pkgsrc-Changes archive
CVS commit: pkgsrc/doc
Module Name: pkgsrc
Committed By: leot
Date: Wed Feb 25 22:00:56 UTC 2026
Modified Files:
pkgsrc/doc: pkg-vulnerabilities
Log Message:
pkg-vulnerabilities: add last week CVEs
+ KeePass,
SOGo (no upstream and/or further details, assume not fixed),
admesh (not fixed),
apache-tomcat, caddy, calibre, chromium,
clamav (no upstream information, assume not fixed),
coturn, curl, dropbear, erlang, ffmpeg, gimp, grafana,
gsoap (no upstream information, assume not fixed),
hdf5, janet, jenkins,
libde265 (fixed upstream, latest stable release 1.0.16 affected),
libjxl,
libsixel (fixed upstream, latest stable release 1.8.7 affected),
libsoup,
libvips (fixed upstream, latest stable release 8.18.0 affected),
metabase,
minisat (not fixed),
moodle, nats-server,
openbabel (not fixed),
openexr, p5-Crypt-URandom, p5-Image-ExifTool,
php-owncloud (no upstream information, assume not fixed),
php-piwigo (CVE-2025-62512 not fixed),
postgresql-server,
py-Pillow, py-flask, py-nltk, py-pdf, py-werkzeug,
qemu (possible patches under discussion),
re2c (fixed upstream, latest stable release 4.4 affected),
ruby-rack, tiff, vaultwarden, vim, yt-dlp, zlib,
zoneminder (CVE-2025-65791 not fixed),
To generate a diff of this commit:
cvs rdiff -u -r1.736 -r1.737 pkgsrc/doc/pkg-vulnerabilities
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/doc/pkg-vulnerabilities
diff -u pkgsrc/doc/pkg-vulnerabilities:1.736 pkgsrc/doc/pkg-vulnerabilities:1.737
--- pkgsrc/doc/pkg-vulnerabilities:1.736 Wed Feb 25 19:58:38 2026
+++ pkgsrc/doc/pkg-vulnerabilities Wed Feb 25 22:00:55 2026
@@ -1,30 +1,13 @@
-# $NetBSD: pkg-vulnerabilities,v 1.736 2026/02/25 19:58:38 leot Exp $
#
#FORMAT 1.0.0
#
-# Please read "Handling packages with security problems" in the pkgsrc
-# guide before editing this file.
#
-# Note: NEVER remove entries from this file; this should document *all*
-# known package vulnerabilities so it is entirely appropriate to have
-# multiple entries in this file for a single package, and to contain
-# entries for packages which have been removed from pkgsrc.
#
-# New entries should be added at the end of this file.
#
-# Please ask pkgsrc-security to update the copy on ftp.NetBSD.org after
-# making changes to this file.
#
-# The command to run for this update is "./pkg-vuln-update.sh", but it needs
-# access to the private GPG key for pkgsrc-security.
#
-# If you have comments/additions/corrections, please contact
-# pkgsrc-security%NetBSD.org@localhost.
#
-# Note: If this file format changes, please do not forget to update
-# pkgsrc/mk/scripts/genreadme.awk which also parses this file.
#
-# package type of exploit URL
cfengine<1.5.3nb3 remote-root-shell https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2000-013.txt.asc
navigator<4.75 remote-user-access http://www.cert.org/advisories/CA-2000-15.html
navigator<4.74 remote-user-shell https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2000-011.txt.asc
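Review bot: the header block removed at the top of the file is not covered by the log message, which only mentions adding CVEs. The deleted lines include the `$NetBSD$` RCS id line (no replacement `+` line is added), the "NEVER remove entries" and "New entries should be added at the end" editing rules, the pkgsrc-security contact and update instructions, and the `# package type of exploit URL` column legend, while the bare `#` separators are left behind. The removed text itself says pkgsrc/mk/scripts/genreadme.awk also parses this file, so please confirm the stripped header is intentional; otherwise restore these lines and commit only the new entries.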
@@ -1020,7 +1003,6 @@ postgresql-lib<7.3.9 remote-code-executi
postgresql73-lib<7.3.9 remote-code-execution https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0245
postgresql74-lib<7.4.7 remote-code-execution https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0245
postgresql80-lib<8.0.1 remote-code-execution https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0245
-# intagg not installed
#postgresql73-lib-7.3.[0-9]* denial-of-service https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0246
#postgresql74-lib-7.4.[0-9]* denial-of-service https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0246
#postgresql80-lib-8.0.[0-9]* denial-of-service https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0246
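Review bot: dropping `# intagg not installed` leaves the three commented-out CAN-2005-0246 entries below it with no recorded reason for being disabled. Keep the comment, so a later audit can tell a deliberate exclusion from an entry that was commented out by mistake.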
@@ -3689,7 +3671,6 @@ gitweb<1.5.6.6 remote-system-access ht
gitweb<1.5.6.6 remote-system-access https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5517
ganglia-monitor-core<3.1.2 remote-system-access http://secunia.com/advisories/33506/
xdg-utils<1.1.0rc1 remote-system-access https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0386
-# N/A; see https://security-tracker.debian.org/tracker/CVE-2009-0068
#xdg-utils-[0-9]* remote-system-access https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0068
tnftpd<20081009 cross-site-scripting http://securityreason.com/achievement_securityalert/56
libmikmod<3.2.0 remote-denial-of-service http://secunia.com/advisories/33485/
@@ -12612,7 +12593,6 @@ tcpdump<4.9.2 heap-overflow https://nv
tcpdump<4.9.2 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2017-11542
tcpdump<4.9.2 buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2017-11543
exiv2<0.27 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2017-11553
-# in stills2dv, not libjpeg-turbo-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2017-9614
libid3tag-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2017-11550
libid3tag-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2017-11551
sox-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2017-11332
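Review bot: the line removed here is not only an annotation, it is the record of CVE-2017-9614 in this part of the file: `# in stills2dv, not libjpeg-turbo-[0-9]* denial-of-service ...`. Deleting it loses both the CVE reference and the finding that the issue is in stills2dv rather than libjpeg-turbo, which conflicts with the file's own "NEVER remove entries" rule. Keep the line.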
@@ -14859,7 +14839,6 @@ awstats-[0-9]* information-disclosure ht
binutils<2.31 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2018-8945
zabbix<3.4.1 man-in-the-middle https://nvd.nist.gov/vuln/detail/CVE-2017-2825
nasm<2.14 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2018-10254
-# reported against tiff, see https://gitlab.com/libtiff/libtiff/-/issues/128
jpeg<9d null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2018-10126
mupdf<1.14.0 infinite-loop https://nvd.nist.gov/vuln/detail/CVE-2018-10289
curl<7.52.0 buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2016-9586
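Review bot: the removed `# reported against tiff, see https://gitlab.com/libtiff/libtiff/-/issues/128` comment annotates the active `jpeg<9d` entry for CVE-2018-10126 directly below it, not a disabled one. Without it the entry no longer points at the upstream libtiff issue that explains where the report was filed. Keep the comment with the entry.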
@@ -18875,7 +18854,6 @@ opensc-[0-9]* arbitrary-file-write https
p5-File-Temp-[0-9]* symlink-attack https://nvd.nist.gov/vuln/detail/CVE-2011-4116
perl-[0-9]* symlink-attack https://nvd.nist.gov/vuln/detail/CVE-2011-4116
p5-Module-Metadata<1.000015 arbitrary-code-execution https://nvd.nist.gov/vuln/detail/CVE-2013-1437
-# Disputed: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726578
#pwgen-[0-9]* weak-password-generator https://nvd.nist.gov/vuln/detail/CVE-2013-4441
py{26,27,33,34}-tornado<3.2.2 information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2014-9720
qt5-qtbase<5.15.0 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2015-9541
@@ -21286,9 +21264,7 @@ py{36,37,38,39}-django>=2.2<2.2.24 acces
py{36,37,38,39}-django>=3<3.2.4 access-bypass https://nvd.nist.gov/vuln/detail/CVE-2021-33571
rabbitmq<3.8.16 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2021-22116
wireshark<3.4.6 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2021-22222
-# rejected
#ansible-[0-9]* information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2021-3532
-# rejected
#ansible-[0-9]* information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2021-3533
apache>=2.4.6<2.4.48 authorization-bypass https://nvd.nist.gov/vuln/detail/CVE-2019-17567
apache>=2.4.41<2.4.48 null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2020-13950
@@ -21332,7 +21308,6 @@ firefox78<78.11 multiple-vulnerabilitie
mozjs78<78.11 multiple-vulnerabilities https://www.mozilla.org/en-US/security/advisories/mfsa2021-24/
tor-browser<10.0.17 multiple-vulnerabilities https://www.mozilla.org/en-US/security/advisories/mfsa2021-24/
thunderbird<78.11 multiple-vulnerabilities https://www.mozilla.org/en-US/security/advisories/mfsa2021-26/
-# rejected
#ImageMagick-[0-9]* memory-leak https://nvd.nist.gov/vuln/detail/CVE-2021-34183
ampache<4.4.3 code-injection https://nvd.nist.gov/vuln/detail/CVE-2021-32644
djvulibre-lib<3.5.29 out-of-bounds-write https://nvd.nist.gov/vuln/detail/CVE-2021-32490
@@ -21787,9 +21762,7 @@ mbedtls<2.24.0 sensitive-information-dis
mbedtls<2.25.0 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2020-36475
mit-krb5<1.18.5 null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2021-37750
ffmpeg4<4.4.1 buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2021-38171
-# not reproducible? https://github.com/Exiv2/exiv2/issues/759
#exiv2-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2020-18774
-# not reproducible? https://github.com/Exiv2/exiv2/issues/760
#exiv2-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2020-18773
exiv2<0.27.1 buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2020-18771
plib-[0-9]* integer-overflow https://nvd.nist.gov/vuln/detail/CVE-2021-38714
@@ -22842,7 +22815,6 @@ grafana<8.3.5 information-disclosure ht
htmldoc<1.9.15 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2022-0534
jenkins<2.334 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2022-0538
kate<21.12.2 arbitrary-code-execution https://nvd.nist.gov/vuln/detail/CVE-2022-23853
-# "can't be fixed" according to https://bugzilla.redhat.com/show_bug.cgi?id=2054686
#git-base-[0-9]* information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2022-24975
php{56,73,74,80,81}-concrete5<9.0 cross-site-request-forgery https://nvd.nist.gov/vuln/detail/CVE-2021-22954
php{56,73,74,80,81}-piwigo-[0-9]* cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2021-45357
@@ -23295,7 +23267,6 @@ php{56,73,74,80,81}-piwigo-[0-9]* sql-in
powerdns<4.4.3 security-bypass https://nvd.nist.gov/vuln/detail/CVE-2022-27227
powerdns-recursor<4.4.8 security-bypass https://nvd.nist.gov/vuln/detail/CVE-2022-27227
ruby{25,26,27,30,31}-nokogiri<1.13.4 xml-external-entity https://nvd.nist.gov/vuln/detail/CVE-2022-24836
-# affects ghostpcl, not part of standard ghostscript, see e.g. https://ubuntu.com/security/CVE-2022-1350
#ghostscript-agpl-[0-9]* memory-corruption https://nvd.nist.gov/vuln/detail/CVE-2022-1350
neomutt<20220415 buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2022-1328
php{56,73,74,80,81}-memcached<2.1.0 cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2022-26635
@@ -27240,7 +27211,6 @@ chromium<138.0.7204.168 heap-corruption
php{56,73,74,80,81,82,83,84}-xdebug-[0-9]* command-injection https://nvd.nist.gov/vuln/detail/CVE-2015-10141
apache<2.4.65 invalid-validation https://nvd.nist.gov/vuln/detail/CVE-2025-54090
py{27,39,310,311,312,313}-mezzanine<6.1.1 cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2025-50481
-# disputed because abuse of the commands network protocol is not a violation of the Redis Security Model
#redis-[0-9]* memory-corruption https://nvd.nist.gov/vuln/detail/CVE-2025-46686
thunderbird<140 multiple-vulnerabilities https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
thunderbird<128.12 multiple-vulnerabilities https://www.mozilla.org/security/advisories/mfsa2025-55/
@@ -27282,7 +27252,6 @@ openexr<3.3.3 heap-overflow https://n
openexr<3.3.3 null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2025-48073
openexr<3.3.3 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-48074
php{56,74,81,82,83,84}-piwigo<15.0.0 sql-injection https://nvd.nist.gov/vuln/detail/CVE-2024-43018
-# https://github.com/jpadilla/pyjwt/issues/1080
#py{27,39,310,311,312,313}-JWT-[0-9]* weak-encryption https://nvd.nist.gov/vuln/detail/CVE-2025-45768
qemu>=10.0.0 unspecified https://nvd.nist.gov/vuln/detail/CVE-2025-54566
qemu>=10.0.0 unspecified https://nvd.nist.gov/vuln/detail/CVE-2025-54567
@@ -27408,7 +27377,6 @@ postgresql-server>=15<15.14 code-injecti
postgresql-server>=16<16.10 code-injection https://nvd.nist.gov/vuln/detail/CVE-2025-8715
postgresql-server>=17<17.6 code-injection https://nvd.nist.gov/vuln/detail/CVE-2025-8715
proftpd<1.3.3d backdoor https://nvd.nist.gov/vuln/detail/CVE-2010-20103
-# disputed, this is how Python's import works
#py{27,39,310,311,312,313}-future-[0-9]* arbitrary-code-execution https://nvd.nist.gov/vuln/detail/CVE-2025-50817
py{27,39,310,311,312,313}-pdf<6.0.0 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-55197
retroarch<1.21.0 out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2025-9136
@@ -27565,7 +27533,6 @@ xenkernel418-[0-9]* race-condition htt
xenkernel420<4.20.2 null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2025-27466
xenkernel420<4.20.2 null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2025-58142
xenkernel420<4.20.2 race-condition https://nvd.nist.gov/vuln/detail/CVE-2025-58143
-# xenkernel for ARM, not packaged in pkgsrc
#xenkernel-[0-9]* null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2025-58144
#xenkernel-[0-9]* privilege-escalation https://nvd.nist.gov/vuln/detail/CVE-2025-58145
zabbix-server-{mysql,postgresql}>=7.0<7.0.14 information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2025-27238
@@ -27745,7 +27712,6 @@ ap24-auth-openidc<2.4.13.2 denial-of-ser
ap24-auth-openidc<2.4.15.2 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2024-24814
ap24-auth-openidc<2.4.16.11 information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2025-31492
ap24-auth-openidc<2.4.13.2 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-3891
-# disputed by upstream, see https://modsecurity.org/20241011/about-cve-2024-46292-2024-october/
#ap24-modsecurity-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2024-46292
ap24-modsecurity<2.9.9 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-47947
ffmpeg5<5.1.7 out-of-bounds-write https://nvd.nist.gov/vuln/detail/CVE-2025-59728
@@ -28124,7 +28090,6 @@ dav1d<1.2.0 denial-of-service https://nv
dav1d<1.4.0 integer-overflow https://nvd.nist.gov/vuln/detail/CVE-2024-1580
dbus<1.15.6 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2023-34969
dmidecode<3.5 arbitrary-file-write https://nvd.nist.gov/vuln/detail/CVE-2023-30630
-# not an issue in pkgsrc due how it is installed
#dnscrypt-proxy-[0-9]* privilege-escalation https://nvd.nist.gov/vuln/detail/CVE-2024-36587
dnsdist>=1.9.0<1.9.4 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2024-25581
dnsdist<1.9.10 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-30193
@@ -28398,13 +28363,8 @@ frr<10.1.2 invalid-validation https://nv
tiff<4.7.0 buffer-overflow https://nvd.nist.gov/vuln/detail/CVE-2023-3164
ganglia-webfrontend-[0-9]* cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2024-52762
ganglia-webfrontend-[0-9]* cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2024-52763
-# disputed by the GCC project as missed hardening bug, not a vulnerability
#gcc-[0-9]* security-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-4039
-# not considered a vulnerability issue, --no-absolute-filenames option should
-# be used instead:
-# <https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html>
#gcpio-[0-9]* symlink-attack https://nvd.nist.gov/vuln/detail/CVE-2023-7216
-# not reproducible, rejected by uptsream
#gdal-lib-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-29480
gdb<14.1 stack-overflow https://nvd.nist.gov/vuln/detail/CVE-2023-39128
gdb<14.0 use-after-free https://nvd.nist.gov/vuln/detail/CVE-2023-39129
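Review bot: the three comments removed in this hunk are the only explanation for why the gcc, gcpio and gdal-lib entries are disabled, and the gcpio one also records the guidance to use `--no-absolute-filenames` together with the link to the bug-cpio thread. Keep them next to the commented-out entries; if the gdal-lib comment is touched anyway, "uptsream" could be corrected to "upstream".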
@@ -28501,7 +28461,6 @@ zabbix-agent<6.0.18 code-injection https
gindent<2.2.14 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2023-40305
gindent<2.2.14 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2024-0911
git-base<2.6.1 sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2024-50338
-# disputed: https://lore.kernel.org/git/aQd_iisOrwX909Fr%fruit.crustytoothpaste.net@localhost/T/#t
#git-base-[0-9]* input-validation https://nvd.nist.gov/vuln/detail/CVE-2024-52005
git-base<2.26.1 sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2024-52006
git-lfs<3.6.1 sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2024-53263
@@ -28519,7 +28478,6 @@ glib2<2.82.5 integer-overflow https://nv
glib2<2.84.2 buffer-underflow https://nvd.nist.gov/vuln/detail/CVE-2025-4373
global<6.6.13 arbitrary-code-execution https://nvd.nist.gov/vuln/detail/CVE-2024-38448
glslang-[0-9]* null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2025-3010
-# disputed by upstream, considered a feature
#gnome-settings-daemon-[0-9]* unspecified https://nvd.nist.gov/vuln/detail/CVE-2024-38394
gnome-shell<44.5 security-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-43090
gnome-shell<44.5 security-bypass https://nvd.nist.gov/vuln/detail/CVE-2023-50977
@@ -28700,7 +28658,6 @@ bitcoin<30.0 denial-of-service https://n
bitcoin<30.0 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-54605
consul<1.22.0 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-11374
consul<1.22.0 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-11375
-# Questionable, needs to change the configuration files, see <https://www.openwall.com/lists/oss-security/2025/10/27/1>
#dnsmasq-[0-9]* heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2025-12198
#dnsmasq-[0-9]* null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2025-12199
#dnsmasq-[0-9]* null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2025-12200
@@ -28758,7 +28715,6 @@ moodle<5.0.3 improper-authentication h
moodle<5.0.3 brute-force https://nvd.nist.gov/vuln/detail/CVE-2025-62399
moodle<5.0.3 information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2025-62400
moodle<5.0.3 improper-authorization https://nvd.nist.gov/vuln/detail/CVE-2025-62401
-# Only alpha and beta releases affected, never packaged in pkgsrc
#openvpn>=2.7_alpha1<2.7_beta1 command-injection https://nvd.nist.gov/vuln/detail/CVE-2025-10680
py{27,39,310,311,312,313,314}-authlib<1.6.5 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-62706
py{27,39,310,311,312,313,314}-pdf<6.1.3 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-62707
@@ -28817,7 +28773,6 @@ gstreamer1<1.24.10 out-of-bounds-read ht
gstreamer1<1.24.10 out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2024-47778
gstreamer1<1.24.10 use-after-free https://nvd.nist.gov/vuln/detail/CVE-2024-47834
gstreamer1<1.24.10 null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2024-47835
-# Gstreamer Installer, not used by pkgsrc
#gstreamer1-[0-9]* privilege-escalation https://nvd.nist.gov/vuln/detail/CVE-2025-2759
gstreamer1<1.26.1 stack-overflow https://nvd.nist.gov/vuln/detail/CVE-2025-3887
gstreamer1<1.222.4 integer-overflow https://nvd.nist.gov/vuln/detail/CVE-2023-37327
@@ -28871,7 +28826,6 @@ chromium<140.0.7339.80 arbitrary-code-ex
chromium<140.0.7339.80 information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2025-12909
chromium<140.0.7339.80 sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2025-12910
chromium<140.0.7339.80 ui-spoofing https://nvd.nist.gov/vuln/detail/CVE-2025-12911
-# wolfssh not supported in pkgsrc
#curl<8.17.0 man-in-the-middle-attack https://nvd.nist.gov/vuln/detail/CVE-2025-10966
ffmpeg5<5.1.7 null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2025-7700
ffmpeg6<6.1.3 null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2025-7700
@@ -29002,7 +28956,6 @@ tinyproxy<1.11.3 integer-overflow https:
wireshark<4.6.1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-13674
webkit-gtk<2.50.2 multiple-vulnerabilities https://webkitgtk.org/security/WSA-2025-0008.html
kissfft-[0-9]* heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2025-34297
-# Only alpha, beta and rc1 affected
#openvpn>=2.7_alpha1<2.7rc2 out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2025-12106
python310-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-13836
python311-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-13836
@@ -29333,7 +29286,6 @@ chromium<143.0.7499.192 code-injection
libtasn1<4.21.0 stack-overflow https://nvd.nist.gov/vuln/detail/CVE-2025-13151
lmdb-[0-9]* out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2026-22185
py{27,310,311,312,313,314}-urllib3<2.6.3 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2026-21441
-# curl not built with ngtcp2
#curl>=8.8.0<8.18.0 improper-certificate-validation https://nvd.nist.gov/vuln/detail/CVE-2025-13034
curl<8.18.0 improper-certificate-validation https://nvd.nist.gov/vuln/detail/CVE-2025-14017
curl<8.18.0 sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2025-14524
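Review bot: `# curl not built with ngtcp2` states the build-configuration condition under which CVE-2025-13034 does not apply to the package. With the comment gone, nothing tells a later maintainer to re-enable `#curl>=8.8.0<8.18.0` if the curl package ever gains ngtcp2 support. Keep the comment above the commented-out entry.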
@@ -29825,3 +29777,137 @@ ImageMagick<7.1.2.15 heap-overflow http
ImageMagick6<6.9.13.40 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-26284
ImageMagick<7.1.2.15 null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2026-26983
ImageMagick6<6.9.13.40 null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2026-26983
+KeePass<2.44 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2020-37178
+SOGo-[0-9]* cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2026-3054
+admesh-[0-9]* heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-2653
+apache-tomcat<9.0.113 input-validation https://nvd.nist.gov/vuln/detail/CVE-2025-66614
+apache-tomcat>=10<10.1.50 input-validation https://nvd.nist.gov/vuln/detail/CVE-2025-66614
+apache-tomcat>=11<11.0.15 input-validation https://nvd.nist.gov/vuln/detail/CVE-2025-66614
+apache-tomcat<9.0.113 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-24733
+apache-tomcat>=10<10.1.50 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-24733
+apache-tomcat>=11<11.0.15 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-24733
+apache-tomcat<9.0.115 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-24734
+apache-tomcat>=10<10.1.52 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-24734
+apache-tomcat>=11<11.0.18 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-24734
+caddy<2.11.1 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-27585
+caddy<2.11.1 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-27586
+caddy<2.11.1 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-27587
+caddy<2.11.1 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-27588
+caddy<2.11.1 cross-site-request-forgery https://nvd.nist.gov/vuln/detail/CVE-2026-27589
+caddy<2.11.1 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-27590
+calibre<9.3.0 path-traversal https://nvd.nist.gov/vuln/detail/CVE-2026-26064
+calibre<9.3.0 path-traversal https://nvd.nist.gov/vuln/detail/CVE-2026-26065
+chromium<145.0.7632.45 heap-corruption https://nvd.nist.gov/vuln/detail/CVE-2026-2313
+chromium<145.0.7632.45 heap-corruption https://nvd.nist.gov/vuln/detail/CVE-2026-2314
+chromium<145.0.7632.45 out-of-bounds-access https://nvd.nist.gov/vuln/detail/CVE-2026-2315
+chromium<145.0.7632.45 ui-spoofing https://nvd.nist.gov/vuln/detail/CVE-2026-2316
+chromium<145.0.7632.45 information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2026-2317
+chromium<145.0.7632.45 ui-spoofing https://nvd.nist.gov/vuln/detail/CVE-2026-2318
+chromium<145.0.7632.45 ui-spoofing https://nvd.nist.gov/vuln/detail/CVE-2026-2319
+chromium<145.0.7632.45 ui-spoofing https://nvd.nist.gov/vuln/detail/CVE-2026-2320
+chromium<145.0.7632.45 heap-corruption https://nvd.nist.gov/vuln/detail/CVE-2026-2321
+chromium<145.0.7632.45 ui-spoofing https://nvd.nist.gov/vuln/detail/CVE-2026-2322
+chromium<145.0.7632.45 ui-spoofing https://nvd.nist.gov/vuln/detail/CVE-2026-2323
+chromium<145.0.7632.75 use-after-free https://nvd.nist.gov/vuln/detail/CVE-2026-2441
+chromium<145.0.7632.109 out-of-bounds-write https://nvd.nist.gov/vuln/detail/CVE-2026-2648
+chromium<145.0.7632.109 heap-corruption https://nvd.nist.gov/vuln/detail/CVE-2026-2649
+chromium<145.0.7632.109 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-2650
+chromium<145.0.7632.116 out-of-bounds-write https://nvd.nist.gov/vuln/detail/CVE-2026-3061
+chromium<145.0.7632.116 out-of-bounds-write https://nvd.nist.gov/vuln/detail/CVE-2026-3062
+chromium<145.0.7632.116 code-injection https://nvd.nist.gov/vuln/detail/CVE-2026-3063
+clamav-[0-9]* code-injection https://nvd.nist.gov/vuln/detail/CVE-2020-37167
+coturn<4.9.0 improper-access-control https://nvd.nist.gov/vuln/detail/CVE-2026-27624
+curl<8.18.0 arbitrary-file-overwrite https://nvd.nist.gov/vuln/detail/CVE-2025-11563
+dropbear>=2024.84<2025.88 privilege-escalation https://nvd.nist.gov/vuln/detail/CVE-2025-14282
+erlang<27.3.4.8 path-traversal https://nvd.nist.gov/vuln/detail/CVE-2026-21620
+ffmpeg7<7.1.2 null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2025-10256
+ffmpeg8<8.0 null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2025-10256
+ffmpeg7<7.1.2 double-free https://nvd.nist.gov/vuln/detail/CVE-2025-12343
+ffmpeg8<8.1 double-free https://nvd.nist.gov/vuln/detail/CVE-2025-12343
+gimp<3.0.8 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-0797
+gimp<3.0.8 remote-code-execution https://nvd.nist.gov/vuln/detail/CVE-2026-2044
+gimp<3.0.8 out-of-bounds-write https://nvd.nist.gov/vuln/detail/CVE-2026-2045
+gimp<3.0.8 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-2047
+gimp<3.0.8 out-of-bounds-write https://nvd.nist.gov/vuln/detail/CVE-2026-2048
+grafana<12.2.0 cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2025-41117
+grafana<12.2.0 security-bypass https://nvd.nist.gov/vuln/detail/CVE-2026-21722
+gsoap-[0-9]* path-traversal https://nvd.nist.gov/vuln/detail/CVE-2019-25355
+hdf5<1.14.4.2 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-26200
+janet<1.41.0 out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2026-2869
+jenkins<2.551 cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2026-27099
+jenkins<2.551 information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2026-27100
+libde265-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-61147
+libjxl<0.11.2 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-12474
+libjxl<0.11.2 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2026-1837
+libsixel<1.8.8 memory-leak https://nvd.nist.gov/vuln/detail/CVE-2025-61146
+libsoup<3.6.6 out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2026-2443
+libvips-[0-9]* heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-2913
+libvips-[0-9]* memory-corruption https://nvd.nist.gov/vuln/detail/CVE-2026-3145
+libvips-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2026-3146
+libvips-[0-9]* heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-3147
+metabase<0.58.7 code-injection https://nvd.nist.gov/vuln/detail/CVE-2026-27464
+minisat-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2026-2644
+moodle<5.0.5 code-injection https://nvd.nist.gov/vuln/detail/CVE-2026-26045
+moodle<5.0.5 command-injection https://nvd.nist.gov/vuln/detail/CVE-2026-26046
+moodle<5.0.5 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2026-26047
+nats-server<2.12.3 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2026-27571
+openbabel-[0-9]* out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2026-2704
+openbabel-[0-9]* out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2026-2705
+openexr<3.4.5 out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2026-26981
+p5-Crypt-URandom<0.55 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-2474
+p5-Image-ExifTool<13.50 command-injection https://nvd.nist.gov/vuln/detail/CVE-2026-3102
+php{56,74,81,82,83,84}-owncloud-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2019-25337
+php{56,74,81,82,83,84}-piwigo<15.0.0 insufficiently-random-numbers https://nvd.nist.gov/vuln/detail/CVE-2024-48928
+php{56,74,81,82,83,84}-piwigo-[0-9]* information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2025-62512
+postgresql-server<14.21 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-2003
+postgresql-server>=15<15.16 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-2003
+postgresql-server>=16<16.12 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-2003
+postgresql-server>=17<17.8 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-2003
+postgresql-server>=18<18.2 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-2003
+postgresql-server<14.21 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-2004
+postgresql-server>=15<15.16 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-2004
+postgresql-server>=15<15.16 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-2004
+postgresql-server>=15<15.16 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-2004
+postgresql-server>=15<15.16 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-2004
+postgresql-server>=15<15.16 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-2004
+postgresql-server>=16<16.12 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-2004
+postgresql-server>=17<17.8 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-2004
+postgresql-server>=18<18.2 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-2004
+postgresql-server<14.21 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-2005
+postgresql-server>=15<15.16 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-2005
+postgresql-server>=16<16.12 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-2005
+postgresql-server>=17<17.8 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-2005
+postgresql-server>=17<17.8 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-2005
+postgresql-server>=18<18.2 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-2005
+postgresql-server<14.21 arbitrary-code-execution https://nvd.nist.gov/vuln/detail/CVE-2026-2006
+postgresql-server>=15<15.16 arbitrary-code-execution https://nvd.nist.gov/vuln/detail/CVE-2026-2006
+postgresql-server>=16<16.12 arbitrary-code-execution https://nvd.nist.gov/vuln/detail/CVE-2026-2006
+postgresql-server>=17<17.8 arbitrary-code-execution https://nvd.nist.gov/vuln/detail/CVE-2026-2006
+postgresql-server>=18<18.2 arbitrary-code-execution https://nvd.nist.gov/vuln/detail/CVE-2026-2006
+postgresql-server>=18<18.2 heap-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-2007
+py{27,310,311,312,313,314}-Pillow<12.1.1 out-of-bounds-write https://nvd.nist.gov/vuln/detail/CVE-2026-25990
+py{27,310,311,312,313,314}-flask<3.1.3 sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2026-27205
+py{27,310,311,312,313,314}-nltk<3.9.3 arbitrary-code-execution https://nvd.nist.gov/vuln/detail/CVE-2025-14009
+py{27,310,311,312,313,314}-pdf<6.7.1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2026-27024
+py{27,310,311,312,313,314}-pdf<6.7.1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2026-27025
+py{27,310,311,312,313,314}-pdf<6.7.1 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2026-27026
+py{27,310,311,312,313,314}-pdf<6.7.2 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2026-27628
+py{27,310,311,312,313,314}-werkzeug<3.1.6 input-validation https://nvd.nist.gov/vuln/detail/CVE-2026-27199
+qemu-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2025-14876
+qemu<10.1.0 sensitive-information-disclosure https://nvd.nist.gov/vuln/detail/CVE-2025-8860
+qemu-[0-9]* out-of-bounds-write https://nvd.nist.gov/vuln/detail/CVE-2026-0665
+qemu-[0-9]* out-of-bounds-read https://nvd.nist.gov/vuln/detail/CVE-2026-2243
+re2c-[0-9]* denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2026-2903
+ruby{32,33,34,40}-rack2<2.2.22 path-traversal https://nvd.nist.gov/vuln/detail/CVE-2026-22860
+ruby{32,33,34,40}-rack<3.2.5 path-traversal https://nvd.nist.gov/vuln/detail/CVE-2026-22860
+ruby{32,33,34,40}-rack2<2.2.22 cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2026-25500
+ruby{32,33,34,40}-rack<3.2.5 cross-site-scripting https://nvd.nist.gov/vuln/detail/CVE-2026-25500
+tiff<4.7.1 null-pointer-dereference https://nvd.nist.gov/vuln/detail/CVE-2025-61143
+tiff<4.7.1 stack-overflow https://nvd.nist.gov/vuln/detail/CVE-2025-61144
+tiff<4.7.1 double-free https://nvd.nist.gov/vuln/detail/CVE-2025-61145
+vaultwarden<1.35.3 improper-authorization https://nvd.nist.gov/vuln/detail/CVE-2026-26012
+vim<9.1.2148 stack-overflow https://nvd.nist.gov/vuln/detail/CVE-2026-26269
+yt-dlp<2026.02.21 command-injection https://nvd.nist.gov/vuln/detail/CVE-2026-26331
+zlib<1.3.2 denial-of-service https://nvd.nist.gov/vuln/detail/CVE-2026-27171
+zoneminder-[0-9]* command-injection https://nvd.nist.gov/vuln/detail/CVE-2025-65791
+zoneminder<1.38.1 sql-injection https://nvd.nist.gov/vuln/detail/CVE-2026-27470
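Review bot: several of the added lines are exact duplicates: `postgresql-server>=15<15.16 input-validation ...CVE-2026-2004` appears five times in a row, and `postgresql-server>=17<17.8 heap-overflow ...CVE-2026-2005` appears twice. Drop the repeats so each branch is listed once per CVE. Separately, the log message describes libde265, libsixel, libvips and re2c the same way (fixed upstream, latest stable release affected), yet libsixel is entered as `libsixel<1.8.8` while the other three use the `-[0-9]*` pattern; use one convention for all four or note why libsixel differs.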