@Openwall oss-security mailing list thread summaries, currently maintained by @solardiz. Originally set up and maintained as an automated feed by @eugeneteo.
X.Org Security Advisory: June 2, 2026 https://t.co/2PL48XWMnw
8 issues in X server and Xwayland, all with ZDI-CAN identifiers, one also already has a CVE
BIRD/BIRD2: Stack buffer overflow in BGP AS_PATH mask matching https://t.co/6qUl1f3iNC
The confirmed impact is remote BGP peer-triggered DoS. Memory corruption was observed under ASan. Remote code execution has not been demonstrated.
7 CVEs in GPAC/MP4Box https://t.co/GZEdqJty9j and https://t.co/z0YAlAmgSM
Most are NULL Pointer Dereference, but 2 are worse:
CVE-2025-55664: Heap-based Buffer Overflow via m2tsdmx_send_packet on crafted MPEG-2 TS file
CVE-2025-60486: Use-After-Free via dasher_process on [ditto]
CVE-2026-35563: Apache Directory LDAP API: LDAP client implementation does not verify if the server certificate matches the intended LDAP hostname https://t.co/IVL6mdTdwQ
Severity: important
CVE-2025-70103: JPEG XL: Heap-based Buffer Overflow in libjxl/cjxl via jxl::extras::DecodeImagePNM on crafted PBM file https://t.co/0XIDgDfkUU
"WRITE of size 24"
Perl CPAN
CVE-2026-8594: Text::LineFold through 2019.001 duplicates the output based on the number of special break characters https://t.co/ULh114BGqS
CVE-2026-8796: Sereal::Decoder before 5.005 allows heap out-of-bounds read via crafted input https://t.co/lmbcSYzkbz
Perl CPAN
CVE-2026-46740: Mojolicious::Plugin::Statsd through 0.04 allowed metric injections https://t.co/ZAvEzH059g
CVE-2026-8647: Crypt::ScryptKDF through 0.010 uses insecure random number source when no CSPRNG module is available https://t.co/tkyFARtJBg
Perl CPAN
CVE-2026-9658: Plack::Middleware::Security::Common before 0.13.1 did not block header injections in request paths https://t.co/uueuOps8qV
CVE-2026-41565: CryptX before 0.088_001 has a stack buffer overflow in four AEAD decrypt_verify helpers https://t.co/tZrppTBXf8
CVE-2026-48827: Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git https://t.co/N00HgnX5f2
in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH access to git repositories outside the configured git server root directory
CVE-2026-48840: Exim: PROXY-protocol uninitialised-stack information disclosure https://t.co/Y3iCMLHhw2
The leaked bytes are confirmed to be live userspace VA pointers, making this an ASLR-defeat primitive usable as a chain component. Fixed in 4.99.4.