MongoDB Server -- Multiple vulnerabilities
https://jira.mongodb.org/browse/SERVER-114126 reports: Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash. https://jira.mongodb.org/browse/SERVER-102364 reports: MongoDB Server may experience an out-of-memory failure while evaluating...
munge -- CWE-787: Out-of-bounds Write
https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh reports: MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak...
MongoDB Server -- CWE-617 Reachable Assertion
https://jira.mongodb.org/browse/SERVER-99119 reports: An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints...
FreeBSD -- blocklistd(8) socket leak
Problem Description: Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives. Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null...
Roundcube -- Multiple vulnerabilities
The Roundcube project reports: Unspecified CSS injection vulnerability. Remote image blocking bypass via SVG content...
oauth2-proxy -- multiple vulnerabilities
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed...
navidrome -- multiple vulnerabilities
An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. Authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 2 security fixes: 478942410 High CVE-2026-1861: Heap buffer overflow in libvpx. Reported by Google on 2026-01-26 479726070 High CVE-2026-1862: Type Confusion in V8. Reported by Chaoyuan Peng @ret2happy on 2026-01-29...
qt6-webengine -- multiple vulnerabilities
Qt qtwebengine-chromium repo reports: Backports for 7 security bugs in Chromium: CVE-2025-13638: Prevent media element GC in callbacks in WebMediaPlayerMS CVE-2025-13639: Improve validation of SDP direction in remote description CVE-2025-13720: Avoid downcasting Hash and Integrity reports...
expat -- multiple vulnerabilities
expat team reports: Update contains 2 security fixes: CVE-2026-24515: NULL dereference in function XML_ExternalEntityParserCreate CVE-2026-25210: missing check for integer overflow in function doContent...
zeek -- potential DoS vulnerability
Tim Wojtulewicz of Corelight reports: Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding or Content-Length headers set in MIME entities within HTTP bodies and change the analyzer behavior...
qt6-webengine -- multiple vulnerabilities
Qt qtwebengine-chromium repo reports: Backports for 262 security bugs in Chromium: CVE-2025-13223: Type Confusion in V8 CVE-2025-13224: Type Confusion in V8 CVE-2025-13630: Type Confusion in V8 CVE-2025-13632: Inappropriate implementation in DevTools CVE-2025-13634: Inappropriate implementation i...
FreeBSD -- Jail escape by a privileged user via nullfs
Problem Description: By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. If a privileged user within a jail is able to nullfs-mount directories, a limitation of the...
Firefox -- Multiple vulnerabilities
https://bugzilla.mozilla.org/show_bug.cgi?id=2007302 reports: Mitigation bypass in the Privacy: Anti-Tracking component. Use-after-free in the Layout: Scrolling and Overflow component...
OpenSSL -- Multiple vulnerabilities
The OpenSSL project reports: Improper validation of PBMAC1 parameters in PKCS12 MAC verification (CVE-2025-11187). Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467). NULL dereference in SSL_CIPHER_find function on unknown cipher ID (CVE-2025-15468). "openssl dgst" one-shot codepath...
chromium -- security fix
Chrome Releases reports: This update includes 1 security fix: 474435504 High CVE-2026-1504: Inappropriate implementation in Background Fetch API. Reported by Luan Herrera @lbherrera on 2026-01-09...
wheel -- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx reports: wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file...
Gitlab -- vulnerabilities
Gitlab reports: Denial of Service issue in Jira Connect integration impacts GitLab CE/EE Incorrect Authorization issue in Releases API impacts GitLab CE/EE Unchecked Return Value issue in authentication services impacts GitLab CE/EE Infinite Loop issue in Wiki redirects impacts GitLab CE/EE Denia...
Python -- poplib module, when passed a user-controlled command, can have additional commands injected using newlines
Python Software Foundation Security Developer reports: The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 1 security fix: 473851441 High CVE-2026-1220: Race in V8. Reported by @p1nky4745 on 2026-01-07...
MySQL -- Multiple vulnerabilities
Oracle reports: Oracle reports multiple vulnerabilities in its MySQL server products...
Python -- imaplib module, when passed a user-controlled command, can have additional commands injected using newlines
Python Software Foundation Security Developer reports: The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters...
mail/mailpit -- multiple vulnerabilities
Mailpit author reports: Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection (GHSA-54wq-72mp-cq7c). Prevent Server-Side Request Forgery (SSRF) via HTML Check API (GHSA-6jxm-fv7w-rw5j)...
python -- several security vulnerabilities
The Python project announces a new release with several security fixes: CVE-2026-1299: gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650. gh-143935:...
oauth2-proxy -- multiple vulnerabilities
Within HostnameError.Error, when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can...
traefik -- ACME TLS-ALPN fast path potential DoS
The traefik project reports: There is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client ca...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 10 security fixes: 458914193 High CVE-2026-0899: Out of bounds memory access in V8. Reported by @p1nky4745 on 2025-11-08 465730465 High CVE-2026-0900: Inappropriate implementation in V8. Reported by Google on 2025-12-03 40057499 High CVE-2026-0901:...
