Messages by Thread
-
[oss-security] CVE-2026-14570: Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery
Timothy Legge
-
[oss-security] CVE-2026-12740: Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter
Robert Rothenberg
-
[oss-security] CVE-2026-12746: Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter
Robert Rothenberg
-
[oss-security] CVE-2026-49297: Apache Airflow Google provider: Path traversal via GCS object names → local/SFTP filesystem (GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)
Shahar Epstein
-
[oss-security] Wasm OCI Image Fetcher Bearer Realm SSRF Bypass
xylove21
-
[oss-security] [CONFIDENTIAL] cert-manager v1.15-v1.17+main — Reflected SSRF via Issuer.spec.vault.server (CVSS 7.2 HIGH)
xylove21
-
[oss-security] [CVE request] Apache APISIX 3.16.0 JWT-Auth Algorithm Confusion (Authentication Bypass, CVSS 9.8 CRITICAL) — no maintainer response in 9 days via GHSA Triage
xylove21
-
[oss-security] [CVE request] Apache Kafka OAUTHBEARER authentication bypass via signed JWT clock skew (vulnerable 4.0.0 - 4.0.x, no maintainer response in 7 days)
xylove21
-
[oss-security] pandemic of incomplete error handling in the OpenSSL ecosystem
Julian Andres Klode
-
[oss-security] CVE-2026-56015: Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length
Robert Rothenberg
-
[oss-security] CVE-2026-47898: Apache Lucene.Net: XXE vulnerability in Lucene.Net.Analysis.Common PatternParser
Paul Irwin
-
[oss-security] CVE-2026-47897: Apache Lucene.Net: Arbitrary file write from malicious server to Lucene.Net.Replicator client
Paul Irwin
-
[oss-security] CVE-2026-47896: Apache Lucene.Net: Unauthenticated arbitrary file read on the Lucene.Net.Replicator replication server
Paul Irwin
-
[oss-security] CVE-2026-43503: Analysis of the "DirtyClone" Linux LPE (Dirty Frag family variant)
Or Peles
-
[oss-security] CVE-2026-54161: NUT upsmon: remote OS command injection via ups.alarm in NOTIFYCMD - fixed in PR #3499 (affects 2.8.3–2.8.5)
pro Err0r
-
[oss-security] Vinyl Cache / Varnish Cache HTTP/2 parsing deficiency [CVE-2026-50052]
Alan Coopersmith
-
[oss-security] Fwd: libevent 2.1.13-stable contains several security fixes
Alan Coopersmith
-
[oss-security] CVE-2025-15646: HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion
Robert Rothenberg
-
[oss-security] CVE-2026-56016: CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources
Robert Rothenberg
-
[oss-security] check_icmp (Monitoring Plugins): host-count overflow leads to heap buffer overflow in setuid-root binary
Holger Weiß
-
[oss-security] CVE-2026-54399: Apache HttpComponents Core: Unbounded HTTP Header/Line Length in Default Configuration
Oleg Kalnichevski
-
[oss-security] CVE-2026-54428: Apache HttpComponents Core: HPackDecoder Unlimited Header List Size Before SETTINGS ACK
Oleg Kalnichevski
-
[oss-security] OFFIS DCMTK: 5 CISA-coordinated DICOM vulnerabilities
Abhinav Agarwal
-
[oss-security] CVE-2026-13766: DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers
Robert Rothenberg
-
[oss-security] CVE-2026-57079 through CVE-2026-57082: Multiple vulnerabilities in Net::BitTorrent versions through 2.0.1 for Perl
Robert Rothenberg
-
[oss-security] CVE-2025-53648: Apache Gravitino: SQL misconfiguration can access or truncate files
Jerry Shao
-
[oss-security] hostapd: OOB write in Wi-Fi 7 MLD association parsing (pre-auth DoS)
Abhinav Agarwal
-
[oss-security] CVE-2026-53917: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker: Unbounded memory allocation in OpenWire property unmarshalling
Christopher L. Shannon
-
[oss-security] CVE-2026-55957: Apache Tomcat: Authentication bypass with JNDIRealm and GSSAPI authenticated bind
Mark Thomas
-
[oss-security] CVE-2026-55956: Apache Tomcat: Security constraints for default servlet ignored method
Mark Thomas
-
[oss-security] CVE-2026-55955: Apache Tomcat: EncryptInterceptor not protected against replay attacks
Mark Thomas
-
[oss-security] CVE-2026-53916: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: Unbounded header buffer in STOMP NIO codec
