6577 matches found
xrdp -- multiple vulnerabilities
xrdp projects reports: xrdp v0.10.6.1 fixes 10 vulnerabilities and 1 regression introduced by a vulnerability fix in the previous release...
zeek -- potential DoS vulnerabilities
Tim Wojtulewicz of Corelight reports: The NVT, Rlogin, and RSH analyzers have received fixes to avoid unbounded state growth. Due to the fact that these packets can be received from remote hosts, these are considered DoS risks. A specially crafted WebSocket payload can cause the Spicy WebSocket...
Weechat -- Memory leak in relay-API
The Weechat project reports: Pre-auth memory leak in relay-api POST /api/handshake unfreed JSON body → unauthenticated remote memory-exhaustion DoS...
Roundcube -- Multiple vulnerabilities
The Rouncube project reports: See links for more detail...
openvpn -- multiple vulnerabilities
The OpenVPN community project team reports: ... OpenVPN 2.7.5 ... is a bugfix release fixing several security issues: Fix use-after-free bug in ackwritebuf, triggerable by a well-timed sequence of control channel + authentication packets CVE-2026-12996 Fix use-after-free bug in tlswrapreneg,...
p5-CGI-Session -- secuity fixes
CGI-Session project reports: SECURITY: Strengthen cryptographic randomness of MD5 driver...
FreeBSD -- Incorrect audit records for ptrace(2) syscall requests
Problem Description: When auditing a system call executed via ptracePTSCREMOTE, the kernel passed the return value of an internal setup function to AUDITSYSCALLEXIT rather than the actual result of the executed system call. As a result, committed audit records for system calls which returned an...
FreeBSD -- Remote DOS via uninitialized memory access in KTLS receive
Problem Description: When building the iovec array for a received TLS 1.2 CBC record, ktlsocftlscbcdecrypt incremented the iovec index for every mbuf in the chain, including mbufs that were skipped because they contained only TLS header bytes. This left uninitialized entries in the iovec array. T...
FreeBSD -- Buffer overflow in libalias RTSP handler
Problem Description: The RTSP handler in libalias rewrote outgoing packets into a fixed-length stack buffer without checking whether the rewritten data fit in the buffer, or whether the result fit back in the original packet. Impact: A host sending crafted RTSP traffic from inside a NAT gateway...
FreeBSD -- Jail reference count underflow
Problem Description: When the JAILATDESC flag is specified, kernjailset and kernjailget released the reference to the caller's current prison before looking up the jail descriptor. If the descriptor lookup failed, error-handling paths released the same reference a second time. Impact: An...
FreeBSD -- Use-after-free in device pager page list
Problem Description: When msyncMSINVALIDATE is called on a mapping of an unmanaged device object, the physical pages in the mapping range are marked invalid but remain in the pager's page list. A subsequent page fault will cause the fault handler to re-insert the page into the object's list. This...
FreeBSD -- Multiple vulnerabilities in POSIX largepage objects
Problem Description: Pages belonging to largepage shared memory objects were not explicitly wired. When sendfile2 transmitted such an object with the SFNOCACHE flag, it freed the underlying pages after transmission even though existing mappings still referred to them. CVE-2026-49427 Separately,...
FreeBSD -- Multiple vulnerabilities in OpenZFS
Problem Description: The ZFSIOCUSERSPACEMANY ioctl, used by zfs-userspace8, truncated a 64-bit output buffer size to a 32-bit integer for the kernel allocation, but used the original 64-bit size as the buffer limit when writing records. The ZFSIOCRECVNEW ioctl, in the heal receive path, similarly...
FreeBSD-kernel -- Kernel stack disclosure in 32-bit compatibility support
Problem Description: The compat32 kevent handler translates a 64-bit kevent struct into a stack- declared 32-bit struct. It did not first zero the stack struct. Impact: An unprivileged user may observe a small amount of uninitialized kernel stack data, which may contain sensitive information...
FreeBSD -- Kernel stack disclosure in Linux compatibility layer
Problem Description: The Linux waitid implementation translates a FreeBSD siginfot struct into a stack-declared Linux siginfot. It did not first zero the stack struct. Impact: An unprivileged user may observe 104 bytes of uninitialized kernel stack data, which may contain sensitive information...
FreeBSD -- Multiple vulnerabilities in iconv(3)
Problem Description: Several encoding modules, including HZ, UTF-7, VIQR, and ZW, did not properly check the size of the caller-supplied output buffer before writing converted characters. CVE-2026-58081 The ISO-2022 encoding module used a stack buffer sized to MBLENMAX 6 bytes for intermediate...
FreeBSD -- Use-after-free in TCP RACK stack option handler
Problem Description: The RACK setsockopt2 handler drops the connection lock in order to copy option data from userspace, then reacquires the lock. After reacquiring, it verifies that the TCP stack had not been switched away, but did not reload its pointer to the stack's per-connection control...
