251] Critical CVE-2025-3619: Heap buffer overflow in Codecs. Reported by Elias Hohl on 2025-04-09
- [405292639] High CVE-2025-3620: Use after free in USB. Reported by @retsew0x01 on 2025-03-21
Chrome Releases reports:
This update includes 2 security fixes:
- [405140652] High CVE-2025-3066: Use after free in Site Isolation. Reported by Sven Dysthe (@svn-dys) on 2025-03-21
element-hq/synapse developers report:
A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild.
Jenkins Security Advisory:
Description
(Medium) SECURITY-3512 / CVE-2025-31720
Missing permission check allows retrieving agent configurations
Description
(Medium) SECURITY-3513 / CVE-2025-31721
Missing permission check allows retrieving secrets from agent configurations
Gitlab reports:
Denial of service via CI pipelines
Unintentionally authorizing sensitive actions on users behalf
IP Restriction Bypass through GraphQL Subscription
Unauthorized users can list the number of confidential issues
Debugging Information Disclosed
secalert@redhat.com reports:
A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.
security@mozilla.org reports:
Memory safety bugs present in Firefox 136 and Thunderbird 136. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Leaking of file descriptors from the fork server to web content processes could allow for privilege escalation attacks.
security@mozilla.org reports:
An attacker could read 32 bits of values spilled onto the stack in a JIT compiled function.
security@mozilla.org reports:
Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack.
security@mozilla.org reports:
JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free.
Chrome Releases reports:
This update includes 13 security fixes:
- [376491759] Medium CVE-2025-3067: Inappropriate implementation in Custom Tabs. Reported by Philipp Beer (TU Wien) on 2024-10-31
- [401823929] Medium CVE-2025-3068: Inappropriate implementation in Intents. Reported by Simon Rawet on 2025-03-09
- [40060076] Medium CVE-2025-3069: Inappropriate implementation in Extensions. Reported by NDevTK on 2022-06-26
- [40086360] Medium CVE-2025-3070: Insufficient validation of untrusted input in Extensions. Reported by Anonymous on 2017-01-01
- [40051596] Low CVE-2025-3071: Inappropriate implementation in Navigations. Reported by David Erceg on 2020-02-23
- [362545037] Low CVE-2025-3072: Inappropriate implementation in Custom Tabs. Reported by Om Apip on 2024-08-27
- [388680893] Low CVE-2025-3073: Inappropriate implementation in Autofill. Reported by Hafiizh on 2025-01-09
- [392818696] Low CVE-2025-3074: Inappropriate implementation in Downloads. Reported by Farras Givari on 2025-01-28
security@mozilla.org reports:
Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Memory safety bugs present in Firefox 133 and Thunderbird 133. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed.
security@mozilla.org reports:
Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash.
security@mozilla.org reports:
Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free.
security@mozilla.org reports:
When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site.
security@mozilla.org reports:
Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash.
security@mozilla.org reports:
The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks.
security@mozilla.org reports:
Memory safety bugs present in Firefox 135 and Thunderbird 135. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
CVE-2025-1938: Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
CVE-2025-1935: A web page could trick a user into setting that site as the default handler for a custom URL protocol.
CVE-2025-1934: It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it.
security@mozilla.org reports:
Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
It was possible to cause a use-after-free in the content process side of a WebTransport connection, leading to a potentially exploitable crash.
security@mozilla.org reports:
On 64-bit CPUs, when the JIT compiles WASM i32 return values they can pick up bits from left over memory. This can potentially cause them to be treated as a different type.
cna@mongodb.com reports:
When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4
cna@mongodb.com reports:
Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to6.0.20 and MongoDB v7.0 versions prior to 7.0.16
cna@mongodb.com reports:
A user authorized to access a view may be able to alter the intended collation, allowing them to access to a different or unintended view of underlying data. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.20, MongoDB Server v7.0 version prior to 7.0.14 and MongoDB Server v7.3 versions prior to 7.3.4.
Gert Doering reports:
OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made to abort with an ASSERT() message by sending a particular combination of authenticated and malformed packets.
To trigger the bug, a valid tls-crypt-v2 client key is needed, or network observation of a handshake with a valid tls-crypt-v2 client key
No crypto integrity is violated, no data is leaked, and no remote code execution is possible.
