🚨 CVE-2026-15163
Multiple protocol dissector infinite loops in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allow denial of service
🎖@cveNotify
Multiple protocol dissector infinite loops in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allow denial of service
🎖@cveNotify
GitLab
Fuzz job crash: fuzz-2026-05-25-14522946224.pcap (#21275) · Issues · Wireshark Foundation / Wireshark · GitLab
Problems have been found with the following capture file: https://www.wireshark.org/download/automated/captures/fuzz-2026-05-25-14522946224.pcap.gz stderr:
🚨 CVE-2026-15164
Crash in ciscodump 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
🎖@cveNotify
Crash in ciscodump 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
🎖@cveNotify
GitLab
ciscodump extcap: unbounded heap write in remote hex-dump parsers (heap buffer overflow) (#21375) · Issues · Wireshark Foundation…
Summary The ciscodump extcap capture tool parses text hex-dump output returned over an SSH session by a...
🚨 CVE-2026-15165
TLS ECH decryptor crash in Wireshark 4.6.0 to 4.6.6 allows denial of service
🎖@cveNotify
TLS ECH decryptor crash in Wireshark 4.6.0 to 4.6.6 allows denial of service
🎖@cveNotify
GitLab
[Security] TLS ECH transcript reconstruction: heap buffer overflow via repeated ech_outer_extensions (#21390) · Issues · Wireshark…
I am writing to report a heap-buffer-overflow (write) in tshark This is a security issue that was found by Anthropic using Claude to find vulnerabilities,...
🚨 CVE-2026-15167
DBS Etherwatch file parser crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
🎖@cveNotify
DBS Etherwatch file parser crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
🎖@cveNotify
GitLab
Buffer overflow in DBS Etherwatch capture file parser (#21352) · Issues · Wireshark Foundation / Wireshark · GitLab
Summary NGUYEN Huu Trung reported the following to the security mailing list: Hello Wireshark security team,...
🚨 CVE-2026-15169
UMTS FP protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
🎖@cveNotify
UMTS FP protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
🎖@cveNotify
GitLab
[Security] UMTS FP E-DCH Type-2: out-of-bounds write past static `subframes[16]` in `dissect_e_dch_t2_or_common_channel_info()`…
I am writing to report a global-buffer-overflow (write) that is triggerable by way of the Wireshark fuzzing harness tshark) This is a security issue that...
🚨 CVE-2026-15170
Z39.50 protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
🎖@cveNotify
Z39.50 protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
🎖@cveNotify
GitLab
[Security] Z39.50 MARC21 dissector: heap overflow (directory entry count floor/ceil mismatch) in dissect_marc_record() (ANT-2026…
I am writing to report a heap-buffer-overflow (write) that is triggerable by way of the Wireshark fuzzing harness fuzzshark There is a slight patch needed on
🚨 CVE-2026-15171
SSH protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
🎖@cveNotify
SSH protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
🎖@cveNotify
GitLab
NULL pointer dereference in ssh_keylog_process_line when opening a pcapng with malformed SSH Decryption Secrets (#21378) · Issues…
Summary When Wireshark ingests SSH decryption secrets from a pcapng Decryption Secrets Block (DSB), a malformed SSH key-log...
🚨 CVE-2026-15172
FMP/NOTIFY protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
🎖@cveNotify
FMP/NOTIFY protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
🎖@cveNotify
GitLab
FMP Notify dissector integer overflow (#21347) · Issues · Wireshark Foundation / Wireshark · GitLab
Build Information TShark (Wireshark) 4.6.6 (v4.6.6-0-g3a22c3ef473d). Copyright 1998-2026 Gerald Combs <gerald@wireshark.org> and contributors. Licensed under the terms of the...
🚨 CVE-2026-35210
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260326.0, an authorization bypass vulnerability in OpenCTI allows any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass Confidence Level validation and Object Marking restrictions by injecting the synchronized-upsert: true HTTP header, enabling attackers to downgrade confidence levels, remove security markings such as TLP:RED, manipulate relationships, and affect STIX object types including Indicators, ThreatActors, Malware, and Reports. This issue is fixed in version 7.260326.0.