Mozilla -- multiple vulnerabilities
Memory safety bugs present in firefox-esr 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. Clickjacking issue and information disclosure in the PDF Viewer component. Use-after-free in the JavaScript: GC component...
Mozilla -- multiple vulnerabilities
Incorrect boundary conditions in the Graphics component. Use-after-free in the IPC component. Sandbox escape due to integer overflow in the Graphics component. Sandbox escape due to incorrect boundary conditions in the Graphics component. Mitigation bypass in the DOM: Security component...
Mozilla -- multiple vulnerabilities
Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Denial-of-service in the DOM: Service Workers component. Information...
mail/mailpit -- Cross-Site WebSocket Hijacking
Mailpit author reports: The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailp...
virtualenv -- CWE-59: Improper Link Resolution Before File Access ('Link Following')
https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986 reports: virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attac...
Gitlab -- vulnerabilities
Gitlab reports: Stored Cross-site Scripting issue in GitLab Flavored Markdown placeholders impacts GitLab CE/EE Cross-site Scripting issue in Web IDE impacts GitLab CE/EE Missing Authorization issue in Duo Workflows API impacts GitLab EE Missing Authorization issue in AI GraphQL mutation impacts...
libtasn1 -- Stack-based buffer overflow
oss-security@ list reports: Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1expendoctetstring...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 1 security fix: 463155954 High CVE-2026-0628: Insufficient policy enforcement in WebView tag. Reported by Gal Weizman on 2025-11-23...
mail/mailpit -- Server-Side Request Forgery
Mailpit author reports: A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources. The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it...
curl -- Multiple vulnerabilities
The curl project reports: Multiple vulnerabilities...
security/libsodium -- crypto_core_ed25519_is_valid_point mishandles checks for whether an elliptic curve point is valid
Libsodium maintainer reports: The function crypto_core_ed25519_is_valid_point, a low-level function used to check if a given elliptic curve point is valid, was supposed to reject points that aren't in the main cryptographic group, but some points were slipping through...
phpmyfaq -- multiple vulnerabilities
phpMyFAQ team reports: Stored cross-site scripting (XSS) and unauthenticated config backup download vulnerability...
gstreamer1-plugins-bad -- Out-of-bounds reads in MIDI parser
The GStreamer Security Center reports: Multiple out-of-bounds reads in the MIDI parser that can cause crashes for certain input files...
Forgejo -- Symbolic Link (Symlink) Following
https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.2.md reports: Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template...
net-mgmt/net-snmp -- Remote Code Execution (snmptrapd)
net-snmp development team reports: A specially crafted packet to a net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash...
fluidsynth -- Use after free when using DLS files
The fluidsynth authors report: A race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pending to unload a DLS file, leading to use of freed memory, if the synthesizer is being concurrently destroyed, or samples of the unloaded...
smb4k -- Critical vulnerabilities in Mount Helper
vulndb reports: A vulnerability, which was classified as critical, was found in smb4k up to 4.0.4. Affected is some unknown functionality of the component Mount Helper. The manipulation with an unknown input leads to an access control vulnerability. CWE is classifying the issue as CWE-284. The...
MongoDB -- Improper Handling of Length Parameter Inconsistency
https://jira.mongodb.org/browse/SERVER-115508 reports: Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client...
Firefox -- Memory safety bugs
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1996570%2C1999700 reports: Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...
Firefox -- Use-after-free
https://bugzilla.mozilla.org/show_bug.cgi?id=2000597 reports: Use-after-free in the Disability Access APIs component...
FreeBSD -- Remote code execution via ND6 Router Advertisements
Problem Description: The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement messages; the option body is passed to resolvconf(8) unmodified. resolvconf(8) is a shell script which does not validate its input. A lack of quoting meant that shell...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 2 security fixes: 448294721 High CVE-2025-14765: Use after free in WebGPU. Reported by Anonymous on 2025-09-30 466786677 High CVE-2025-14766: Out of bounds read and write in V8. Reported by Shaheen Fazim on 2025-12-08...
FreeBSD -- ipfw denial of service
Problem Description: In some cases, the tcp-setmss handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference. Impact: Maliciously crafted packe...