This bug does not affect OpenVPN clients.
security@golang.org reports:
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.
golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
security@mozilla.org reports:
An inconsistent comparator in xslt/txNodeSorter could have resulted in potentially exploitable out-of-bounds access. Only affected version 122 and later. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.
Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability affects Firefox < 136.
When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string This vulnerability affects Firefox < 136 and Thunderbird < 136.
Websites redirecting to a non-HTTP scheme URL could allow a website address to be spoofed for a malicious page This vulnerability affects Firefox for iOS < 136.
Suricate team reports:
Multiple vulnerabilities
Qt qtwebengine-chromium repo reports:
Backports for 11 security bugs in Chromium:
- CVE-2024-11477: 7-Zip Zstd decompression integer underflow
- CVE-2025-0762: Use after free in DevTools
- CVE-2025-0996: Inappropriate implementation in Browser UI
- CVE-2025-0998: Out of bounds memory access in V8
- CVE-2025-0999: Heap buffer overflow in V8
- CVE-2025-1006: Use after free in Network
- CVE-2025-1426: Heap buffer overflow in GPU
- CVE-2025-1918: Out of bounds read in Pdfium
- CVE-2025-1919: Out of bounds read in Media
- CVE-2025-1921: Inappropriate implementation in Media
- CVE-2025-2036: Use after free in Inspector
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2025-2783.
Gitlab reports:
Cross-site Scripting (XSS) through merge-request error messages
Cross-site Scripting (XSS) through improper rendering of certain file types
Admin Privileges Persists After Role is Revoked
External user can access internal projects
Prompt injection in Amazon Q integration may allow unauthorized actions
Uncontrolled Resource Consumption via a maliciously crafted terraform file in merge request
Maintainer can inject shell code in Harbor project name configuration when using helper scripts
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2025-1920.
Qt qtwebengine-chromium repo reports:
Backports for 1 security bug in Chromium:
- CVE-2024-12694: Use after free in Compositing
The Varnish Development Team reports:
A client-side desync vulnerability can be triggered in Varnish Cache and Varnish Enterprise. This vulnerability can be triggered under specific circumstances involving malformed HTTP/1 requests.
Chrome Releases reports:
This update includes 2 security fixes:
- [401029609] Critical CVE-2025-2476: Use after free in Lens. Reported by SungKwon Lee of Enki Whitehat on 2025-03-05
php.net reports:
- CVE-2024-11235: Core: Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes Use-After-Free).
- CVE-2025-1219: LibXML: Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource).
- CVE-2025-1736: Streams: Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header).
- CVE-2025-1861: Streams: Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes).
- CVE-2025-1734: Streams: Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon).
- CVE-2025-1217: Streams: Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers).
The Shibboleth Project reports:
An updated version of the OpenSAML C++ library is available which corrects a parameter manipulation vulnerability when using SAML bindings that rely on non-XML signatures. The Shibboleth Service Provider is impacted by this issue, and it manifests as a critical security issue in that context.
Parameter manipulation allows the forging of signed SAML messages
A number of vulnerabilities in the OpenSAML library used by the Shibboleth Service Provider allowed for creative manipulation of parameters combined with reuse of the contents of older requests to fool the library's signature verification of non-XML based signed messages.
Most uses of that feature involve very low or low impact use cases without critical security implications; however, there are two scenarios that are much more critical, one affecting the SP and one affecting some implementers who have implemented their own code on top of our OpenSAML library and done so improperly.
The SP's support for the HTTP-POST-SimpleSign SAML binding for Single Sign-On responses is its critical vulnerability, and it is enabled by default (regardless of what one's published SAML metadata may advertise).
The other critical case involves a mistake that does *not* impact the Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding contrary to the plain language of the SAML Browser SSO profile. The SP does not support this, but other implementers may have done so.
