Post-Auth Remote Code Execution found in Roundcube Webmail
Roundcube Webmail reports: Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v...
electron{34,35} -- multiple vulnerabilities
Electron developers report: This update fixes the following vulnerability: Security: backported fix for CVE-2025-4609. Security: backported fix for CVE-2025-4664...
navidrome -- transcoding permission bypass vulnerability
Deluan Quintão reports: A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings...
Navidrome -- SQL Injection via role parameter
Deluan reports: This vulnerability arises due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user...
redis,valkey -- {redis,valkey}-check-aof may lead to stack overflow and potential RCE
Simcha Kosman & CyberArk Labs reports: A user can run the {redis,valkey}-check-aof cli and pass a long file path to trigger a stack buffer overflow, which may potentially lead to remote code execution...
ISC KEA -- Multiple vulnerabilities
Internet Systems Consortium, Inc. reports: Loading a malicious hook library can lead to local privilege escalation (https://kb.isc.org/docs/cve-2025-32801); Insecure handling of file paths allows multiple local attacks (https://kb.isc.org/docs/cve-2025-32802); Insecure file permissions can result in...
curl -- Multiple vulnerabilities
curl security team reports: CVE-2025-5025: No QUIC certificate pinning with wolfSSL; CVE-2025-4947: QUIC certificate check skip with wolfSSL...
Mozilla -- XS-leak attack
[email protected] reports: Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks...
Mozilla -- memory corruption
[email protected] reports: Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code...
libxml2 -- multiple vulnerabilities
Alan Coopersmith reports: As discussed in https://gitlab.gnome.org/GNOME/libxml2/-/issues/913 the security policy of libxml2 has been changed to disclose vulnerabilities before fixes are available so that people other than the maintainer can contribute to fixing security issues in this library. A...
Mozilla -- local code execution
[email protected] reports: Due to insufficient escaping of the newline character in the Copy as cURL feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 11 security fixes: 411573532 High CVE-2025-5063: Use after free in Compositing. Reported by Anonymous on 2025-04-18; 417169470 High CVE-2025-5280: Out of bounds write in V8. Reported by pwn2car on 2025-05-12; 40058068 Medium CVE-2025-5064: Inappropriate...
Firefox -- content injection attack
[email protected] reports: Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks...
Mozilla -- clickjacking vulnerability
[email protected] reports: A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page...
traefik -- Path traversal vulnerability
The traefik project reports: There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it...
Mozilla -- Memory safety bugs
[email protected] reports: Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...
qt6-webengine -- Multiple vulnerabilities
Qt qtwebengine-chromium repo reports: Backports for 25 security bugs in Chromium: CVE-2025-5063: Use after free in Compositing; CVE-2025-5064: Inappropriate implementation in Background Fetch; CVE-2025-5065: Inappropriate implementation in FileSystemAccess API; CVE-2025-5068: Use after free in Blink...
Chrome -- Heap corruption exploitation
[email protected] reports: Use after free in Compositing in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...
Mozilla -- cross-origin leak attack
[email protected] reports: Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks...
Firefox -- unencrypted SNI
[email protected] reports: In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled...
Mozilla -- Memory safety bugs
[email protected] reports: Memory safety bugs present in Firefox 138 and Thunderbird 138. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...
OpenSSL -- Inverted security logic in x509 app
The OpenSSL project reports: The x509 application adds trusted use instead of rejected use low...
Gitlab -- vulnerabilities
Gitlab reports: Unprotected large blob endpoint in GitLab allows Denial of Service; Improper XPath validation allows modified SAML response to bypass 2FA requirement; A Discord webhook integration may cause DoS; Unbounded Kubernetes cluster tokens may lead to DoS; Unvalidated notes position may lead ...
ModSecurity -- possible DoS vulnerability
[email protected] reports: ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content...
ModSecurity -- Possible DoS Vulnerability
[email protected] reports: ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content...
firefox -- out-of-bounds read/write
[email protected] reports: An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes...
py-setuptools -- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf reports: setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in PackageIndex is present in setuptools prior to version 78.1.1. An...
cpython -- Use-after-free in "unicode_escape" decoder with error handler
[email protected] reports: There is an issue in CPython when using bytes.decode("unicode_escape", error="ignore|replace"). If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap t...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 4 security fixes: 415810136 High CVE-2025-4664: Insufficient policy enforcement in Loader. Source: X post from @slonser on 2025-05-05; 412578726 High CVE-2025-4609: Incorrect handle provided in unspecified circumstances in Mojo. Reported by Micky on...
vscode -- security feature bypass vulnerability
VSCode developers report: A security feature bypass vulnerability exists in VS Code 1.100.0 and earlier versions where a maliciously crafted URL could be considered trusted when it should not have due to how VS Code handled glob patterns in the trusted domains feature. When paired with the fetch...
www/varnish7 -- Request Smuggling Attack
The Varnish Development Team reports: A client-side desync vulnerability can be triggered in Varnish Cache and Varnish Enterprise. This vulnerability can be triggered under specific circumstances involving malformed HTTP/1 requests. An attacker can abuse a flaw in Varnish's handling of chunked...
screen -- multiple vulnerabilities
The screen project reports: Multiple security issues in screen...
WeeChat -- Multiple vulnerabilities
The Weechat project reports: Multiple integer and buffer overflows in WeeChat core...
PostgreSQL -- PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation
PostgreSQL project reports: A buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before...
Gitlab -- vulnerabilities
Gitlab reports: Partial Bypass for Device OAuth flow using Cross Window Forgery; Denial of service by abusing Github import API; Group IP restriction bypass allows disclosing issue title of restricted project...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 2 security fixes: 412057896 Medium CVE-2025-4372: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2025-04-20...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 8 security fixes: 409911705 High CVE-2025-4096: Heap buffer overflow in HTML. Reported by Anonymous on 2025-04-11; 409342999 Medium CVE-2025-4050: Out of bounds memory access in DevTools. Reported by Anonymous on 2025-04-09; 404000989 Medium...
Mozilla -- memory corruption
[email protected] reports: Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code...
Mozilla -- control access bypass
[email protected] reports: Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowin...
Mozilla -- memory safety bugs
[email protected] reports: Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...
Mozilla -- XPath parsing undefined behavior
[email protected] reports: A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption...
dnsdist -- Denial of service via crafted DoH exchange
[email protected] reports: When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. The remedy is: upgrade t...
Mozilla -- Cross-Site Request Forgery
[email protected] reports: A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins...
Mozilla -- insufficient character escaping
[email protected] reports: Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system...
Mozilla -- javascript content execution
[email protected] reports: A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape...
Mozilla -- Information leak
[email protected] reports: An attacker with control over a content process could potentially leverage the privileged UITour actor to leak sensitive information or escalate privileges...
Mozilla -- memory corruption
[email protected] reports: Memory safety bugs present in Firefox 137 and Thunderbird 137. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...
grafana -- XSS vulnerability
[email protected] reports: A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does...
h11 accepts some malformed Chunked-Encoding bodies
h11 reports: h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since...
redis,valkey -- DoS Vulnerability due to unlimited growth of output buffers abused by unauthenticated client
Axel Mierczuk reports: By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. When password...