Christopher L. Shannon
-
[oss-security] CVE-2026-55276: Apache Tomcat: Logged effective web.xml is incomplete
Mark Thomas
-
[oss-security] CVE-2026-53434: Apache Tomcat: Invalid CRL configuration doesn't trigger failure for FFM Connector
Mark Thomas
-
[oss-security] CVE-2026-53404: Apache Tomcat: Bad ornext processing in RewriteValve
Mark Thomas
-
[oss-security] CVE-2026-54475: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Temporary destination ownership takeover
Christopher L. Shannon
-
[oss-security] CVE-2026-50229: Apache Tomcat: XSS in number guess example
Mark Thomas
-
[oss-security] CVE-2026-13758: CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path
Stig Palmquist
-
[oss-security] CVE-2026-13593: CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away
Robert Rothenberg
-
[oss-security] CVE-2026-56018: JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth
Robert Rothenberg
-
[oss-security] CVE-2026-56017: JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash
Robert Rothenberg
-
[oss-security] CVE-2026-52760: Apache ActiveMQ, Apache ActiveMQ Web Console: Stored XSS via Unescaped values in ActiveMQ Web Console
Christopher L. Shannon
-
[oss-security] CVE-2026-50750: Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Pre-authentication OpenWire DoS following fix for CVE-2026-49270
Christopher L. Shannon
-
[oss-security] CVE-2026-50734: Apache ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ All: Pre-authentication OpenWire memory-allocation DoS during wire format negotiation
Christopher L. Shannon
-
[oss-security] CVE-2026-49877: Apache ActiveMQ: Authenticated web users retain admin access by default in the Web Console
Christopher L. Shannon
-
[oss-security] CVE-2026-49434: Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: LdapNetworkConnector instantiates denied transports and a remote-properties broker
Christopher L. Shannon
-
[oss-security] CVE-2026-49432: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: STOMP negative content-length enables denial of service
Christopher L. Shannon
-
[oss-security] CVE-2025-70101: lwext4 out-of-bounds read in ext4_ext_binsearch_idx
shvedov
-
[oss-security] CVE-2025-70100: lwext4 divide-by-zero in ext4_block_set_lb_size
shvedov
-
[oss-security] CVE-2025-70099: lwext4 NULL pointer dereference in ext4_dir_en_get_name_len
shvedov
-
[oss-security] CVE-2023-0645: libjxl/cjxl out-of-bounds read in EXIF metadata parsing
Alexander A. Shvedov
-
[oss-security] Symlink Traversal Privilege Escalation via getfattr/setfattr, getfacl/setfacl/chacl, libacl
Andreas Gruenbacher
-
[oss-security] [Security advisory] FreeHSM C v1.1.0 - v1.2.1 : raw CKM_ECDSA signatures not externally verifiable (fixed in v1.2.2 ; v1.3.0 extends boot KAT regression guard to 6/7 surfaces)
Afchine Mad
-
[oss-security] [vim-security] Arbitrary Code Execution via PHP Omni-Completion in Vim < 9.2.0736
Christian Brabandt
-
[oss-security] fetchmail's NTLM authentication vulnerable to stack buffer overflow up to release 6.6.6 (FW: The 6.6.7.rc1 release candidate is available (security fix for NTLM protocol, possible RCE))
Matthias Andree
-
[oss-security] n8n: SSRF remains exploitable in default configuration (incomplete fix, no CVE)
Akshat Sinha
-
[oss-security] [vim-security] Arbitrary Code Execution via C Omni-Completion in Vim < 9.2.0735
Christian Brabandt
-
[oss-security] CVE-2025-60474: Heap-based Buffer Overflow in GPAC/MP4Box via gf_media_import on crafted MPEG-2 TS file
Alexander A. Shvedov
-
[oss-security] CVE-2025-60467: Use-After-Free in GPAC/MP4Box via gf_filter_pid_inst_swap_delete_task on crafted MPEG-2 TS file
Alexander A. Shvedov
-
[oss-security] CVE-2025-60473: NULL Pointer Dereference in GPAC/MP4Box via gf_filter_in_parent_chain on crafted MPEG-2 TS file
Alexander A. Shvedov
-
[oss-security] CVE-2025-60466: Expired Pointer Dereference in GPAC/MP4Box via gf_filter_pid_get_packet on crafted MPEG-2 TS file
Alexander A. Shvedov
-