Prior to updating, it is possible to mitigate the POST-SimpleSign vulnerability by editing the protocols.xml configuration file and removing this line:
<Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" path="/SAML2/POST-SimpleSign" />
Gitlab reports:
CVE-2025-25291 and CVE-2025-25292 (third party gem ruby-saml)
CVE-2025-27407 (third party gem graphql)
Denial of Service Due to Inefficient Processing of Untrusted Input
Credentials disclosed when repository mirroring fails
Denial of Service Vulnerability in GitLab Approval Rules due to Unbounded Field
Internal Notes in Merge Requests Are Emailed to Non-Members Upon Review Submission
Maintainer can inject shell code in Google integrations
Guest with custom Admin group member permissions can approve the users invitation despite user caps
Vim reports:
See https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf
Chrome Releases reports:
This update includes 5 security fixes:
- [398065918] High CVE-2025-1920: Type Confusion in V8. Reported by Excello s.r.o. on 2025-02-21
- [400052777] High CVE-2025-2135: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2025-03-02
- [401059730] High CVE-TBD: Out of bounds write in GPU. Reported on 2025-03-05
- [395032416] Medium CVE-2025-2136: Use after free in Inspector. Reported by Sakana.S on 2025-02-10
- [398999390] Medium CVE-2025-2137: Out of bounds read in V8. Reported by zeroxiaobai@ on 2025-02-25
security@documentfoundation.org reports:
LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments. This issue affects LibreOffice: from 24.8 before < 24.8.5, from 25.2 before < 25.2.1.
security-advisories@github.com reports:
Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position, however the is not sanitized and is taken literally from the tar archive. This allows to execute shellcommands via special crafted tar archives. Whether this really happens, depends on the shell being used ('shell' option, which is set using $SHELL).
Electron develpers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2025-0445.
- Security: backported fix for CVE-2025-0995.
- Security: backported fix for CVE-2025-0998.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2025-0445.
- Security: backported fix for CVE-2025-0998.
security-advisories@github.com reports:
Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.
The X.Org project reports:
- CVE-2025-26594: Use-after-free of the root cursor
The root cursor is referenced in the xserver as a global variable. If a client manages to free the root cursor, the internal reference points to freed memory and causes a use-after-free.
- CVE-2025-26595: Buffer overflow in XkbVModMaskText()
The code in XkbVModMaskText() allocates a fixed sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code however fails to check the bounds of the buffer correctly and would copy the data regardless of the size, which may lead to a buffer overflow.
- CVE-2025-26596: Heap overflow in XkbWriteKeySyms()
The computation of the length in XkbSizeKeySyms() differs from what is actually written in XkbWriteKeySyms(), which may lead to a heap based buffer overflow.
- CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey()
If XkbChangeTypesOfKey() is called with 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If later, the same function is called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size.
- CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient()
The function GetBarrierDevice() searches for the pointer device based on its device id and returns the matching value, or supposedly NULL if no match was found. However the code will return the last element of the list if no matching device id was found which can lead to out of bounds memory access.
- CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow()
The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error without the validation of the window tree marked just before, which leaves the validate data partly initialized, and the use of an uninitialized pointer later.
- CVE-2025-26600: Use-after-free in PlayReleasedEvents()
When a device is removed while still frozen, the events queued for that device remain while the device itself is freed and replaying the events will cause a use after free.
- CVE-2025-26601: Use-after-free in SyncInitTrigger()
When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object. This can be used to cause a use after free when the alarm eventually triggers.
MITRE Caldera contributor report:
In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. This allows remote attackers to execute arbitrary code on the server that Caldera is running on via a crafted web request to the Caldera server API used for compiling and downloading of Caldera's Sandcat or Manx agent (implants). This web request can use the gcc -extldflags linker flag with sub-commands.
Jenkins Security Advisory:
Description
(Medium) SECURITY-3495 / CVE-2025-27622
Encrypted values of secrets stored in agent configuration revealed to users with Agent/Extended Read permission
Description
(Medium) SECURITY-3496 / CVE-2025-27623
Encrypted values of secrets stored in view configuration revealed to users with View/Read permission
Description
(Medium) SECURITY-3498 / CVE-2025-27624
CSRF vulnerability
Description
(Medium) SECURITY-3501 / CVE-2025-27625
Open redirect vulnerability
security-advisories@github.com reports:
Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.