🎖@cveNotify
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260326.0, an authorization bypass vulnerability in OpenCTI allows any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass Confidence Level validation and Object Marking restrictions by injecting the synchronized-upsert: true HTTP header, enabling attackers to downgrade confidence levels, remove security markings such as TLP:RED, manipulate relationships, and affect STIX object types including Indicators, ThreatActors, Malware, and Reports. This issue is fixed in version 7.260326.0.
🎖@cveNotify
GitHub
[backend] Fix use of synchronized-upsert header (#14015) · OpenCTI-Platform/opencti@134531d
Open Cyber Threat Intelligence Platform. Contribute to OpenCTI-Platform/opencti development by creating an account on GitHub.
🚨 CVE-2026-54527
JupyterLab Git is a Git extension for JupyterLab. From 0.30.0b3 before 0.54.0, the PlainTextDiff.ts createHeader() method passes Git filenames directly to innerHTML when rendering renamed files in commit history, allowing a crafted filename to execute JavaScript when a victim views the rename diff in the Git History tab. This issue is fixed in version 0.54.0.
🎖@cveNotify
JupyterLab Git is a Git extension for JupyterLab. From 0.30.0b3 before 0.54.0, the PlainTextDiff.ts createHeader() method passes Git filenames directly to innerHTML when rendering renamed files in commit history, allowing a crafted filename to execute JavaScript when a victim views the rename diff in the Git History tab. This issue is fixed in version 0.54.0.
🎖@cveNotify
GitHub
Merge commit from fork · jupyterlab/jupyterlab-git@c6d37b8
A Git extension for JupyterLab. Contribute to jupyterlab/jupyterlab-git development by creating an account on GitHub.
🚨 CVE-2026-55195
py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, py7zr's Worker.decompress() extracted archive entries without tracking total decompressed size, allowing a crafted .7z file such as a 15.6 KB archive that expands to 100 MB to exhaust disk or memory before extraction completes. This issue is fixed in version 1.1.3.
🎖@cveNotify
py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, py7zr's Worker.decompress() extracted archive entries without tracking total decompressed size, allowing a crafted .7z file such as a 15.6 KB archive that expands to 100 MB to exhaust disk or memory before extraction completes. This issue is fixed in version 1.1.3.
🎖@cveNotify
GitHub
Add max_extract_size parameter to guard against decompression bombs · miurahr/py7zr@28faf10
- Add DecompressionBombError exception
- Add max_extract_size keyword parameter to SevenZipFile (default None, no limit)
- Track cumulative decompressed bytes in Worker.decompress and raise
Decom...
- Add max_extract_size keyword parameter to SevenZipFile (default None, no limit)
- Track cumulative decompressed bytes in Worker.decompress and raise
Decom...
🚨 CVE-2026-55596
Plate is a rich-text editor with AI and shadcn/ui. From 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation, allowing a crafted Plate document to set a known video provider while keeping url as a javascript: iframe source that the registry MediaEmbedElement renders directly as an iframe src when a victim opens the document. This issue is fixed in version 53.1.4.
🎖@cveNotify
Plate is a rich-text editor with AI and shadcn/ui. From 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation, allowing a crafted Plate document to set a known video provider while keeping url as a javascript: iframe source that the registry MediaEmbedElement renders directly as an iframe src when a victim opens the document. This issue is fixed in version 53.1.4.
🎖@cveNotify
GitHub
Fix media embed URL sanitization (#5014) · udecode/plate@6214914
Rich-text editor with AI and shadcn/ui. Contribute to udecode/plate development by creating an account on GitHub.
🚨 CVE-2026-55778
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type, allowing storage adapters such as S3 and GCS to serve attacker-supplied active content and enable stored cross-site scripting. This issue is fixed in versions 9.9.1-alpha.11 and 8.6.81.
🎖@cveNotify
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type, allowing storage adapters such as S3 and GCS to serve attacker-supplied active content and enable stored cross-site scripting. This issue is fixed in versions 9.9.1-alpha.11 and 8.6.81.
🎖@cveNotify
GitHub
fix: Stored XSS via non-standard file extension bypassing file upload… · parse-community/parse-server@97c6a78
… extension blocklist ([GHSA-v8x7-r927-cc93](https://github.com/parse-community/parse-server/security/advisories/GHSA-v8x7-r927-cc93)) (#10506)
🚨 CVE-2026-57480
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the internal query-traversal helper and block the Node.js event loop. This issue is fixed in versions 9.9.1-alpha.12 and 8.6.82.