[oss-security] CVE-2025-60465: Use-After-Free in GPAC/MP4Box via gf_filter_pid_inst_swap on crafted MPEG-2 TS file
Alexander A. Shvedov
-
[oss-security] CVE-2026-57915: Apache Kerby: Kerberos Pre-Authentication Bypass
Colm O hEigeartaigh
-
[oss-security] CVE-2026-57914: Apache Kerby: StackOverflow on parsing deeply nested ASN1 structures
Colm O hEigeartaigh
-
[oss-security] CVE-2026-11702: Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes
Robert Rothenberg
-
[oss-security] CVE-2026-11625: Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes
Robert Rothenberg
-
[oss-security] CVE-2025-60464: NULL Pointer Dereference in GPAC/MP4Box via gf_sei_load_from_state_internal on crafted MPEG-2 TS file
Alexander A. Shvedov
-
[oss-security] CVE-2025-60471: Use-After-Free in GPAC/MP4Box via gf_filter_pid_reconfigure_task_discard on crafted MPEG-2 TS file
Alexander A. Shvedov
-
[oss-security] CVE-2025-55639: NULL Pointer Dereference in GPAC/MP4Box via gf_isom_add_track_kind on crafted MP4 file
Alexander A. Shvedov
-
[oss-security] CVE-2026-49486: Apache Airflow FTP provider: FTP Provider does not protect FTPS data channel (missing PROT_P)
Shahar Epstein
-
[oss-security] Several vulnerabilities were found in NLnet Labs NSD
Willem Toorop
-
[oss-security] CVE-2026-12844: List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function
Paul Johnson
-
[oss-security] libexpat 2.8.2 fixes 14 vulnerabilities (integer overflow, out-of-bounds write, ..)
Sebastian Pipping
-
[oss-security] PowerDNS Security Advisory 2026-09 for DNSdist: Multiple issues
Remi Gacogne
-
[oss-security] PowerDNS Security Advisory 2026-08 for PowerDNS Recursor: Multiple issues
Otto Moerbeek
-
[oss-security] PowerDNS Security Advisory 2026-07: Insufficient input validation of internal web server
Miod Vallat
-
[oss-security] CVE-2026-54226: Apache Kvrocks: RESTORE IntSet Integer Overflow Leads to Remote DoS
Hulk Lin
-
[oss-security] CVE-2026-46752: Apache Kvrocks: Stack buffer overflow in Lua bit.tohex()
Hulk Lin
-
[oss-security] CVE-2026-46751: Apache Kvrocks: Does not remove the unsafe loadstring function from its Lua sandbox, allowing a user who can run EVAL scripts to load crafted, unvalidated bytecode that crashes the server process, resulting in a remote denial of service.
Hulk Lin
-
[oss-security] CVE-2026-45188: Apache Kvrocks: Replication Fullsync Path Traversal via Unvalidated Filename Handling
Hulk Lin
-
[oss-security] CVE-2026-41566: Apache Kvrocks: Improper permission for the APPLYBATCH command
Hulk Lin
-
[oss-security] [vim-security] Out-of-bounds Write in SAL Soundfolding in Vim < 9.2.0725
Christian Brabandt
-
[oss-security] CVE-2026-56130: Apache Shiro: Remember-me cookie isn't checked for expiry on the server
Lenny Primak
-
[oss-security] CVE-2026-56091: Apache Shiro: Authentication bypass in Guice-Web integration
Lenny Primak
-
[oss-security] [SECURITY ADVISORIES] for curl 8.21.0
Daniel Stenberg
-
[oss-security] libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high)
James Addison
-
[oss-security] Plone: various security fixes 20260623
Maurits van Rees
-
[oss-security] icalendar: Denial of Service CVE-2026-55099
Maurits van Rees
-
[oss-security] [CVE-2026-50160] Hoppscotch: Unauthenticated JWT Secret Overwrite (CVSS 10.0)
Aditi Bhatnagar
-
[oss-security][CVE-2026-11940] Cpython: tarfile extraction filter bypass allows escaping the destination directory
Alan Coopersmith
-
[oss-security] [OSSA-2026-024] OpenStack Swift: Swift proxy-server SSRF via header injection (CVE-2026-50221)
Goutham Pacha Ravi
-
[oss-security] CVE-2026-55556: rsyslog imhttp Basic Auth heap overflow
Rainer Gerhards
-
[oss-security] pwnlift: symlink following and TOCTOU in privileged upload handler allow arbitrary file write as root
GregD
-
[oss-security] CVE-2026-9733: Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter
Robert Rothenberg
-
[oss-security] Common PKCS#7 / CMS parsing issues in OpenSSL, WolfSSL, Bouncy Castle, & GnuPG
Alan Coopersmith
-