Chrome Releases reports:
This update includes 14 security fixes:
- [397731718] High CVE-2025-1914: Out of bounds read in V8. Reported by Zhenghang Xiao (@Kipreyyy) and Nan Wang (@eternalsakura13) on 2025-02-20
- [391114799] Medium CVE-2025-1915: Improper Limitation of a Pathname to a Restricted Directory in DevTools. Reported by Topi Lassila on 2025-01-20
- [376493203] Medium CVE-2025-1916: Use after free in Profiles. Reported by parkminchan, SSD Labs Korea on 2024-10-31
- [329476341] Medium CVE-2025-1917: Inappropriate Implementation in Browser UI. Reported by Khalil Zhani on 2024-03-14
- [388557904] Medium CVE-2025-1918: Out of bounds read in PDFium. Reported by asnine on 2025-01-09
- [392375312] Medium CVE-2025-1919: Out of bounds read in Media. Reported by @Bl1nnnk and @Pisanbao on 2025-01-26
- [387583503] Medium CVE-2025-1921: Inappropriate Implementation in Media Stream. Reported by Kaiido on 2025-01-04
- [384033062] Low CVE-2025-1922: Inappropriate Implementation in Selection. Reported by Alesandro Ortiz on 2024-12-14
- [382540635] Low CVE-2025-1923: Inappropriate Implementation in Permission Prompts. Reported by Khalil Zhani on 2024-12-06
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2025-0611.
- Security: backported fix for CVE-2025-0612.
- Security: backported fix for CVE-2025-0999.
SO-AND-SO reports:
Unit 1.34.2 fixes two issues in the Java language module websocket code.
- It addresses a potential security issue where we could get a negative payload length that could cause the Java language module process(es) to enter an infinite loop and consume excess CPU. This was a bug carried over from the initial Java websocket code import. It has been re-issued a CVE number (CVE-2025-1695).
- It addresses an issue whereby decoded payload lengths would be limited to 32 bits.
vim reports:
Summary
Potential code execution with tar.vim and special crafted tar files
Description
Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of (compressed or uncompressed) tar files.
Since commit 129a844 (Nov 11, 2024 runtime(tar): Update tar.vim to support permissions), the tar.vim plugin uses the ":read " ex command line to append below the cursor position, however the is not sanitized and is taken literaly from the tar archive. This allows to execute shell commands via special crafted tar archives. Whether this really happens, depends on the shell being used ('shell' option, which is set using $SHELL).
Impact
Impact is high but a user must be convinced to edit such a file using Vim which will reveal the filename, so a careful user may suspect some strange things going on.
Gitlab reports:
XSS in k8s proxy endpoint
XSS Maven Dependency Proxy
HTML injection leads to XSS on self hosted instances
Improper Authorisation Check Allows Guest User to Read Security Policy
Planner role can read code review analytics in private projects
Chrome Releases reports:
This update includes 1 security fix.
Kevin Backhouse reports:
A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4. Versions prior to v0.28.0, such as v0.27.7, are not affected. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file.
Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as fixiso.
A shell injection vulnerability exists in GNU Emacs due to improper handling of custom man URI schemes.
Initially considered low severity, as it required user interaction with local files, it was later discovered that an attacker could exploit this vulnerability by tricking a user into visiting a specially crafted website or an HTTP URL with a redirect, leading to arbitrary shell command execution without further user action.
An Emacs user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.
cve@mitre.org reports:
Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection.
OpenSSH client host verification error (CVE-2025-26465)
ssh(1) contains a logic error that allows an on-path attacker to impersonate any server during certain conditions when the VerifyHostKeyDNS option is enabled.
OpenSSH server denial of service (CVE-2025-26466)
The OpenSSH client and server are both vulnerable to a memory/CPU denial of service while handling SSH2_MSG_PING packets.
OpenSSH client host verification error (CVE-2025-26465)
Under specific circumstances, a machine-in-the-middle may impersonate any server when the client has the VerifyHostKeyDNS option enabled.
OpenSSH server denial of service (CVE-2025-26466)
During the processing of SSH2_MSG_PING packets, a server may be subject to a memory/CPU denial of service.
