Advisory ROSA-SA-2026-3304

Software: mupdf 1.26.10 Operating System: ROSA-CHROME Unaffected versions: = mupdf-1.26.10-2 Affected versions: mupdf-1.26.10-2 CVE-ID: CVE-2026-25556 BDU-ID: None CVE-Crit: HIGH CVE-DESCRIPTION: A vulnerability related to double-freeing memory exists in MuPDF versions from 1.23.0 to 1.27.0. This...

PT-2026-42687

Name of the Vulnerable Software and Affected Versions Fission versions prior to 1.23.0 Description Runtime pods were configured with the fission-fetcher ServiceAccount, which possesses namespace-wide get permissions for secrets and configmaps. Because the service account token was automounted and...

CVE-2026-40451

DeepL Chrome browser extension versions from v1.22.0 to v.1.23.0 contain a cross-site scripting vulnerability, which allows an attacker to execute arbitrary script in a user's browser, and inject malicious HTML into web pages viewed by the user...

CVE-2026-40451

The CVE-2026-40451 entry affects the DeepL Chrome extension, specifically versions 1.22.0 through 1.23.0. It describes a cross-site scripting vulnerability that allows an attacker to execute arbitrary scripts in a user’s browser and inject malicious HTML into pages viewed by the user. The provide...

PT-2026-34249

Name of the Vulnerable Software and Affected Versions DeepL Chrome browser extension versions 1.22.0 through 1.23.0 Description A cross-site scripting flaw allows an attacker to execute arbitrary script in a user's browser and inject malicious HTML into web pages viewed by the user. Recommendatio...

openSUSE 16 Security Update : osc, obs-scm-bridge (openSUSE-SU-2026:20361-1)

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20361-1 advisory. Changes in osc: - 1.24.0 - Command-line: - Add '--target-owner' option to 'git-obs repo fork' command - Add '--self' parameter to fix 'no matching paren...

CVE-2026-25556

MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fzfillpixmapfromdisplaylist when an exception occurs during display list rendering. The function accepts a caller-owned fzpixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the...

CVE-2026-25556 MuPDF 1.23.0 through 1.27.0 Barcode Decoding Double Free

MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fzfillpixmapfromdisplaylist when an exception occurs during display list rendering. The function accepts a caller-owned fzpixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the...

PT-2026-6730

Name of the Vulnerable Software and Affected Versions MuPDF versions 1.23.0 through 1.27.0 Description MuPDF versions 1.23.0 through 1.27.0 have a double-free issue in the fz fill pixmap from display list function during display list rendering. This occurs when an exception happens, causing the...

Improper Protection of Alternate Path

Overview Affected versions of this package are vulnerable to Improper Protection of Alternate Path due to insufficient validation in attachment editing APIs. An attacker can upload files with restricted extensions by modifying the attachment name, leading to unauthorized file uploads and further...

Gitea allows attackers to add attachments with forbidden file extensions

Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...

Improper Protection of Alternate Path

Overview Affected versions of this package are vulnerable to Improper Protection of Alternate Path due to insufficient validation in attachment editing APIs. An attacker can upload files with restricted extensions by modifying the attachment name, leading to unauthorized file uploads and further...

CVE-2025-68939

Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...

PT-2025-53436

Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.23.0 Description A flaw exists that enables attackers to add attachments with file extensions that are normally prohibited. This is achieved by modifying the attachment name through the attachment API. The affected AP...

CVE-2025-66416

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol MCP. Prior to version 1.23.0, tThe Model Context Protocol MCP Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost...

CVE-2025-66416 DNS Rebinding Protection Disabled by Default in Model Context Protocol Python SDK for Servers Running on Localhost

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol MCP. Prior to version 1.23.0, tThe Model Context Protocol MCP Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost...

CVE-2025-66416 DNS Rebinding Protection Disabled by Default in Model Context Protocol Python SDK for Servers Running on Localhost

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol MCP. Prior to version 1.23.0, tThe Model Context Protocol MCP Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost...

CVE-2025-66416 DNS Rebinding Protection Disabled by Default in Model Context Protocol Python SDK for Servers Running on Localhost

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol MCP. Prior to version 1.23.0, tThe Model Context Protocol MCP Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost...

Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default

Description The Model Context Protocol MCP Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured...

CVE-2025-64716

Anubis is a Web AI Firewall Utility that challenges users' connections in order to protect upstream resources from scraper bots. Prior to version 1.23.0, when using subrequest authentication, Anubis did not perform validation of the redirect URL and redirects user to any URL scheme. While most...