oss-security mailing list

Follow @Openwall on Twitter for new release announcements and other news

oss-security mailing list

	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2026	141	103	190	181
2025	92	75	93	105	94	100	69	75	107	112	106	140
2024	80	100	178	197	72	47	128	107	58	52	87	44
2023	69	62	100	107	99	78	87	60	122	198	86	101
2022	116	50	47	79	83	58	77	86	76	70	95	108
2021	92	91	98	90	88	59	61	82	49	76	60	47
2020	52	47	38	82	70	67	76	64	71	85	90	66
2019	102	48	49	86	51	103	107	80	71	75	67	70
2018	122	81	84	81	71	104	71	135	78	120	75	84
2017	252	278	171	171	209	278	225	157	214	162	196	93
2016	258	207	271	183	267	193	214	184	287	294	257	241
2015	377	336	355	319	277	243	266	197	195	206	205	208
2014	214	252	249	211	183	317	273	201	413	485	382	318
2013	217	323	246	258	200	201	260	265	163	203	182	199
2012	333	189	294	216	234	128	150	207	234	192	191	161
2011	153	169	318	354	159	224	258	164	137	203	241	146
2010	72	96	123	118	115	142	119	144	203	84	187	139
2009	89	81	75	114	96	59	84	99	102	122	108	74
2008		104	103	143	136	112	150	125	127	123	128	107

Recent messages:

2026/04/18 #5: CVE-2026-41113: RCE in sagredo fork of qmail (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/18 #4: Re: [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability (Solar Designer <solar@...nwall.com>)
2026/04/18 #3: Re: [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability (cyber security <cs7778503@...il.com>)
2026/04/18 #2: Re: [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability (cyber security <cs7778503@...il.com>)
2026/04/18 #1: Re: lcms2 <= 2.18 CubeSize() integer overflow: stock Ubuntu 24.04 Poppler / evince-thumbnailer / OpenJDK crashers (diff… (Abhinav Agarwal <abhinavagarwal1996@gma…)
2026/04/17 #17: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (Sam James <sam@...too.org>)
2026/04/17 #16: lcms2 <= 2.18 CubeSize() integer overflow: stock Ubuntu 24.04 Poppler / evince-thumbnailer / OpenJDK crashers (differen… (Abhinav Agarwal <abhinavagarwal1996@gma…)
2026/04/17 #15: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (Eli Schwartz <eschwartz@...too.org>)
2026/04/17 #14: CVE-2026-40948: Apache Airflow Keycloak Provider: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager (Jarek Potiuk <potiuk@...che.org>)
2026/04/17 #13: Xen Security Advisory 488 v1 - x86: Floating Point Divider State Sampling (Xen.org security team <security@....org>)
2026/04/17 #12: ngtcp2: qlog_parameters_set_transport_params_stack_overflow [CVE-2026-40170] (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/17 #11: cups: 8 various moderate vulnerabilities (Zdenek Dohnal <zdohnal@...hat.com>)
2026/04/17 #10: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (Matthias Ferdinand <ml.oss-security@...dv.net>)
2026/04/17 #9: CVE-2026-25917: Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5) (Rahul Vats <rahulvats@...che.org>)
2026/04/17 #8: CVE-2026-32228: Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to (Rahul Vats <rahulvats@...che.org>)
2026/04/17 #7: CVE-2026-30898: Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf (Rahul Vats <rahulvats@...che.org>)
2026/04/17 #6: CVE-2026-32690: Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1 (Rahul Vats <rahulvats@...che.org>)
2026/04/17 #5: CVE-2026-30912: Apache Airflow: Exposing stack trace in case of constraint error (Rahul Vats <rahulvats@...che.org>)
2026/04/17 #4: CVE-2025-66335: Apache Doris MCP Server: MCP SQL inject (Mingyu Chen <morningman@...che.org>)
2026/04/17 #3: CVE-2026-33558: Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output (Luke Chen <showuon@...che.org>)
2026/04/17 #2: CVE-2026-33557: Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication (Luke Chen <showuon@...che.org>)
2026/04/17 #1: Re: Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory (yangjincheng1998@...il.com)
2026/04/16 #12: Re: [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability (cyber security <cs7778503@...il.com>)
2026/04/16 #11: Re: Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory (Solar Designer <solar@...nwall.com>)
2026/04/16 #10: Re: Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory (yangjincheng1998@...il.com)
2026/04/16 #9: Re: UAF in rsync 3.4.1 and below (Salvatore Bonaccorso <carnil@...ian.org>)
2026/04/16 #8: Re: Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/16 #7: CVE-2026-31987: Apache Airflow: JWT token appearing in logs (Rahul Vats <rahulvats@...che.org>)
2026/04/16 #6: Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory (yangjincheng1998@...il.com)
2026/04/16 #5: CVE-2025-27363: FontForge affected by FreeType heap-buffer-overflow; upstream maintainer declines under Community-guidelines #D1 (yangjincheng1998@...il.com)
2026/04/16 #4: Re: UAF in rsync 3.4.1 and below (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/16 #3: cosmic-greeter: Unsafe File System Operations in User Home Directories (CVE-2026-25704) (Matthias Gerstner <mgerstner@...e.de>)
2026/04/16 #2: UAF in rsync 3.4.1 and below (Przemyslaw Frasunek <przemyslaw@...sunek.com>)
2026/04/16 #1: Re: 7 vulnerabilities disclosed & patched in jq (Collin Funk <collin.funk1@...il.com>)
2026/04/15 #9: Re: Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/15 #8: 7 vulnerabilities disclosed & patched in jq (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/15 #7: [vim-security] Command injection via backtick expansion in tag filenames in Vim < v9.2.0357 (Christian Brabandt <cb@...bit.org>)
2026/04/15 #6: [CVE-2026-5713] CPython: Out-of-bounds read/write during remote debugging when connecting to malicious target (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/15 #5: Re: CVE-2026-5088: Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts (Jacques Deguest <jack@...uest.jp>)
2026/04/15 #4: CVE-2026-5088: Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts (Robert Rothenberg <rrwo@...nsec.org>)
2026/04/15 #3: CVE-2026-25219: Apache Airlfow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users … (Jarek Potiuk <potiuk@...che.org>)
2026/04/15 #2: CVE-2026-30778: Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information… (Kai Wan <wankai@...che.org>)
2026/04/15 #1: CVE-2025-54550: Apache Airflow: RCE by race condition in example_xcom dag (Jarek Potiuk <potiuk@...che.org>)
2026/04/14 #9: [OSSA-2026-007] OpenStack Keystone: LDAP identity backend does not convert enabled attribute to boolean (CVE PENDING) (Goutham Pacha Ravi <gouthampravi@...il.c…)
2026/04/14 #8: Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland (Olivier Fourdan <ofourdan@...hat.com>)
2026/04/14 #7: [disclosure] Multiple unpatched CVEs in libav (unmaintained FFmpeg fork, last update 2019) (yangjincheng1998@...il.com)
2026/04/14 #6: wolfSSL 5.9.1 CVE and non-CVE fixes (Solar Designer <solar@...nwall.com>)
2026/04/14 #5: wolfSSL ML-DSA: same-process heap reuse exposes private signing material, enabling signature forgery (Abhinav Agarwal <abhinavagarwal1996@...il.com>)
2026/04/14 #4: CVE-2026-33929: Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code (Tilman Hausherr <tilman@...che.org>)
2026/04/14 #3: CVE-2026-31908: Apache APISIX: forward auth plugin allows header injection (Abhishek Choudhary <shreemaanabhishek@...che.org>)
2026/04/14 #2: CVE-2026-31924: Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP (Abhishek Choudhary <shreemaanabhishek@...che.org>)
2026/04/14 #1: CVE-2026-31923: Apache APISIX: Openid-connect `tls_verify` field is disabled by default (Abhishek Choudhary <shreemaanabhishek@...che.org>)