Chrome Releases reports:
This update includes 3 security fixes:
- [394350433] High CVE-2025-0999: Heap buffer overflow in V8. Reported by Seunghyun Lee (@0x10n) on 2025-02-04
- [383465163] High CVE-2025-1426: Heap buffer overflow in GPU. Reported by un3xploitable and GF on 2024-12-11
- [390590778] Medium CVE-2025-1006: Use after free in Network. Reported by Tal Keren, Sam Agranat, Eran Rom, Edouard Bochin, Adam Hatsir of Palo Alto Networks on 2025-01-18
Chrome Releases reports:
This update includes 4 security fixes:
- [391907159] High CVE-2025-0995: Use after free in V8. Reported by Popax21 on 2025-01-24
- [391788835] High CVE-2025-0996: Inappropriate implementation in Browser UI. Reported by yuki yamaoto on 2025-01-23
- [391666328] High CVE-2025-0997: Use after free in Navigation. Reported by asnine on 2025-01-23
- [386857213] High CVE-2025-0998: Out of bounds memory access in V8. Reported by Alan Goodman on 2024-12-31
Chrome Releases reports:
This update includes 12 security fixes:
- [390889644] High CVE-2025-0444: Use after free in Skia. Reported by Francisco Alonso (@revskills) on 2025-01-19
- [392521083] High CVE-2025-0445: Use after free in V8. Reported by 303f06e3 on 2025-01-27
- [40061026] Medium CVE-2025-0451: Inappropriate implementation in Extensions API. Reported by Vitor Torres and Alesandro Ortiz on 2022-09-18
VSCode developers report:
The update addresses these issues, including a fix for a security vulnerability.
- Scope node_module binary resolution in js-debug
- Elevation of Privilege Vulnerability with VS Code server for web UI
Graham Northup reports:
A buffer overflow in extract_openvpn_cr allows attackers with a valid LDAP username and who can control the challenge/response password field to pass a string with more than 14 colons into this field and cause a buffer overflow.
The PostgreSQL Project reports:
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
Gitlab reports:
A CSP-bypass XSS in merge-request page
Denial of Service due to Unbounded Symbol Creation
Exfiltrate content from private issues using Prompt Injection
A custom permission may allow overriding Repository settings
Internal HTTP header leak via route confusion in workhorse
SSRF via workspaces
Unauthorized Incident Closure and Deletion by Planner Role in GitLab
ActionCable does not invalidate tokens after revocation
Intel reports:
A potential security vulnerability in some Intel Processors may allow denial of service. Intel released microcode updates to mitigate this potential vulnerability.
A potential security vulnerability in some Intel Software Guard Extensions (Intel SGX) Platforms may allow denial of service. Intel is released microcode updates to mitigate this potential vulnerability.
Potential security vulnerabilities in the UEFI firmware for some Intel Processors may allow escalation of privilege, denial of service, or information disclosure. Intel released UEFI firmware and CPU microcode updates to mitigate these potential vulnerabilities.
A potential security vulnerability in some 13th and 14th Generation Intel Core™ Processors may allow denial of service. Intel released microcode and UEFI reference code updates to mitigate this potential vulnerability.
A potential security vulnerability in the Intel Data Streaming Accelerator (Intel DSA) for some Intel Xeon Processors may allow denial of service. Intel released software updates to mitigate this potential vulnerability.
The OpenSSL project reports:
RFC7250 handshakes with unauthenticated servers don't abort as expected (High). Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set.
security@mozilla.org reports:
A bug in WebAssembly code generation could have lead to a crash. It may have been possible for an attacker to leverage this to achieve code execution.
A race condition could have led to private browsing tabs being opened in normal browsing windows. This could have resulted in a potential privacy leak.
Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed.
Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Memory safety bugs present in Firefox 134 and Thunderbird 134. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack.
security@mozilla.org reports:
An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash.
An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash.
A race during concurrent delazification could have led to a use-after-free.
Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the Other field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript.
