6515 matches found
mongodb -- MongoDB Server router will crash when incorrect lsid is set on a sharded query
[email protected] reports: An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument lsid is provided in a case when it is not applicable...
mongodb -- MongoDB may be susceptible to Invariant Failure in Transactions due to Upsert Operation
[email protected] reports: MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management...
Shibboleth Service Provider -- SQL injection vulnerability in ODBC plugin
Internet2 reports: The Shibboleth Service Provider includes a storage API usable for a number of different use cases such as the session cache, replay cache, and relay state management. An ODBC extension plugin is provided with some distributions of the software notably on Windows. A SQL injectio...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 6 security fixes: 434513380 High CVE-2025-9864: Use after free in V8. Reported by Pavel Kuzmin of Yandex Security Team on 2025-07-28; 437147699 Medium CVE-2025-9865: Inappropriate implementation in Toolbar. Reported by Khalil Zhani on 2025-08-07...
Django -- multiple vulnerabilities
Django reports: CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases...
exiv2 -- Denial-of-service
Kevin Backhouse reports: A denial-of-service was found in Exiv2 version v0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata can cause Exiv2 to run for a long time. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying th...
exiv2 -- Out-of-bounds read in Exiv2::EpsImage::writeMetadata()
Kevin Backhouse reports: An out-of-bounds read was found in Exiv2 versions v0.28.5 and earlier. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The out-of-bounds read is triggered when Exiv2 is used to write metadata into ...
libudisks -- Udisks: out-of-bounds read in udisks daemon
[email protected] reports: A flaw was found in the Udisks daemon, where it allows unprivileged users to create loop devices using the D-BUS system. This is achieved via the loop device handler, which handles requests sent through the D-BUS interface. As two of the parameters of this handle, it...
PCRE2: heap-buffer-overflow read in match_ref due to missing boundary restoration in SCS
[email protected] reports: The PCRE2 library is a set of C functions that implement regular expression pattern matching. In version 10.45, a heap-buffer-overflow read vulnerability exists in the PCRE2 regular expression matching engine, specifically within the handling of the scs:...
Gitlab -- vulnerabilities
Gitlab reports: Allocation of Resources Without Limits issue in import function impacts GitLab CE/EE; Missing authentication issue in GraphQL endpoint impacts GitLab CE/EE; Allocation of Resources Without Limits issue in GraphQL impacts GitLab CE/EE; Code injection issue in GitLab repositories impac...
ISC KEA -- kea-dhcp4 aborts if client sends a broadcast request with particular options
Internet Systems Consortium, Inc. reports: We corrected an issue in kea-dhcp4 that caused the server to abort if a client sent a broadcast request with particular options, and Kea failed to find an appropriate subnet for that client. This addresses CVE-2025-40779 4055, 4048...
Mozilla -- Same-origin policy bypass in the Graphics: Canvas2D component
https://bugzilla.mozilla.org/show_bug.cgi?id=1979782 reports: Same-origin policy bypass in the Graphics: Canvas2D component...
Firefox -- Spoofing in the Address Bar
[email protected] reports: Spoofing issue in the Address Bar component...
Mozilla -- memory safety bugs
[email protected] reports: Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort som...
Mozilla -- DoS in WebRender
[email protected] reports: 'Denial-of-service due to out-of-memory in the Graphics: WebRender component.'...
Mozilla -- Same-origin policy bypass
[email protected] reports: 'Same-origin policy bypass in the Graphics: Canvas2D component.'...
Mozilla -- memory safety bugs
[email protected] reports: Memory safety bugs present in Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...
Mozilla -- Uninitialized memory
[email protected] reports: Uninitialized memory in the JavaScript Engine component...
Mozilla -- Denial-of-service due to out-of-memory
https://bugzilla.mozilla.org/show_bug.cgi?id=1975837 reports: Denial-of-service due to out-of-memory in the Graphics: WebRender component...
Mozilla -- memory corruption in GMP
[email protected] reports: An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process...
Gitlab -- vulnerabilities
Gitlab reports: Cross-site scripting issue in blob viewer impacts GitLab CE/EE; Cross-site scripting issue in labels impacts GitLab CE/EE; Cross-site scripting issue in Workitem impacts GitLab CE/EE; Improper Handling of Permissions issue in project API impacts GitLab CE/EE; Incorrect Privilege...
www/varnish7 -- Denial of Service in HTTP/2
Varnish Development Team reports: A denial of service attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker can create a large number of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for th...
nginx -- worker process memory disclosure
F5 reports: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 6 security fixes: 432035817 High CVE-2025-8879: Heap buffer overflow in libaom. Reported by Anonymous on 2025-07-15; 433533359 High CVE-2025-8880: Race in V8. Reported by Seunghyun Lee @0x10n on 2025-07-23; 435139154 High CVE-2025-8901: Out of bounds...