[oss-security] CVE-2026-11373: Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections
Robert Rothenberg
-
[oss-security] CVE-2026-6653: libxml2: use after free in xmlParseInternalSubset (>=2.9.11, <2.11.0)
Sudhakar Verma
-
[oss-security] CVE-2025-66336: Apache Doris MCP Server: SQL injection leading the authentication bypass
Calvin Kirs
-
[oss-security] [vim-security] Arbitrary Code Execution via Python Omni-Completion Docstrings in Vim < 9.2.0699
Christian Brabandt
-
[oss-security] [vim-security] Out-of-bounds Write in SOFO Soundfolding in Vim < 9.2.0698
Christian Brabandt
-
[oss-security] CVE-2026-54665: Apache NiFi: Missing Validation for Proxy Host Headers
David Handermann
-
[oss-security] CVE-2026-44914: Apache NiFi: Missing Authorization of Restricted Permissions when Replacing Flow Contents
David Handermann
-
[oss-security] CVE-2026-44913: Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL
David Handermann
-
[oss-security] CVE-2026-44911: Apache NiFi: Incorrect Authorization for Configuration Verification Requests
David Handermann
-
[oss-security] [vim-security] Out-of-bounds Read with Text Properties in Vim >= 9.2.0320 && Vim < 9.2.0679
Christian Brabandt
-
[oss-security] [vim-security] PowerShell Command Injection in zip.vim via Crafted Archive Entry Names in Vim > 9.1.1783 && Vim < 9.2.0678
Christian Brabandt
-
[oss-security] CVE-2025-62198: Apache Atlas: Stored XSS in Create Entity page
Madhan Neethiraj
-
[oss-security] CVE-2026-49872: Apache APISIX: Improper authentication in cas-auth plugin
Abhishek Choudhary
-
[oss-security] CVE-2026-49871: Apache APISIX: cas-auth login CSRF / session injection issue
Abhishek Choudhary
-
[oss-security] CVE-2026-49231: Apache APISIX: Identity spoofing issue in APISIX opa plugin
Abhishek Choudhary
-
[oss-security] CVE-2026-49230: Apache APISIX: Authentication bypass in jwe-decrypt
Abhishek Choudhary
-
[oss-security] CVE-2026-48895: Apache APISIX: Cas-auth Host header influence on CAS service URL
Abhishek Choudhary
-
[oss-security] CVE-2026-47341: Apache APISIX: Session replay issue in hmac-auth
Abhishek Choudhary
-
[oss-security] CVE-2026-47339: Apache APISIX: authz-casdoor incorrect session sharing
Abhishek Choudhary
-
[oss-security] CVE-2026-44915: Apache APISIX: Cas-auth plugin open redirect via unsanitized cookie value
Abhishek Choudhary
-
[oss-security] CVE-2026-44087: Apache APISIX: Openid-connect plugin Identity Header Spoofing
Abhishek Choudhary
-
[oss-security] CVE-2026-44046: Apache APISIX: wolf-rbac plugin Identity Spoofing
Abhishek Choudhary
-
[oss-security] CVE-2026-39999: Apache APISIX: JWT Algorithm Confusion allows authentication bypass
Abhishek Choudhary
-
[oss-security] CVE-2026-39998: Apache APISIX: Identity Injection via forward-auth Plugin Missing Header Cleanup
Abhishek Choudhary
-
[oss-security] OpenBSD mpls_do_error: Remote Kernel Stack Disclosure via MPLS Label Stack Over-read
shj
-
[oss-security] [containerd] Patch releases addressing CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, and CVE-2026-47262
Samuel Karp
-
[oss-security] [vim-security] Out-of-bounds Read with libsodium-encrypted Files in Vim < 9.2.0671
Christian Brabandt
-
[oss-security] CVE-2026-9692: Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely
Robert Rothenberg
-
[oss-security] [CVE-2026-43495] Linux kernel: slab out-of-bounds read in MediaTek t7xx WWAN driver
Pavitra Jha
-
[oss-security] [vim-security] Out-of-bounds Read in Text Property Count in Vim < 9.2.0670
Christian Brabandt
-
[oss-security] CVE-2026-49268: Apache Shiro: LDAP DN Injection in DefaultLdapRealm
Lenny Primak
-
[oss-security] CVE-2026-41280: Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects
Wenjun Ruan
-
[oss-security] CVE-2026-49050: Apache DolphinScheduler: General user can mint admin access tokens via /access-tokens
Wenjun Ruan
-
[oss-security] CVE-2026-47340: Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated users to access alert instances associated with alert groups they do not have permission to access.