🎖@cveNotify
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the internal query-traversal helper and block the Node.js event loop. This issue is fixed in versions 9.9.1-alpha.12 and 8.6.82.
🎖@cveNotify
GitHub
fix: Denial of service via exponential-time processing of deeply nest… · parse-community/parse-server@0f5d2ad
…ed query operators ([GHSA-cgxm-vr2f-6fj8](https://github.com/parse-community/parse-server/security/advisories/GHSA-cgxm-vr2f-6fj8)) (#10512)
🚨 CVE-2026-58192
Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.join(storageRoot, name) and fs.rimraf() without path sanitization, allowing an unauthenticated remote client to escape the storage root with ../ sequences and recursively delete arbitrary writable files or directories. This issue is fixed in version 1.1.6.
🎖@cveNotify
Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.join(storageRoot, name) and fs.rimraf() without path sanitization, allowing an unauthenticated remote client to escape the storage root with ../ sequences and recursively delete arbitrary writable files or directories. This issue is fixed in version 1.1.6.
🎖@cveNotify
GitHub
fix(storage-plugin): add fs.sanitizeName for the delete request as we… · appium/appium@5fee017
…ll (#22362)
* fix(storage-plugin): add fs.sanitizeName for the delete request
* move empty check as well
* fix: apply formatter
* return false for exception cases
* return false for exception...
* fix(storage-plugin): add fs.sanitizeName for the delete request
* move empty check as well
* fix: apply formatter
* return false for exception cases
* return false for exception...
🚨 CVE-2026-58208
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with access to the WebSocket listener to reach uninitialized MQTT state and crash the server process. This issue is fixed in versions 2.14.3 and 2.12.12.
🎖@cveNotify
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with access to the WebSocket listener to reach uninitialized MQTT state and crash the server process. This issue is fixed in versions 2.14.3 and 2.12.12.
🎖@cveNotify
GitHub
[FIXED] WebSocket /mqtt upgrade panics when MQTT is disabled · nats-io/nats-server@73b3dd9
Signed-off-by: Maurice van Veen <github@mauricevanveen.com>
🚨 CVE-2026-58494
Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check directory permissions but not matching FilePerms on source and destination preopens, allowing a WASI guest with a read-only source file capability to overwrite host files exposed as FilePerms::READ through wasip1, wasip2, or wasip3 filesystem interfaces. This issue is fixed in versions 24.0.11, 36.0.12, 45.0.3, and 46.0.1.
🎖@cveNotify
Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check directory permissions but not matching FilePerms on source and destination preopens, allowing a WASI guest with a read-only source file capability to overwrite host files exposed as FilePerms::READ through wasip1, wasip2, or wasip3 filesystem interfaces. This issue is fixed in versions 24.0.11, 36.0.12, 45.0.3, and 46.0.1.
🎖@cveNotify
GitHub
Test and remediate ghsa-4ch3 for release-46.0.0 (#13726) · bytecodealliance/wasmtime@5ddfd5f
* Test and remediate ghsa-4ch3 for release-46.0.0
* add failing tests demonstrating reported behavior
* add a test for renaming file across perm domains
* remediate hardlink creation and renaming ...
* add failing tests demonstrating reported behavior
* add a test for renaming file across perm domains
* remediate hardlink creation and renaming ...
🚨 CVE-2026-60105
Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, enabling retrieval of cloud instance metadata credentials.
🎖@cveNotify
Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, enabling retrieval of cloud instance metadata credentials.
🎖@cveNotify
🚨 CVE-2026-6352
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with auditor-level access to modify compliance violation records due to improper authorization on certain GraphQL operations.
🎖@cveNotify
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with auditor-level access to modify compliance violation records due to improper authorization on certain GraphQL operations.
🎖@cveNotify
🚨 CVE-2026-6896
GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary scripts in another user's browser session due to improper sanitization of user-supplied input.
🎖@cveNotify
GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary scripts in another user's browser session due to improper sanitization of user-supplied input.
🎖@cveNotify
🚨 CVE-2026-7492
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an unauthenticated user to determine the existence of a private project due to improper authorization controls on cross-project reference pages.
🎖@cveNotify
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an unauthenticated user to determine the existence of a private project due to improper authorization controls on cross-project reference pages.
🎖@cveNotify