OpenEXR < 3.4.3 -- multiple vulnerabilities
Cary Phillips reports: Patch release that addresses several bugs, primarily involving properly rejecting corrupt input data. He goes on to report various relevant items including heap buffer overflows, use-after-free, use of uninitialized memory and other bugs, several of them found by OSS-fuzz,...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 20 security fixes: 447613211 High CVE-2025-12428: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2025-09-26 450618029 High CVE-2025-12429: Inappropriate implementation in V8. Reported by Aorui Zhang on 2025-10-10 442860743 High...
Firefox -- use-after-free in the GPU or browser process
https://bugzilla.mozilla.org/show_bug.cgi?id=1993113 reports: Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox...
OpenVPN -- HMAC verification on source IP address ineffective
Arne Schwabe reports: Fix memcmp check for the hmac verification in the 3way handshake being inverted. This is a stupid mistake but causes all hmac cookies to be accepted, thus breaking source IP address validation. As a consequence, TLS sessions can be opened and state can be consumed in the...
strongSwan -- Heap-based buffer overflow in eap-mschapv2 plugin due to improper handling of failure request packets
Xu Biang reports: The eap-mschapv2 plugin doesn't correctly check the length of an EAP-MSCHAPv2 Failure Request packet on the client, which can cause an integer underflow that leads to a crash and, depending on the compiler options, even a heap-based buffer overflow that's potentially exploitable...
SQLite -- Integer Overflow vulnerability
http://sqlite3.com reports: Integer Overflow vulnerability in SQLite SQLite3 v.3.50.0 allows a remote attacker to cause a denial of service via the setupLookaside function...
RT -- XSS via calendar invitations
Mateusz Szymaniec and CERT Polska reports: RT is vulnerable to XSS via calendar invitations added to a ticket. Thanks to Mateusz Szymaniec and CERT Polska for reporting this finding...
RT -- CSV injection
Gareth Watkin-Jones from 4armed reports: RT is vulnerable to CSV injection via ticket values with special characters that are exported to a TSV from search results. Thanks to Gareth Watkin-Jones from 4armed for reporting this finding...
privatebin - Missing HTML sanitisation of attached filename in file size hint enabling persistent XSS
PrivateBin reports: We've identified an HTML injection/XSS vulnerability in the PrivateBin service that allows the injection of arbitrary HTML markup via the attached filename...
unbound -- Possible domain hijacking via promiscuous records in the authority section
[email protected] reports: NLnet Labs Unbound up to and including version 1.24.0 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone...
Gitlab -- vulnerabilities
Gitlab reports: Improper access control issue in runner API impacts GitLab EE Denial of service issue in event collection impacts GitLab CE/EE Denial of service issue in JSON validation impacts GitLab CE/EE Denial of service issue in upload impacts GitLab CE/EE Incorrect Authorization issue in...
FreeBSD -- SO_REUSEPORT_LB breaks connect(2) for UDP sockets
Problem Description: Connected sockets are not intended to belong to load-balancing groups. However, the kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will...
chromium -- security fix
Chrome Releases reports: This update includes 1 security fix: 452296415 High CVE-2025-12036: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-15...
Mongodb -- Use-after-free in the MongoDB
[email protected] reports: An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions...
OpenVPN -- avoid buffer overread parsing routes or endpoints
Mikhail Khachaiants reports: socket: reject mismatched address family in getaddrgeneric. Add a family check to prevent copying address data of the wrong type, which could cause buffer over-read when parsing routes or endpoints...
minio -- Privilege Escalation via Session Policy Bypass in Service Accounts and STS
minio reports: A privilege escalation vulnerability allows service accounts and STS Security Token Service accounts with restricted session policies to bypass their inline policy restrictions when performing "own" account operations, specifically when creating new service accounts for the same use...
Hidden/Protected custom variables are prone to filter enumeration
Icinga reports: An authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it...
powerdns-recursor -- cache pollution
PowerDNS Team reports: It has been brought to our attention that the Recursor does not apply strict enough validation of received delegation information. The malicious delegation information can be sent by an attacker spoofing packets...
Mozilla -- Memory safety bugs
[email protected] reports: Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...
Mozilla -- Out-of-bounds reads and writes
[email protected] reports: A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures...
Mozilla -- Memory disclosure
[email protected] reports: A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process...
Mozilla -- Use-after-free
[email protected] reports: Use-after-free in MediaTrackGraphImpl::GetInstance...
Mozilla -- Memory safety bugs
[email protected] reports: Memory safety bug. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code...
Mozilla -- XSS in sites without content-type header
[email protected] reports: A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a...
Mozilla -- Memory safety bugs
[email protected] reports: Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 1 security fix: 447192722 High CVE-2025-11756: Use after free in Safe Browsing. Reported by asnine on 2025-09-25...
Mozilla -- JavaScript Object property overriding
[email protected] reports: There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable...
zeek -- information leak vulnerability
Tim Wojtulewicz of Corelight reports: The KRB analyzer can leak information about hosts in analyzed traffic via external DNS lookups...
py-social-auth-app-django -- Unsafe account association
Michal Čihař reports: Upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail...