Wenjun Ruan
-
[oss-security] CVE-2026-42357: Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.
Wenjun Ruan
-
[oss-security] CVE-2026-32967: Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks
Wenjun Ruan
-
[oss-security] CVE-2026-32966: Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure
Wenjun Ruan
-
[oss-security] [CVE-2026-36849] libtiff: Denial of Service via large SamplesPerPixel tag
Ryo utomo
-
[oss-security] [vim-security] Vimscript Code Injection in netrw NetrwLocalRmFile() via crafted filename affects Vim < 9.2.0663
Christian Brabandt
-
[oss-security] [vim-security] Out-of-bounds Write in Spell File Prefix Dump in Vim < 9.2.0662
Christian Brabandt
-
[oss-security] [OSSN-0100] Ironic: Command Injection in IPA (CVE-2026-43003)
Jay Faulkner
-
[oss-security] [OSSA-2026-023] Ironic: Sensitive properties returned unredacted in POST and PATCH HTTP responses (CVE-2026-54421)
Jay Faulkner
-
[oss-security] OpenBSD sppp_pap_input: PAP authentication bypass
shj
-
[oss-security][CVE-2026-12003] CPython In-tree (development) search paths can be enabled without modifying install directory
Alan Coopersmith
-
[oss-security] Pacemaker: Denial of Service via integer overflow in remote message decompression (CVE-2026-10649)
Marco Benatto
-
[oss-security] [OSSA-2026-022] OpenStack Nova: Nova scheduler hint injection bypasses Placement resource claims and scheduling constraints (CVE-2026-46448)
Goutham Pacha Ravi
-
[oss-security] CVE-2026-50203: Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory allows local file write outside the destination directory via malicious server-supplied directory-entry names
Jarek Potiuk
-
[oss-security] 'rcp' and friends meet escape characters and quoting
Collin Funk
-
[oss-security] Fwd: gsasl-2.2.4 released - fixes heap disclosure
Alan Coopersmith
-
[oss-security] CVE-2026-11832: Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce
Robert Rothenberg
-
[oss-security] CVE-2026-12087: Socket versions before 2.041 for Perl have an out-of-bounds heap read
Robert Rothenberg
-
[oss-security] [vim-security] Out-of-bounds Write in Spell File Word Count in Vim < 9.2.0653
Christian Brabandt
-
[oss-security] tmux 3.6b fixes CVE-2026-11623
Alan Coopersmith
-
[oss-security] CVE-2026-12205: Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery
Timothy Legge
-
[oss-security] CVE-2026-11527: Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle
Paul Johnson
-
[oss-security] CVE-2026-11526: GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle
Paul Johnson
-
[oss-security] CVE-2025-52292: Stack-based Buffer Overflow in GPAC/MP4Box via filein_process on crafted MP4 file during DASH segmentation
shvedov
-
[oss-security] CVE-2025-55662: Divide by Zero in GPAC/MP4Box via gf_opus_parse_packet_header on crafted MP4 file with malformed Opus header
shvedov
-
[oss-security] CVE-2025-52293: Out-of-bounds Read in GPAC/MP4Box via gf_hevc_read_sps_bs_internal on crafted HEVC SPS in MP4 file
shvedov
-
[oss-security] CVE-2025-55651: NULL Pointer Dereference in GPAC/MP4Box via gf_isom_get_user_data_count on truncated MP4 input
shvedov
-
[oss-security] CVE-2025-55659: NULL Pointer Dereference in GPAC/MP4Box via ctts_box_write on crafted MP4 file with negative timestamps
shvedov
-
[oss-security] CVE-2025-55657: NULL Pointer Dereference in GPAC/MP4Box via gf_odf_vvc_cfg_write_bs on crafted MP4 file with unsupported vvc16 box
