Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

Latest Posts

CVE-2026-14570: Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery Timothy Legge (Jul 04)
========================================================================
CVE-2026-14570                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-14570
  Distribution:  Crypt-DSA
      Versions:  before 1.22

      MetaCPAN:  https://metacpan.org/dist/Crypt-DSA
      VCS Repo:  https://github.com/perl-Crypt-OpenPGP/Crypt-DSA

Crypt::DSA...

CVE-2026-12740: Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter Robert Rothenberg (Jul 04)
========================================================================
CVE-2026-12740                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-12740
  Distribution:  Plack-Middleware-OAuth
      Versions:  through 0.10

      MetaCPAN:  https://metacpan.org/dist/Plack-Middleware-OAuth
      VCS Repo: ...

CVE-2026-12746: Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter Robert Rothenberg (Jul 04)
========================================================================
CVE-2026-12746                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-12746
  Distribution:  Dancer2-Plugin-Auth-OAuth
      Versions:  before 0.23

      MetaCPAN: https://metacpan.org/dist/Dancer2-Plugin-Auth-OAuth
      VCS Repo:...

CVE-2026-49297: Apache Airflow Google provider: Path traversal via GCS object names → local/SFTP filesystem (GCSToSFTPOperator + GCSTimeSpanFileTransformOperator) Shahar Epstein (Jul 04)
Severity: moderate

Affected versions:

- Apache Airflow Google provider (apache-airflow-providers-google) before 22.2.1

Description:

Apache Airflow's Google provider operators `GCSToSFTPOperator` and `GCSTimeSpanFileTransformOperator` joined GCS object
names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment
check. A user with write access to the source GCS bucket...

Re: Wasm OCI Image Fetcher Bearer Realm SSRF Bypass Solar Designer (Jul 03)
Thanks. What does presence of this header guarantee in terms of lack of
human review? May it be set on messages that passed human review? If
not, it's tempting to block messages with that header from even reaching
the moderators.

I guess this also explains why messages are sent from a made-up address.

CC'ing another address for xylove21 now, maybe a real one. I also
forwarded my previous reply to there.

Alexander

Re: Wasm OCI Image Fetcher Bearer Realm SSRF Bypass h (Jul 03)
From email headers on at least the first and last emails, and probably
the others:
> X-Mailer: OpenClaw disclosure sender

I think it's safe to say that this is certainly an LLM, given that.

Re: Wasm OCI Image Fetcher Bearer Realm SSRF Bypass Solar Designer (Jul 03)
Hi,

I first wrote the below thinking I'd include xylove21 as a recipient,
but actually the address xylove21 () proton me does not exist. So it seems
these are four AI slops, and we should just ignore them and move on.
But I did approve them in case anyone cares to look into them, as well
as to show what's being sent to us.

We got 4 assorted vulnerability disclosures from you posted to
oss-security today. The first 3 I (as a...

Wasm OCI Image Fetcher Bearer Realm SSRF Bypass xylove21 (Jul 03)
# Security Disclosure Draft — Wasm OCI Image Fetcher Bearer Realm SSRF Bypass

**To**: security () istio io
**Cc**: cncf-kubernetes-istio-security () lists cncf io
**From**: 小青蟹 (xylove21) — Pentest role, on behalf of the audited organization
**Date**: 2026-06-25 (drafted); submission date TBD
**Subject**: 0-day in `pkg/wasm/imagefetcher.go` — Bearer realm SSRF bypass via hostname (Istio 1.29.1 – 1.30.2 and
master)
**CVSS...

[CONFIDENTIAL] cert-manager v1.15-v1.17+main — Reflected SSRF via Issuer.spec.vault.server (CVSS 7.2 HIGH) xylove21 (Jul 03)
From: xylove21 <xylove21 () proton me>
To: security () cert-manager io
Cc: cncf-kubernetes-cert-manager-security () lists cncf io
Subject: [CONFIDENTIAL] cert-manager v1.15-v1.17+main — Reflected SSRF via Issuer.spec.vault.server (CVSS 7.2 HIGH)
Date: 2026-06-28
Message-ID: <cert-manager-vault-issuer-ssrf-1782124830 () proton me>
Pre-flight token: ev_7fa7611407c7
X-Coordinated-Disclosure: 90 days (per FIRST.org / CNCF SIG-Security...

[CVE request] Apache APISIX 3.16.0 JWT-Auth Algorithm Confusion (Authentication Bypass, CVSS 9.8 CRITICAL) — no maintainer response in 9 days via GHSA Triage xylove21 (Jul 03)
From: xylove21 <xuy0515 () gmail com>
To: oss-security () lists openwall com
Cc: security () apache org
Subject: [CVE request] Apache APISIX 3.16.0 JWT-Auth Algorithm Confusion (Authentication Bypass, CVSS 9.8 CRITICAL) —
no maintainer response in 9 days via GHSA Triage

Hi oss-security,

Filing this publicly because the Apache APISIX project's GitHub Security
Advisory (...

[CVE request] Apache Kafka OAUTHBEARER authentication bypass via signed JWT clock skew (vulnerable 4.0.0 - 4.0.x, no maintainer response in 7 days) xylove21 (Jul 03)
From: xylove21 <xuy0515 () gmail com>
To: oss-security () lists openwall com
Cc: security () apache org
Subject: [CVE request] Apache Kafka OAUTHBEARER authentication bypass via signed JWT clock skew (vulnerable 4.0.0 -
4.0.x, no maintainer response in 7 days)

Hi oss-security,

Filing this publicly because Apache Kafka's security () apache org has not
responded to my private disclosure (sent 2026-06-12) or my two nudges
(2026-06-17)...

pandemic of incomplete error handling in the OpenSSL ecosystem Julian Andres Klode (Jul 03)
Hi folks,

apologies, Friday is not the best time for this, but
unfortunately this is public and widespread, so I felt
the need to cast as wide a net as possible.

# case 1: nuking errors before calling operations

This comes from the discussion in
https://github.com/openssl/openssl/issues/31624 and the original
bug in APT, that suggested we call ERR_clear_error() to clear
the OpenSSL error queue before performing TLS because there
was a stale...

CVE-2026-56015: Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length Robert Rothenberg (Jul 03)
========================================================================
CVE-2026-56015                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-56015
  Distribution:  Net-IP-LPM
      Versions:  through 1.10

      MetaCPAN:  https://metacpan.org/dist/Net-IP-LPM

Net::IP::LPM versions through 1.10 for Perl...

CVE-2026-47898: Apache Lucene.Net: XXE vulnerability in Lucene.Net.Analysis.Common PatternParser Paul Irwin (Jul 02)
Severity:

Affected versions:

- Apache Lucene.Net (Lucene.Net.Analysis.Common) 4.8.0-beta00005 before 4.8.0-beta00018

Description:

Improper Restriction of XML External Entity Reference vulnerability in Apache Lucene.Net (Lucene.Net.Analysis.Common
library).

This issue affects Apache Lucene.Net.Analysis.Common: from 4.8.0-beta00005 before 4.8.0-beta00018.

Users are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue....

CVE-2026-47897: Apache Lucene.Net: Arbitrary file write from malicious server to Lucene.Net.Replicator client Paul Irwin (Jul 02)
Severity:

Affected versions:

- Apache Lucene.Net (Lucene.Net.Replicator) 4.8.0-beta00005 before 4.8.0-beta00018

Description:

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net
(Lucene.Net.Replicator library).

This issue affects Apache Lucene.Net.Replicator: from 4.8.0-beta00005 before 4.8.0-beta00018.

Users are recommended to upgrade to version 4.8.0-beta00018, which...
