
Open Source Security Mailing List
Discussion of security flaws, concepts, and practices in the Open Source community
List Archives
Messages per quarter:

Year    Jan–Mar   Apr–Jun   Jul–Sep   Oct–Dec
2026        431      1080        11         –
2025        262       289       251       361
2024        358       314       293       183
2023        220       284       269       356
2022        212       220       239       273
2021        281       236       193       182
2020        131       219       211       241
2019        199       237       257       176
2018        287       256       284       279
2017        701       658       596       437
2016        738       637       689       788
2015       1068       839       658       618
2014        714       711       886      1185
2013        777       648       688       583
2012        815       578       591       549
2011        640       738       550       591
2010        291       376       465       383
2009        250       264       272       304
2008        206       390       402       358
Latest Posts
Re: check_icmp (Monitoring Plugins): host-count overflow leads to heap buffer overflow in setuid-root binary
Michael Orlitzky (Jul 01)
If anyone was wondering, nagios-plugins has the same problem.
Fix: https://github.com/nagios-plugins/nagios-plugins/pull/833
CVE-2026-54161: NUT upsmon: remote OS command injection via ups.alarm in NOTIFYCMD - fixed in PR #3499 (affects 2.8.3–2.8.5)
pro Err0r (Jul 01)
Hello,
A remote OS command injection (CWE-78) in Network UPS Tools (NUT) upsmon,
affecting 2.8.3, 2.8.4 and 2.8.5 (and pre-fix git master). Not affected:
2.8.2 and earlier.
CVE-2026-54161
Advisory:
https://github.com/networkupstools/nut/security/advisories/GHSA-mjgp-j4gm-6qg5
Fix: https://github.com/networkupstools/nut/pull/3499
## Detail
When a monitored UPS reports ALARM and the operator has NOTIFYCMD set with
"NOTIFYFLAG ALARM...
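The post above describes OS command injection through the ups.alarm value reaching NOTIFYCMD. The C below is an added illustration of that bug class, not upsmon's code, and it makes no claim about the exact code path in NUT (the page does not show it). It contrasts a notify hook that splices the alarm text into a line run by /bin/sh with one that hands the text to the program as a single argv element. /bin/echo stands in for the operator's NOTIFYCMD, the alarm string is constructed, and the function names are assumptions for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed alarm text, as a hostile upsd could report it in ups.alarm.
   Everything after the ';' is the injected command. */
#define ALARM_PAYLOAD "Battery low; echo INJECTED"

/* Vulnerable shape: the alarm text is spliced into a command line that is
   handed to /bin/sh (popen is "sh -c"), so shell metacharacters in it are
   interpreted. The child's stdout is captured into buf. */
int notify_via_shell(const char *notifycmd, const char *alarm, char *buf, size_t len)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s %s", notifycmd, alarm);
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    size_t n = fread(buf, 1, len - 1, p);
    buf[n] = '\0';
    return pclose(p);
}

/* Hardened shape: the alarm text is one argv element and no shell is
   involved, so the ';' is just a byte inside the argument the program sees. */
int notify_via_argv(const char *notifycmd, const char *alarm, char *buf, size_t len)
{
    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                     /* child: stdout -> pipe, then exec */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        char *const argv[] = { (char *)notifycmd, (char *)alarm, NULL };
        execv(notifycmd, argv);
        _exit(127);                     /* exec failed */
    }
    close(fds[1]);                      /* parent: read everything the child wrote */
    size_t total = 0;
    ssize_t n;
    while (total < len - 1 && (n = read(fds[0], buf + total, len - 1 - total)) > 0)
        total += (size_t)n;
    buf[total] = '\0';
    close(fds[0]);
    int status = -1;
    waitpid(pid, &status, 0);
    return status;
}

/* 1 if the injected command actually ran (INJECTED appears as its own output
   line), 0 if the whole alarm string was delivered as data. */
int injection_occurred(const char *output)
{
    return strncmp(output, "INJECTED", 8) == 0 || strstr(output, "\nINJECTED") != NULL;
}

int main(void)
{
    char out[256];
    notify_via_shell("/bin/echo", ALARM_PAYLOAD, out, sizeof out);
    printf("via shell:\n%s-> injected=%d\n", out, injection_occurred(out));
    notify_via_argv("/bin/echo", ALARM_PAYLOAD, out, sizeof out);
    printf("via argv:\n%s-> injected=%d\n", out, injection_occurred(out));
    return 0;
}
```

The shell variant prints "Battery low" and then "INJECTED" on its own line, because sh parsed the ';'. The argv variant prints the whole alarm string, semicolon included, as one line. Quoting or escaping the value before interpolation is the brittle alternative; keeping the shell out of the path is the fix that holds for every metacharacter.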
Vinyl Cache / Varnish Cache HTTP/2 parsing deficiency [CVE-2026-50052]
Alan Coopersmith (Jul 01)
https://vinyl-cache.org/security/VSV00019.html says:
[See https://vinyl-cache.org/security/VSV00019.html for full details.]
https://blog.calif.io/p/mad-bugs-my-cousin-vinyl-cve-2026 provides the story of
how it was found by the researcher.
Fwd: libevent 2.1.13-stable contains several security fixes
Alan Coopersmith (Jul 01)
[None of the GHSAs list CVE IDs at this time. -alan-]
-------- Forwarded Message --------
Subject: libevent 2.1.13-stable
Date: Wed, 1 Jul 2026 05:31:52 -0700
From: Kevin Bowling <kevin.bowling () kev009 com>
To: distributions () lists linux dev
https://github.com/libevent/libevent/releases/tag/release-2.1.13-stable
(and https://github.com/libevent/libevent/releases/tag/release-2.2.2-alpha)
are primarily security releases and...
CVE-2025-15646: HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion
Robert Rothenberg (Jul 01)
========================================================================
CVE-2025-15646 CPAN Security Group
========================================================================
CVE ID: CVE-2025-15646
Distribution: HTML-Gumbo
Versions: before 0.19
MetaCPAN: https://metacpan.org/dist/HTML-Gumbo
VCS Repo: ...
CVE-2026-56016: CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources
Robert Rothenberg (Jul 01)
========================================================================
CVE-2026-56016 CPAN Security Group
========================================================================
CVE ID: CVE-2026-56016
Distribution: CGI-Session
Versions: before 4.49
MetaCPAN: https://metacpan.org/dist/CGI-Session
VCS Repo: ...
check_icmp (Monitoring Plugins): host-count overflow leads to heap buffer overflow in setuid-root binary
Holger Weiß (Jul 01)
We released Monitoring Plugins 3.0.1, which fixes a security issue in
the check_icmp plugin.
Product: Monitoring Plugins (check_icmp)
Date: 2026-07-01
Severity: High (CVSS 3.1: 7.0, CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE: requested, not yet assigned
CWE: CWE-190 (Integer Overflow or Wraparound),
CWE-787 (Out-of-bounds Write)
Affected: check_icmp 3.0.0 (introduced in v3.0.0-rc1)
Fixed in: Monitoring...
CVE-2026-54399: Apache HttpComponents Core: Unbounded HTTP Header/Line Length in Default Configuration
Oleg Kalnichevski (Jul 01)
Severity: important
Affected versions:
- Apache HttpComponents Core (org.apache.httpcomponents.core5:httpcore5) 5.5-beta1
- Apache HttpComponents Core (org.apache.httpcomponents.core5:httpcore5) 5.4.2
Description:
Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (5.4.2 and
earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory...
CVE-2026-54428: Apache HttpComponents Core: HPackDecoder Unlimited Header List Size Before SETTINGS ACK
Oleg Kalnichevski (Jul 01)
Severity: Important
Affected versions:
- Apache HttpComponents Core (org.apache.httpcomponents.core5:httpcore5-h2) 5.5-beta1
- Apache HttpComponents Core (org.apache.httpcomponents.core5:httpcore5-h2) 5.4.2
Description:
Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2
and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory...
Re: hostapd: OOB write in Wi-Fi 7 MLD association parsing (pre-auth DoS)
Abhinav Agarwal (Jul 01)
MITRE assigned CVE-2026-58374 with a CVSS score of 6.5
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-- Abhinav
OFFIS DCMTK: 5 CISA-coordinated DICOM vulnerabilities
Abhinav Agarwal (Jul 01)
CISA has published an advisory for five vulnerabilities in OFFIS DCMTK
(DICOM Toolkit), affecting DCMTK <= 3.7.0:
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01
Fix status:
The fixes are in upstream DCMTK master but not any release as of today
https://github.com/DCMTK/dcmtk/releases/tag/latest
Vulnerabilities and fixes:
1. CVE-2026-50003 - bit-preserving C-GET path traversal - CVSS v3.1: 9.8 Critical
Fix:...
CVE-2026-13766: DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers
Robert Rothenberg (Jun 30)
========================================================================
CVE-2026-13766 CPAN Security Group
========================================================================
CVE ID: CVE-2026-13766
Distribution: DBIx-QuickORM
Versions: before 0.000026
MetaCPAN: https://metacpan.org/dist/DBIx-QuickORM
VCS Repo: ...
CVE-2026-57079 through CVE-2026-57082: Multiple vulnerabilities in Net::BitTorrent versions through 2.0.1 for Perl
Robert Rothenberg (Jun 30)
========================================================================
CVE-2026-57079 CPAN Security Group
========================================================================
CVE ID: CVE-2026-57079
Distribution: Net-BitTorrent
Versions: through 2.0.1
MetaCPAN: https://metacpan.org/dist/Net-BitTorrent
VCS Repo: ...
CVE-2025-53648: Apache Gravitino: SQL misconfiguration can access or truncate files
Jerry Shao (Jun 30)
Severity: low
Affected versions:
- Apache Gravitino (org.apache.gravitino:catalog-jdbc-common) 0.5.0 before 1.0.0
Description:
SQL misconfiguration in the Gravitino UI, in versions 1.0.0 and below, can allow a malicious user to read or truncate files.
Users are recommended to upgrade to version 1.0.0, which fixes this issue.
Credit:
A1kaid@ThreatBook VulTeam (reporter)
Le1a@ThreatBook VulTeam (finder)
References:...
hostapd: OOB write in Wi-Fi 7 MLD association parsing (pre-auth DoS)
Abhinav Agarwal (Jun 29)
A Wi-Fi 7 / IEEE 802.11be MLD parsing issue in hostapd AP mode has
been fixed upstream:
https://w1.fi/security/2026-1/missing-ml-parsing-validation.txt
Issue:
Missing link ID validation in hostapd_process_ml_assoc_req()
(src/ap/ieee802_11_eht.c). link_id is masked with 0x000f
(values 0-15), but links[] only has valid entries 0..14
(MAX_NUM_MLD_LINKS=15). A crafted Per-STA Profile with
link_id=15 can write past the end of links[]...
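The post above gives enough of the bug to reconstruct its shape: a Link ID masked with 0x000f can be 0..15, while links[] has MAX_NUM_MLD_LINKS (15) entries indexed 0..14. The C below is an added illustration, not hostapd's code. It decodes a constructed Per-STA Profile subelement (subelement ID 0, a length byte, then the 2-byte little-endian STA Control field whose low four bits carry the Link ID, per IEEE 802.11be), shows the masked value trusted as an index stepping one byte past a simplified links[] into a guard byte, and the bounds check that prevents it. The struct layout, the one-byte-per-link state and the function names are assumptions for the demonstration; the check shown is the generic one, not the text of the upstream patch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* From the advisory: links[] has 15 valid entries, 0..14, while the 4-bit
   Link ID field can carry 0..15. */
#define MAX_NUM_MLD_LINKS 15

/* Simplified per-STA state (assumed layout, not hostapd's struct): one byte per
   link, then a guard byte standing in for whatever really follows links[]. */
struct mld_sta {
    uint8_t link_valid[MAX_NUM_MLD_LINKS];
    uint8_t guard;
};

/* Per-STA Profile subelement as carried in the Multi-Link element:
   byte 0 subelement ID (0 = Per-STA Profile), byte 1 length, then the 2-byte
   little-endian STA Control field; bits B0..B3 of it are the Link ID. */
static int decode_link_id(const uint8_t *subelem, size_t len)
{
    if (len < 4 || subelem[0] != 0 || subelem[1] < 2) return -1;
    uint16_t ctrl = (uint16_t)(subelem[2] | (subelem[3] << 8));
    return ctrl & 0x000f;           /* 0..15: one value more than links[] holds */
}

/* Vulnerable shape: the masked value is used as an index as-is. For Link ID 15
   the store lands one byte past link_valid[], on guard. (Expressed as a byte
   offset into the struct so the demonstration itself has defined behaviour.) */
int process_profile_vulnerable(struct mld_sta *sta, const uint8_t *subelem, size_t len)
{
    int link_id = decode_link_id(subelem, len);
    if (link_id < 0) return -1;
    ((uint8_t *)sta)[offsetof(struct mld_sta, link_valid) + (size_t)link_id] = 1;
    return link_id;
}

/* Hardened shape: reject any Link ID that is not a valid links[] index before
   touching the array. */
int process_profile_checked(struct mld_sta *sta, const uint8_t *subelem, size_t len)
{
    int link_id = decode_link_id(subelem, len);
    if (link_id < 0 || link_id >= MAX_NUM_MLD_LINKS) return -1;
    sta->link_valid[link_id] = 1;
    return link_id;
}

/* Constructed subelements: Link ID 3 (benign) and Link ID 15 (the crafted case). */
static const uint8_t profile_link3[]  = { 0x00, 0x02, 0x03, 0x00 };
static const uint8_t profile_link15[] = { 0x00, 0x02, 0x0f, 0x00 };

/* Run one parser over a fresh struct; 1 if the guard byte was overwritten. */
int guard_clobbered(int (*fn)(struct mld_sta *, const uint8_t *, size_t),
                    const uint8_t *subelem, size_t len)
{
    struct mld_sta sta;
    memset(&sta, 0, sizeof sta);
    sta.guard = 0xa5;
    fn(&sta, subelem, len);
    return sta.guard != 0xa5;
}

int main(void)
{
    printf("vulnerable, link 3 : guard clobbered=%d\n",
           guard_clobbered(process_profile_vulnerable, profile_link3, sizeof profile_link3));
    printf("vulnerable, link 15: guard clobbered=%d\n",
           guard_clobbered(process_profile_vulnerable, profile_link15, sizeof profile_link15));
    printf("checked,    link 15: guard clobbered=%d\n",
           guard_clobbered(process_profile_checked, profile_link15, sizeof profile_link15));
    return 0;
}
```

In hostapd the entries are full per-link structures rather than single bytes, so the real overwrite is correspondingly larger, but the shape is the same: a field whose encoding allows 16 values indexing storage sized for 15. The check belongs on the parsed value itself, before any use, and the same reasoning applies to every other field that is masked out of a frame and then used as an index.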
More Lists
Dozens of other network security lists are archived at SecLists.Org.