FreeBSD -- unlinkat(2) ignores AT_RESOLVE_BENEATH flag
Problem Description: The kernel function that implements unlinkat2 and funlinkat2 validated the ATRESOLVEBENEATH flag but failed to pass it through to the underlying path lookup. The flag was silently dropped, so path resolution was not actually restricted. Impact: A process that uses...
FreeBSD -- Local privilege escalation via execve(2) TOCTOU race
Problem Description: During execve2 of a SUID binary, the new virtual address space is installed before the process credentials are updated. During this window, a process running as the same user can access the target process's memory via procfs or linprocfs, because the kernel's debugging...
traefik -- Multiple vulnerabilities
The traefik project releases a new version addressing multiple CVEs: CVE-2026-54763 underscore-variant identity spoofing CVE-2026-54764 ForwardAuth middleware leaks X-Forwarded-Port spoofing CVE-2026-54765 Gateway HTTPRoute backendRef filters can leak backend context...
chromium -- security fixes
Chrome Releases reports: This update includes 382 security fixes: 506558270 Critical CVE-2026-13774: Use after free in Extensions. 511766407 Critical CVE-2026-13775: Use after free in GPU. 513012139 Critical CVE-2026-13776: Type Confusion in Dawn. 513128566 Critical CVE-2026-13777: Insufficient...
PostgresSQL JDBC -- Silent channel-binding authentication downgrade via unsupported certificate algorithms
PostgreSQL project reports: channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256 without it, losing the man-in-the-middle protection the setting is meant to guarantee. An attacker who can intercept the TLS connection...
icinga2 -- Improper access control for JSON-RPC update certificate messages
The Icinga team reports: The code handling certificate update JSON-RPC messages was flawed and did not properly validate the sender of the message, allowing an unauthenticated attacker that can connect to Icinga 2 to update both the own certificate as well as the trusted CA certificate. Updating...
Multiple vulnerability found in Expat
Expat 2.8.2 was released yesterday. The key motivation for cutting a release and doing so now was getting security and non-security bugsfixes out to users. On the security side, 13 vulnerabilities have been fixed: CVE-2026-50219: missing control flow integrity checks CVE-2026-56131: missing contr...
chromium -- security fixes
Chrome Releases reports: This update includes 3 security fixes: 513138301 High CVE-2026-13281: Integer overflow in Mojo. Reported by Google on 2026-05-14 517522620 High CVE-2026-13282: Use after free in Payments. Reported by Google on 2026-05-28 522561151 High CVE-2026-13283: Use after free in...
NSD -- vulnerabilities
NLnet Labs reports: CVE-2026-12244: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes. If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rda...
DNSdist -- vulnerabilities
The DNSdist team reports: CVE-2026-40011: Prometheus denial of service via crafted DNS queries CVE-2026-42004: EDNS options smuggling CVE-2026-42005: Insufficient input validation of internal web server CVE-2026-40208: Denial of service via DoH3 queries CVE-2026-40209: Denial of service via IXFR...
rclone -- Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation
https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv reports: Rclone is a command-line program to sync files and directories to and from different cloud storage providers.From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of...
Gitlab -- Vulnerabilities
Gitlab reports: Cross-site Scripting issue in Analytics Dashboard impacts GitLab EE Cross-site Scripting issue in Web IDE workbench asset handler impacts GitLab CE/EE Information Disclosure issue in Duo Workflows impacts GitLab EE Authorization Bypass issue in Virtual Registry Cleanup Policy API...
podman -- files outside build context may be included via malicious Git repo or tar archive
The Podman developers report: Building a Dockerfile using an ADD or COPY instruction accessing a malicious Git repository or tar archive could cause files outside the build context directory to be included in the build context or copied into the build...
ffmpeg -- Out-of-bounds write
https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23159 reports: An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in some cases, can be exploited for remote code execution. This vulnerability is associated with the...
mail/mailpit -- Incomplete SSRF protection in Link Check API via uncovered IPv6 forms
Mailpit authorreports: The tools.IsInternalIP deny-list relies on Go's stdlib classification helpers IsLoopback, IsPrivate, IsLinkLocalUnicast, IsLinkLocalMulticast, IsUnspecified, IsMulticast plus an inline CGNAT range, but those helpers do not match two classes of IPv6 address that should be...
nginx -- multiple vulnerabilities
The nginx developers report: A use-after-free vulnerability when using HTTP/3 and processing a specially crafted QUIC session may allow memory corruption or a segmentation fault in a worker process CVE-2026-42530. A heap memory buffer overflow vulnerability when using the "ignoreinvalidheaders...
nginx -- multiple vulnerabilities
The nginx developers report: A heap memory buffer overflow vulnerability when using the "ignoreinvalidheaders off;" and "largeclientheaderbuffers" directives with large configured values while proxying a specially crafted request to an HTTP/2 or gRPC backend may allow memory corruption or a...