PostgreSQL -- vulnerabilities
PostgreSQL project reports: Tighten security checks in planner estimation functions. Prevent pg_dump scripts from being used to attack the user running the restore. Convert newlines to spaces in names included in comments in pg_dump output...
p5-Catalyst-Authentication-Credential-HTTP -- Insecure source of randomness
perl-catalyst project reports: Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. Data::UUID does not use a strong cryptographic source for generating UUIDs. Data::UUID returns v3 UUIDs, which are generated from known...
FreeBSD -- Integer overflow in libarchive leading to double free
Problem Description: An integer overflow in the archive_read_format_rar_seek_data function may lead to a double free problem. Impact: Exploiting a double free vulnerability can cause memory corruption. This in turn could enable a threat actor to execute arbitrary code. It might also result in denial o...
quiche -- Infinite loop triggered by connection ID retirement
Quiche Releases reports: This update includes 1 security fix: High CVE-2025-7054: Infinite loop triggered by connection ID retirement. Reported by Catena cyber on 2025-08-07...
chromium -- multiple security fixes
Chrome Releases reports: This update includes 12 security fixes: 414760982 Medium CVE-2025-8576: Use after free in Extensions. Reported by asnine on 2025-04-30; 384050903 Medium CVE-2025-8577: Inappropriate implementation in Picture In Picture. Reported by Umar Farooq on 2024-12-14; 423387026 Mediu...
Vieb -- Remote Code Execution via Visiting Untrusted URLs
Zhengyu Liu, Jianjia Yu, Jelmer van Arnhem report: We discovered a remote code execution (RCE) vulnerability in the latest release of the Vieb browser (v12.3.0). By luring a user to visit a malicious website, an attacker can achieve arbitrary code execution on the victim’s machine...
SQLite -- integer overflow in key info allocation
[email protected] reports: An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process memory v...
gdk-pixbuf2 -- a heap buffer overflow
[email protected] reports: A flaw exists in gdk-pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads...
Apache httpd -- evaluation always true
The Apache httpd project reports: 'RewriteCond expr' always evaluates to true in 2.4.64...
Gitlab -- vulnerabilities
Gitlab reports: Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE; Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE using CDNs; Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE; Improper Access Control issue impacts GitLab EE...
Mozilla -- HTTP Basic Authentication credentials leak
[email protected] reports: The username:password part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials...
Mozilla -- 'javascript:' URLs execution
[email protected] reports: Thunderbird executed javascript: URLs when used in object and embed tags...
Mozilla -- Persisted search terms in the URL bar
[email protected] reports: In some cases search terms persisted in the URL bar even after navigating away from the search page...
Mozilla -- IonMonkey-JIT bad stack write
[email protected] reports: On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits...
Mozilla -- Multiple vulnerabilities
[email protected] reports: Memory safety bugs present in Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Focus incorrectly truncated URLs towards the...
viewvc -- Arbitrary server filesystem content
cmpilato reports: The ViewVC standalone web server (standalone.py) is a script provided in the ViewVC distribution for the purposes of quickly testing a ViewVC configuration. This script can in particular configurations expose the contents of the host server's filesystem through a directory...
Mozilla -- XSLT document CSP bypass
[email protected] reports: XSLT document loading did not correctly propagate the source document which bypassed its CSP...
Mozilla -- Memory safety bugs
[email protected] reports: Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort som...
Mozilla -- Insufficient input escaping
[email protected] reports: Insufficient escaping in the Copy as cURL feature could potentially be used to trick a user into executing unexpected code...
Mozilla -- Ignored paths while checking navigations
[email protected] reports: Thunderbird ignored paths when checking the validity of navigations in a frame...
Mozilla -- Incorrect computation of branch address
[email protected] reports: On arm64, a WASM br_table instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address...
Mozilla -- CORS circumvention
[email protected] reports: Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding...
Mozilla -- nullptr dereference
[email protected] reports: The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref...
Mozilla -- cookie shadowing
[email protected] reports: Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the Secure attribute...
Mozilla -- Memory safety bugs
[email protected] reports: Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...
Mozilla -- Memory safety bugs
[email protected] reports: Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could hav...