shvedov
-
[oss-security] CVE-2025-55660: Stack-based Buffer Overflow in GPAC/MP4Box via gf_opus_read_length on crafted MP4 file with malformed Opus packet
shvedov
-
[oss-security] CVE-2025-55663: NULL Pointer Dereference in GPAC/MP4Box via Track_SetStreamDescriptor on crafted MP4 with unknown svcC box in av01
shvedov
-
[oss-security] CVE-2025-55661: Heap-based Buffer Overflow in GPAC/MP4Box via gf_opus_parse_packet_header on crafted MP4 file with malformed Opus packet
shvedov
-
[oss-security] CVE-2025-55650: Use-After-Free in GPAC/MP4Box via gf_svg_node_del on crafted MP4 file processed with -svg
shvedov
-
[oss-security] CVE-2025-55649: NULL Pointer Dereference in GPAC/MP4Box via gf_media_map_esd on crafted MP4 with corrupted ESD data
shvedov
-
[oss-security] CVE-2025-55648: Heap-based Buffer Overflow in GPAC/MP4Box via gf_opus_parse_packet_header on crafted MP4 with corrupted stsz data
shvedov
-
[oss-security] CVE-2025-55641: NULL Pointer Dereference in GPAC/MP4Box via gf_isom_copy_sample_info on crafted MP4 file with corrupted SAI metadata
shvedov
-
[oss-security] CVE-2025-55642: Divide by Zero in GPAC/MP4Box via avidmx_process on crafted AVI input with zero declared frames
shvedov
-
[oss-security] CVE-2025-55647: Integer Overflow in GPAC/MP4Box via mp4_mux_cenc_insert_pssh on crafted MP4 with oversized PSSH metadata
shvedov
-
[oss-security] CVE-2025-55645: Heap-based Buffer Overflow in GPAC/MP4Box via gf_cenc_set_pssh on crafted MP4 with oversized PSSH payload
shvedov
-
[oss-security] CVE-2025-55643: NULL Pointer Dereference in GPAC/MP4Box via TrackWriter handling on crafted MP4 with malformed mvcC/stsz metadata during DASH segmentation
shvedov
-
[oss-security] CVE-2025-55652: Heap-based Buffer Overflow in GPAC/MP4Box via gf_isom_vp_config_new on crafted MP4 with malformed VP codec configuration
shvedov
-
[oss-security] CVE-2025-55644: Use-After-Free in GPAC/MP4Box via gf_node_get_tag on crafted MP4 file with invalid BIFS GlobalQuantizer command
shvedov
-
[oss-security] CVE-2026-41579: runc allows a malicious image with a /dev symlink to trigger limited host filesystem integrity violations
Aleksa Sarai
-
[oss-security] CVE-2026-9641: Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations
Robert Rothenberg
-
[oss-security] CVE-2026-9638: Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts
Robert Rothenberg
-
[oss-security] CVE-2017-20240: Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks
Robert Rothenberg
-
[oss-security] CVE-2026-33590: Insecure default settings of Portainer < 2.38.0 allow host takeover
Dimitris Glynos
-
[oss-security] Squid CVE-2026-47729 and CVE-2026-50012
Amos Jeffries
-
[oss-security] CVE-2026-50645: Apache CXF: No restriction on attachment headers per message
Colm O hEigeartaigh
-
[oss-security] CVE-2026-50634: Apache CXF: WS JSON request filter trusts metadata from an unvalidated first signature entry
Colm O hEigeartaigh
-
[oss-security] CVE-2026-50633: Apache CXF: JNDI Injection vulnerability in DispatchMDBMessageListenerImpl
Colm O hEigeartaigh
-
[oss-security] CVE-2026-50632: Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory
Colm O hEigeartaigh
-
[oss-security] CVE-2026-50631: Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing
Colm O hEigeartaigh