CVE-2026-44638

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a wrong NULL check after an allocation call in sixeldecoderaw and sixeldecode causes a NULL pointer dereference whenever the allocation fails. The check tests the address of the output parameter alway...

CVE-2026-44636

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, signed integer overflow in sixelencodehighcolor's allocation size calculation can lead to a heap buffer overflow. The public sixelencode entry point validates only that width and height are greater th...

EUVD-2026-22744

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow which leads to a heap buffer overflow via sixelframeconverttorgb888 in frame.c, where allocation size and pointer offset computations for palettised images PAL1, PAL...

CVE-2026-33020

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow which leads to a heap buffer overflow via sixelframeconverttorgb888 in frame.c, where allocation size and pointer offset computations for palettised images PAL1, PAL...

CVE-2026-33019 libsixel: Integer overflow leads to Out-of-bounds Read in img2sixel

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow leading to an out-of-bounds heap read in the --crop option handling of img2sixel, where positive coordinates up to INTMAX are accepted without overflow-safe bounds...

CVE-2026-33019

Summary: The issue affects libsixel versions up to 1.8.7 and prior, where the --crop handling in img2sixel can overflow when coordinates are large. In sixel_encoder_do_clip(), clip_w + clip_x overflows for clip_x = INT_MAX, bypassing bounds checks and allowing an unclamped coordinate to reach six...

CVE-2026-33018 libsixel: Use-After-Free in load_gif()

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the loadgif function in fromgif.c, where a single sixelframet object is reused across all frames of an animated GIF and gifinitframe unconditionally...

WordPress StreamWeasels Twitch Integration Plugin <= 1.8.6 is vulnerable to Cross Site Scripting (XSS)

Software StreamWeasels Twitch Integration Type Plugin Vulnerable versions = 1.8.6 Fixed in 1.8.7 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-9897 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 924e5605229d Credits Peter...

MyBB 1.8.6 - SQL Injection

MyBB 1.8.6 - SQL Injection Security Advisory - Curesec Research Team 1. Introduction Affected Product: MyBB 1.8.6 Fixed in: 1.8.7 Fixed Version Link: http://resources.mybb.com/downloads/mybb1807.zip Vendor Website: http://www.mybb.com/ Vulnerability Type: SQL Injection Remote Exploitable: Yes...