gstreamer1 -- multiple vulnerabilities
The GStreamer project reports: Multiple security issues were identified and fixed in the GStreamer framework. GStreamer-SA-2026-0030: Missing bounds checks in RTCP SDES packet parsing GStreamer-SA-2026-0031: Integer overflow and truncation in MXF demuxer GStreamer-SA-2026-0032: Out-of-bounds read...
chromium -- security fixes
Chrome Releases reports: This update includes 33 security fixes: 516496659 Critical CVE-2026-12437: Use after free in WebShare. 516947912 Critical CVE-2026-12438: Inappropriate implementation in WebView. 519728275 Critical CVE-2026-12439: Use after free in Digital Credentials. 519731619 Critical...
chromium -- security fixes
Chrome Releases reports: This update includes 28 security fixes: 516731749 Critical CVE-2026-12007: Use after free Core. Reported by Google on 2026-05-26 516942828 Critical CVE-2026-12008: Use after free DigitalCredentials. Reported by Google on 2026-05-27 517332006 Critical CVE-2026-12009:...
Gitlab -- vulnerabilities
Gitlab reports: Improper Access Control issue in Group SAML Identity API impacts GitLab EE Cross-site Scripting issue in Analytics Dashboard impacts GitLab EE Denial of Service issue in Grape API JSON parsing middleware impacts GitLab CE/EE HTML injection issue in certain group setting fields...
Erlang/OTP -- TLS distribution check_ip flag does not enforce same-LAN constraint
https://github.com/erlang/otp/security/advisories/GHSA-gp7x-mfv6-52cv reports: Erlang distribution over TLS run with the kernel checkip flag now properly enforces connecting nodes to be on the same LAN. Previously the constraint was not enforced...
Erlang/OTP -- timing-based username enumeration in SSH password authentication
https://github.com/erlang/otp/security/advisories/GHSA-3w6p-vwhf-wvp4 reports: A timing-based username enumeration vulnerability during password authentication with the userpasswords option has been fixed by performing a dummy PBKDF2 computation for invalid usernames, so authentication timing no...
Erlang/OTP -- FTP passive-mode client does not validate server response IP
https://github.com/erlang/otp/security/advisories/GHSA-24cv-hwgr-37fq reports: The FTP client in passive mode did not validate the IP address returned in the server's response, allowing a compromised or malicious server to redirect the data connection to an arbitrary host. This enables server-sid...
Erlang/OTP -- httpc leaks authentication headers on cross-host redirect
https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh reports: The HTTP client httpc in inets now removes Authorization, Proxy-Authorization, Cookie, Referer, and Origin headers when following a redirect to a different host or port, following the requirements of RFC 9110 section...
Erlang/OTP -- SFTP READLINK discloses server filesystem paths
https://github.com/erlang/otp/security/advisories/GHSA-pv7g-pjrq-x2fh reports: The SSH SFTP daemon's handling of SSHFXPREADLINK returned symbolic link targets containing the server's absolute filesystem path, disclosing the backend root prefix to clients. The handler now strips the backend root...
ldns -- CWE-346 Origin Validation Error
https://www.nlnetlabs.nl/downloads/ldns/CVE-2026-10846.txt reports: NLnet Labs ldns 1.2.0 up to and including versions 1.9.0, when used in applications as stub resolver over UDP, lacks matching the query destination address and port with the response source address and port. Furthermore not the...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory 2026-06-10: SECURITY-3707 / CVE-2026-53435: Deserialization vulnerability High SECURITY-3711+3755 / CVE-2026-53436, CVE-2026-53437: Open redirect vulnerability Medium SECURITY-3712 / CVE-2026-53438: Missing permission check allows canceling queue items Medium SECURITY-37...
Erlang/OTP -- buffer overflow parsing SCTP ERROR/ABORT chunks
https://github.com/erlang/otp/security/advisories/GHSA-6f4f-chj5-5g97 reports: A buffer overflow error when parsing SCTP ERROR or ABORT chunks has been fixed. This could lead to stack corruption and VM crash, but ultimately with hard work by an attacker be refined into maybe even remote code...
Erlang/OTP -- stack overflow in ei_s_print_term for very large integer terms
https://github.com/erlang/otp/security/advisories/GHSA-xcxj-5pg2-v72j reports: Fixed a stack overflow in eisprintterm in erlinterface for very large integer terms more than 2000 hexadecimal digits long...
FreeBSD -- Arm CPU errata may bypass page table permission changes
Problem Description: Some Arm CPUs have errata where the ordering of stores and the TLBI+DSB sequence may be incorrect. If one CPU stores to a virtual address while another CPU invalidates the translation for that address, the second CPU's TLBI+DSB may complete before the first CPU's store has be...
FreeBSD -- Insufficient response validation in the ldns stub resolver
Problem Description: When used as a stub resolver over UDP, ldns failed to verify that a received response belonged to the outstanding query. It did not check that the response source address and port matched the query destination, that the transaction ID matched, or that the question section of...
FreeBSD -- Integer overflow in vt(4) CONS_HISTORY ioctl
Problem Description: The CONSHISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of...