2026/04/13 #12: CVE-2026-5086: Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks (Robert Rothenberg <rrwo@...nsec.org>)
2026/04/13 #11: [CVE-2026-4786] CPython: Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.… (Alan Coopersmith <alan.coopersmith@...c…)
2026/04/13 #10: [CVE-2026-6100] CPython: Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use … (Alan Coopersmith <alan.coopersmith@...c…)
2026/04/13 #9: Re: Security Audit of Hex, the Erlang package manager (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/13 #8: CVE-2026-39816: Apache NiFi: Missing Execute Code Required Permission on TinkerpopClientService (David Handermann <exceptionfactory@...che.org>)
2026/04/13 #7: CVE-2026-33858: Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API (Rahul Vats <rahulvats@...che.org>)
2026/04/13 #6: CVE-2025-66236: Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI (Rahul Vats <rahulvats@...che.org>)
2026/04/13 #5: CVE-2026-34884: Apache SkyWalking MCP: SSRF via set_skywalking_url Tool and GraphQL Expression Injection in MCP Server (Qiuxia Fan <qiuxiafan@...che.org>)
2026/04/13 #4: CVE-2026-34476: Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server (Qiuxia Fan <qiuxiafan@...che.org>)
2026/04/13 #3: CVE-2025-54057: Apache SkyWalking: Stored XSS vulnerability (Zhenxu Ke <kezhenxu94@...che.org>)
2026/04/13 #2: CVE-2026-5085: Solstice::Session versions through 1440 for Perl generates session ids insecurely (Robert Rothenberg <rrwo@...nsec.org>)
2026/04/13 #1: Re: Security Audit of Hex, the Erlang package manager (Alexander Patrakov <patrakov@...il.com>)
2026/04/12 #7: CVE-2026-35565: Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI (Richard Zowalla <rzo1@...che.org>)
2026/04/12 #6: CVE-2026-35337: Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling (Richard Zowalla <rzo1@...che.org>)
2026/04/12 #5: Re: GNU tar: listing/extraction desynchronization allows hidden file injection (Paul Eggert <eggert@...ucla.edu>)
2026/04/12 #4: Security Audit of Hex, the Erlang package manager (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/12 #3: Re: GNU tar: listing/extraction desynchronization allows hidden file injection (Collin Funk <collin.funk1@...il.com>)
2026/04/12 #2: Re: GNU tar: listing/extraction desynchronization allows hidden file injection (Solar Designer <solar@...nwall.com>)
2026/04/12 #1: Re: GNU tar: listing/extraction desynchronization allows hidden file injection (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/11 #11: Re: GNU tar: listing/extraction desynchronization allows hidden file injection (Collin Funk <collin.funk1@...il.com>)
2026/04/11 #10: GNU tar: listing/extraction desynchronization allows hidden file injection (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/11 #9: Avahi: Reachable assertion in transport_flags_from_domain (CVE-2026-34933) (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/11 #8: LibRaw 0.22.1 Release with security fixes (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/11 #7: Re: CVE-2026-35537+more: Roundcube arbitrary write + ID/XSS/etc. prior to 1.6.14 (Valtteri Vuorikoski <vuori@...com.org>)
2026/04/11 #6: CVE-2026-35537+more: Roundcube arbitrary write + ID/XSS/etc. prior to 1.6.14 (Valtteri Vuorikoski <vuori@...com.org>)
2026/04/11 #5: CPython [CVE-2026-3446] Base64 decoding stops at first padded quad by default (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/11 #4: CPython [CVE-2026-1502] HTTP client proxy tunnel headers not validated for CR/LF (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/11 #3: [kubernetes] CVE-2026-3865: CSI Driver for SMB path traversal via subDir may delete unintended directories on the SMB s… (Vinayak Goyal <vinayakankugoyal@...il.c…)
2026/04/11 #2: CVE-2026-40199: Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypas… (Stig Palmquist <stig@...g.io>)
2026/04/11 #1: CVE-2026-40198: Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass (Stig Palmquist <stig@...g.io>)
2026/04/10 #15: xdg-dbus-proxy CVE-2026-34080: Eavesdrop filter bypass allows message interception (Simon McVittie <smcv@...ian.org>)
2026/04/10 #14: xdg-desktop-portal GHSA-rqr9-jwwf-wxgj: Trashing of arbitrary host files (Simon McVittie <smcv@...ian.org>)
2026/04/10 #13: CVE-2026-40200: musl libc: stack corruption in qsort with sufficiently large inputs (Rich Felker <dalias@...c.org>)
2026/04/10 #12: CVE-2026-40023: Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to un… (Piotr Karwasz <pkarwasz@...che.org>)
2026/04/10 #11: CVE-2026-40021: Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbid… (Piotr Karwasz <pkarwasz@...che.org>)
2026/04/10 #10: CVE-2026-34481: Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTempla… (Piotr Karwasz <pkarwasz@...che.org>)
2026/04/10 #9: CVE-2026-34480: Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters (Piotr Karwasz <pkarwasz@...che.org>)
2026/04/10 #8: CVE-2026-34479: Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidd… (Piotr Karwasz <pkarwasz@...che.org>)
2026/04/10 #7: CVE-2026-34478: Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility (Piotr Karwasz <pkarwasz@...che.org>)
2026/04/10 #6: CVE-2026-34477: Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verifi… (Piotr Karwasz <pkarwasz@...che.org>)
2026/04/10 #5: CVE-2026-4631 [cockpit] Unauthenticated remote code execution due to SSH command-line argument injection (Jelle van der Waa <jelle@...aa.nl>)
2026/04/10 #4: Re: systemd-journald in systemd 259 does not escape characters in emerg messages that are wall'd to other user's terminals (Vincent Lefevre <vincent@...c17.net>)
2026/04/10 #3: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (Solar Designer <solar@...nwall.com>)
2026/04/10 #2: Re: X41 Advisory X41-2026-001: Guardrail Sandbox Escape in LiteLLM (Solar Designer <solar@...nwall.com>)
2026/04/10 #1: Re: systemd-journald in systemd 259 does not escape characters in emerg messages that are wall'd to other user's terminal… (Aaron Rainbolt <arraybolt3@...il.com>)
2026/04/09 #30: [OSSA-2026-006] OpenStack Skyline: DOM-based XSS in Skyline Console via unsanitized instance console log rendering (CVE… (Goutham Pacha Ravi <gouthampravi@...il.…)
2026/04/09 #29: CVE-2026-34500: Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (Mark Thomas <markt@...che.org>)
2026/04/09 #28: CVE-2026-34487: Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (Mark Thomas <markt@...che.org>)

32482 messages

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.