MariaDB reports:
Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Sam Hocevar reports:
Multiple memory leaks and invalid memory accesses:
- CVE-2018-20545: Illegal WRITE memory access at common-image.c
- CVE-2018-20546: Illegal READ memory access at caca/dither.c
- CVE-2018-20547: Illegal READ memory access at caca/dither.c
- CVE-2018-20548: Illegal WRITE memory access at common-image.c
- CVE-2018-20549: Illegal WRITE memory access at caca/file.c
- CVE-2021-3410: Buffer overflow in libcaca/caca/canvas.c in function caca_resize
- CVE-2021-30498: Heap buffer overflow in export.c in function export_tga
- CVE-2021-30499: Buffer overflow in export.c in function export_troff
Cacti repo reports:
- security #GHSA-c5j8-jxj3-hh36: Authenticated RCE via multi-line SNMP responses
- security #GHSA-f9c7-7rc3-574c: SQL Injection vulnerability when using tree rules through Automation API
- security #GHSA-fh3x-69rr-qqpp: SQL Injection vulnerability when request automation devices
- security #GHSA-fxrq-fr7h-9rqq: Arbitrary File Creation leading to RCE
- security #GHSA-pv2c-97pp-vxwg: Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path
- security #GHSA-vj9g-p7f2-4wqj: SQL Injection vulnerability when view host template
The nginx development team reports:
This update fixes the SSL session reuse vulnerability.
Qt qtwebengine-chromium repo reports:
Backports for 9 security bugs in Chromium:
- CVE-2024-12693: Out of bounds memory access in V8
- CVE-2024-12694: Use after free in Compositing
- CVE-2025-0436: Integer overflow in Skia
- CVE-2025-0437: Out of bounds read in Metrics
- CVE-2025-0438: Stack buffer overflow in Tracing
- CVE-2025-0441: Inappropriate implementation in Fenced Frames
- CVE-2025-0443: Insufficient data validation in Extensions
- CVE-2025-0447: Inappropriate implementation in Navigation
- CVE-2025-0611: Object corruption in V8
Chrome Releases reports:
This update includes 2 security fixes:
- [384844003] Medium CVE-2025-0762: Use after free in DevTools. Reported by Sakana.S on 2024-12-18
Dendrite team reports:
This is a security release, gomatrixserverlib was vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions.
In some cases, the ktrace facility will log the contents of kernel structures to userspace. In one such case, ktrace dumps a variable-sized sockaddr to userspace. There, the full sockaddr is copied, even when it is shorter than the full size. This can result in up to 14 uninitialized bytes of kernel memory being copied out to userspace.
It is possible for an unprivileged userspace program to leak 14 bytes of a kernel heap allocation to userspace.
When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd.
An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved.
In order to export a file system via NFS, the file system must define a file system identifier (FID) for all exported files. Each FreeBSD file system implements operations to translate between FIDs and vnodes, the kernel's in-memory representation of files. These operations are VOP_VPTOFH(9) and VFS_FHTOVP(9).
On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack buffer overflow.
A NFS server that exports a cd9660, tarfs, or ext2fs file system can be made to panic by mounting and accessing the export with an NFS client. Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, though this has not been demonstrated. In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic.
A logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective.
A passive observer could detect which network packets contain real keystrokes, and infer the specific characters being transmitted from packet timing.
Golang reports:
This update include security fixes:
- CVE-2024-45338: Non-linear parsing of case-insensitive content
The Vaultwarden project reports:
RCE in the admin panel.
Getting access to the Admin Panel via CSRF.
Escalation of privilege via variable confusion in OrgHeaders trait.