Mailpit -- Performance information disclosure
Ralph Slooten Mailpit developer reports: An HTTP endpoint was found which exposed expvar runtime information memory usage, goroutine counts, GC behavior, uptime and potential runtime flags due to the Prometheus client library dependency...
Gitlab -- vulnerabilities
Gitlab reports: Incorrect authorization issue in GraphQL mutations impacts GitLab EE Denial of Service issue in GraphQL blob type impacts GitLab CE/EE Missing authorization issue in manual jobs impacts GitLab CE/EE Denial of Service issue in webhook endpoints impacts GitLab CE/EE...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 3 security fixes: 443196747 High CVE-2025-11458: Heap buffer overflow in Sync. Reported by raven at KunLun lab on 2025-09-05 446722008 High CVE-2025-11460: Use after free in Storage. Reported by Sombra on 2025-09-23 441917796 Medium CVE-2025-11211: Ou...
redis,valkey -- Lua Use-After-Free may lead to remote code execution
redis reports: An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. An additional workaround to mitigate the problem...
redis,valkey -- Out of bound read due to a bug in LUA
redis reports: An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and cause a subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. An additional workaround to mitigate the problem without patching the...
redis,valkey -- Lua library commands may lead to integer overflow and potential RCE
redis reports: An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. An additional workaround to mitigate the problem without patching the redis-server...
redis,valkey -- Running Lua function as a different user
redis reports: An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with Lua scripting. An additional workaround to mitigate the problem withou...
fetchmail -- potential crash when authenticating to SMTP server
Matthias Andree reports: fetchmail's SMTP client, when configured to authenticate, is susceptible to a protocol violation where, when a trusted but malicious or malfunctioning SMTP server responds to an authentication request with a "334" code but without a following blank on the line, it will...
LibreSSL -- overwrite and -read vulnerability
The LibreSSL project reports: An incorrect length check can result in a 4-byte overwrite and an 8-byte overread...
Vulnerability found in Expat
Expat 2.8.1 was released yesterday. The key motivation for cutting a release and doing so now was: Fixing vulnerability CVE-2026-45186 that allows easy denial of service. See also https://github.com/libexpat/libexpat/pull/1216...
Django -- multiple vulnerabilities
Django reports: CVE-2025-59681: Potential SQL injection in QuerySet.annotate, alias, aggregate, and extra on MySQL and MariaDB. CVE-2025-59682: Potential partial directory-traversal via archive.extract...
Firefox -- Sandbox escape due to integer overflow
https://bugzilla.mozilla.org/show_bug.cgi?id=1987246 reports: Sandbox escape due to integer overflow in the Graphics: Canvas2D component...
Firefox -- JIT miscompilation in the JavaScript Engine
[email protected] reports: JIT miscompilation in the JavaScript Engine: JIT component...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 21 security fixes: 442444724 High CVE-2025-11205: Heap buffer overflow in WebGPU. Reported by Atte Kettunen of OUSPG on 2025-09-02 444755026 High CVE-2025-11206: Heap buffer overflow in Video. Reported by Elias Hohl on 2025-09-12 428189824 Medium...
Firefox -- Sandbox escape
[email protected] reports: Sandbox escape due to integer overflow in the Graphics: Canvas2D component...
OpenSSL -- multiple vulnerabilities
The OpenSSL project reports: Out-of-bounds read & write in RFC 3211 KEK Unwrap; Timing side-channel in SM2 algorithm on 64-bit ARM; Fix Out-of-bounds read in HTTP client no_proxy handling...
Gitlab -- Vulnerabilities
Gitlab reports: Denial of Service issue when uploading specifically crafted JSON files impacts GitLab CE/EE Denial of Service issue bypassing query complexity limits impacts GitLab CE/EE Information disclosure issue in virtual registry configuration for low privileged users impacts GitLab CE/EE...
qt6-webengine -- Multiple vulnerabilities
Qt qtwebengine-chromium repo reports: Backports for 9 security bugs in Chromium: CVE-2025-9866: Determine whether to bypass redirect checks per request CVE-2025-10200: Use after free in Serviceworker CVE-2025-10201: Inappropriate implementation in Mojo CVE-2025-10500: Use after free in Dawn...
openvpn-devel -- script injection vulnerability from trusted but malicious server
Gert Doering reports: Notable changes beta1 - beta2 are: ... add proper input sanitation to DNS strings to prevent an attack coming from a trusted-but-malicious OpenVPN server CVE: 2025-10680, affects unixoid systems with --dns-updown scripts and windows using the built-in powershell call Lev...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 4 security fixes: 430336833 High CVE-2025-10890: Side-channel information leakage in V8. Reported by Mate Marjanović SharpEdged on 2025-07-09 443765373 High CVE-2025-10891: Integer overflow in V8. Reported by Google Big Sleep on 2025-09-09 444048019...
dnsdist -- Denial of service via crafted DoH exchange
[email protected] reports: In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an...