Chrome Releases reports:
This update includes 3 security fixes:
- [386143468] High CVE-2025-0611: Object corruption in V8. Reported by 303f06e3 on 2024-12-26
- [385155406] High CVE-2025-0612: Out of bounds memory access in V8. Reported by Alan Goodman on 2024-12-20
Chrome Releases reports:
This update includes 16 security fixes:
- [374627491] High CVE-2025-0434: Out of bounds memory access in V8. Reported by ddme on 2024-10-21
- [379652406] High CVE-2025-0435: Inappropriate implementation in Navigation. Reported by Alesandro Ortiz on 2024-11-18
- [382786791] High CVE-2025-0436: Integer overflow in Skia. Reported by Han Zheng (HexHive) on 2024-12-08
- [378623799] High CVE-2025-0437: Out of bounds read in Metrics. Reported by Xiantong Hou of Wuheng Lab and Pisanbao on 2024-11-12
- [384186539] High CVE-2025-0438: Stack buffer overflow in Tracing. Reported by Han Zheng (HexHive) on 2024-12-15
- [371247941] Medium CVE-2025-0439: Race in Frames. Reported by Hafiizh on 2024-10-03
- [40067914] Medium CVE-2025-0440: Inappropriate implementation in Fullscreen. Reported by Umar Farooq on 2023-07-22
- [368628042] Medium CVE-2025-0441: Inappropriate implementation in Fenced Frames. Reported by someoneverycurious on 2024-09-21
- [40940854] Medium CVE-2025-0442: Inappropriate implementation in Payments. Reported by Ahmed ElMasry on 2023-11-08
- [376625003] Medium CVE-2025-0443: Insufficient data validation in Extensions. Reported by Anonymous on 2024-10-31
- [359949844] Low CVE-2025-0446: Inappropriate implementation in Extensions. Reported by Hafiizh on 2024-08-15
- [375550814] Low CVE-2025-0447: Inappropriate implementation in Navigation. Reported by Khiem Tran (@duckhiem) on 2024-10-25
- [377948403] Low CVE-2025-0448: Inappropriate implementation in Compositing. Reported by Dahyeon Park on 2024-11-08
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-12693.
- Security: backported fix for CVE-2024-12694.
- Security: backported fix for CVE-2024-12695.
- Security: backported fix for CVE-2025-0434.
- Security: backported fix for CVE-2025-0436.
- Security: backported fix for CVE-2025-0437.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2025-0434.
- Security: backported fix for CVE-2025-0436.
- Security: backported fix for CVE-2025-0437.
Gitlab reports:
Stored XSS via Asciidoctor render
Developer could exfiltrate protected CI/CD variables via CI lint
Cyclic reference of epics leads resource exhaustion
The ClamAV project reports:
A possible buffer overflow read bug is found in the OLE2 file parser that could cause a denial-of-service (DoS) condition.
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-12053.
The Go project reports:
crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.
net/http: sensitive headers incorrectly sent after cross-domain redirect
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-12053.
- Security: backported fix for CVE-2024-12693.
- Security: backported fix for CVE-2024-12694.
Filippo Valsorda reports:
A plugin name containing a path separator may allow an attacker to execute an arbitrary binary.
Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the plugin.NewIdentity, plugin.NewIdentityWithoutData, or plugin.NewRecipient APIs.
Frank Lichtenheld reports:
[OpenVPN v2.6.13 ...] improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN - this would not result in a crash, buffer overflow or other security issues, but the server would then misparse incoming IV variables and produce misleading error messages.
rsync reports:
This update includes multiple security fixes:
- CVE-2024-12084: Heap Buffer Overflow in Checksum Parsing
- CVE-2024-12085: Info Leak via uninitialized Stack contents defeats ASLR
- CVE-2024-12086: Server leaks arbitrary client files
- CVE-2024-12087: Server can make client write files outside of destination directory using symbolic links
- CVE-2024-12088: --safe-links Bypass
- CVE-2024-12747: symlink race condition
Git development team reports:
CVE-2024-50349: Printing unsanitized URLs when asking for credentials made the user susceptible to crafted URLs (e.g. in recursive clones) that mislead the user into typing in passwords for trusted sites that would then be sent to untrusted sites instead.
CVE-2024-52006: Git may pass on Carriage Returns via the credential protocol to credential helpers which use line-reading functions that interpret said Carriage Returns as line endings, even though Git did not intend that.
Keycloak reports:
This update includes 2 security fixes:
- CVE-2024-11734: Unrestricted admin use of system and environment variables
- CVE-2024-11736: Denial of Service in Keycloak Server via Security Headers
cve@mitre.org reports:
An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to execute a path traversal.
Redis core team reports:
An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service.The problem exists in Redis 7.0.0 or newer.
Redis core team reports:
An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting.
Gitlab reports:
Possible access token exposure in GitLab logs
Cyclic reference of epics leads resource exhaustion
Unauthorized user can manipulate status of issues in public projects
Instance SAML does not respect external_provider configuration