oss-security mailing list

Follow @Openwall on Twitter for new release announcements and other news

oss-security mailing list

	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2026	141	103	190	311	455	266
2025	92	75	93	105	94	100	69	75	107	112	106	140
2024	80	100	178	197	72	47	128	107	58	52	87	44
2023	69	62	100	107	99	78	87	60	122	198	86	101
2022	116	50	47	79	83	58	77	86	76	70	95	108
2021	92	91	98	90	88	59	61	82	49	76	60	47
2020	52	47	38	82	70	67	76	64	71	85	90	66
2019	102	48	49	86	51	103	107	80	71	75	67	70
2018	122	81	84	81	71	104	71	135	78	120	75	84
2017	252	278	171	171	209	278	225	157	214	162	196	93
2016	258	207	271	183	267	193	214	184	287	294	257	241
2015	377	336	355	319	277	243	266	197	195	206	205	208
2014	214	252	249	211	183	317	273	201	413	485	382	318
2013	217	323	246	258	200	201	260	265	163	203	182	199
2012	333	189	294	216	234	128	150	207	234	192	191	161
2011	153	169	318	354	159	224	258	164	137	203	241	146
2010	72	96	123	118	115	142	119	144	203	84	187	139
2009	89	81	75	114	96	59	84	99	102	122	108	74
2008		104	103	143	136	112	150	125	127	123	128	107

Recent messages:

2026/06/25 #6: PowerDNS Security Advisory 2026-07: Insufficient input validation of internal web server (Miod Vallat <miod.vallat@...erdns.com>)
2026/06/25 #5: CVE-2026-54226: Apache Kvrocks: RESTORE IntSet Integer Overflow Leads to Remote DoS (Hulk Lin <hulk@...che.org>)
2026/06/25 #4: CVE-2026-46752: Apache Kvrocks: Stack buffer overflow in Lua bit.tohex() (Hulk Lin <hulk@...che.org>)
2026/06/25 #3: CVE-2026-46751: Apache Kvrocks: Does not remove the unsafe loadstring function from its Lua sandbox, allowing a user who can run EVA… (Hulk Lin <hulk@...che.org>)
2026/06/25 #2: CVE-2026-45188: Apache Kvrocks: Replication Fullsync Path Traversal via Unvalidated Filename Handling (Hulk Lin <hulk@...che.org>)
2026/06/25 #1: CVE-2026-41566: Apache Kvrocks: Improper permission for the APPLYBATCH command (Hulk Lin <hulk@...che.org>)
2026/06/24 #9: [vim-security] Out-of-bounds Write in SAL Soundfolding in Vim < 9.2.0725 (Christian Brabandt <cb@...bit.org>)
2026/06/24 #8: CVE-2026-56130: Apache Shiro: Remember-me cookie isn't checked for expiry on the server (Lenny Primak <lprimak@...che.org>)
2026/06/24 #7: CVE-2026-56091: Apache Shiro: Authentication bypass in Guice-Web integration (Lenny Primak <lprimak@...che.org>)
2026/06/24 #6: Re: libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high) (Sevan Janiyan <venture37@...klan.co.uk>)
2026/06/24 #5: Re: Squid CVE-2026-47729 and CVE-2026-50012 (Rolf Reintjes <rolf.reintjes@....de>)
2026/06/24 #4: Multiple vulnerabilities in Jenkins plugins (Kevin Guerroudj <kguerroudj@...udbees.com>)
2026/06/24 #3: Re: libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high) (Sevan Janiyan <venture37@...klan.co.uk>)
2026/06/24 #2: Re: Squid CVE-2026-47729 and CVE-2026-50012 (Christian Fischer <christian.fischer@...enbone.net>)
2026/06/24 #1: [SECURITY ADVISORIES] for curl 8.21.0 (Daniel Stenberg <daniel@...x.se>)
2026/06/23 #11: Re: libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high) (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/06/23 #10: libssh2: CVE-2026-55200 (critical), CVE-2025-15661 (high), CVE-2026-55199 (high) (James Addison <james@...iperadar.com>)
2026/06/23 #9: Plone: various security fixes 20260623 (Maurits van Rees <maurits@...rees.org>)
2026/06/23 #8: icalendar: Denial of Service CVE-2026-55099 (Maurits van Rees <maurits@...rees.org>)
2026/06/23 #7: [CVE-2026-50160] Hoppscotch: Unauthenticated JWT Secret Overwrite (CVSS 10.0) (Aditi Bhatnagar <aditi@...gridsec.com>)
2026/06/23 #6: [CVE-2026-11940] Cpython: tarfile extraction filter bypass allows escaping the destination directory (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/06/23 #5: [OSSA-2026-024] OpenStack Swift: Swift proxy-server SSRF via header injection (CVE-2026-50221) (Goutham Pacha Ravi <gouthampravi@...il.com>)
2026/06/23 #4: CVE-2026-55556: rsyslog imhttp Basic Auth heap overflow (Rainer Gerhards <rgerhards@...adiscon.com>)
2026/06/23 #3: Re: Common PKCS#7 / CMS parsing issues in OpenSSL, WolfSSL, Bouncy Castle, & GnuPG (Peter Gutmann <pgut001@...auckland.ac.nz>)
2026/06/23 #2: pwnlift: symlink following and TOCTOU in privileged upload handler allow arbitrary file write as root (GregD <gregdurys.security@...ton.me>)
2026/06/23 #1: CVE-2026-9733: Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parame… (Robert Rothenberg <rrwo@...nsec.org>)
2026/06/22 #7: Common PKCS#7 / CMS parsing issues in OpenSSL, WolfSSL, Bouncy Castle, & GnuPG (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/06/22 #6: Re: Proposal: Add separate oss-security-vulnerability-reports mailing list (for AI vulnpocalypse) (Jeremy Stanley <fungi@...goth.org>)
2026/06/22 #5: Re: Proposal: Add separate oss-security-vulnerability-reports mailing list (for AI vulnpocalypse) (Sylvain Beucler <beuc@...c.net>)
2026/06/22 #4: CVE-2026-11373: Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections (Robert Rothenberg <rrwo@...nsec.org>)
2026/06/22 #3: CVE-2026-6653: libxml2: use after free in xmlParseInternalSubset (>=2.9.11, <2.11.0) (Sudhakar Verma <sudhakar.verma@...onical.com>)
2026/06/22 #2: Re: Squid CVE-2026-47729 and CVE-2026-50012 (Salvatore Bonaccorso <carnil@...ian.org>)
2026/06/22 #1: CVE-2025-66336: Apache Doris MCP Server: SQL injection leading the authentication bypass (Calvin Kirs <kirs@...che.org>)
2026/06/21 #2: [vim-security] Arbitrary Code Execution via Python Omni-Completion Docstrings in Vim < 9.2.0699 (Christian Brabandt <cb@...bit.org>)
2026/06/21 #1: [vim-security] Out-of-bounds Write in SOFO Soundfolding in Vim < 9.2.0698 (Christian Brabandt <cb@...bit.org>)
2026/06/20 #7: CVE-2026-54665: Apache NiFi: Missing Validation for Proxy Host Headers (David Handermann <exceptionfactory@...che.org>)
2026/06/20 #6: CVE-2026-44914: Apache NiFi: Missing Authorization of Restricted Permissions when Replacing Flow Contents (David Handermann <exceptionfactory@...che.org>)
2026/06/20 #5: CVE-2026-44913: Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL (David Handermann <exceptionfactory@...che.org>)
2026/06/20 #4: CVE-2026-44911: Apache NiFi: Incorrect Authorization for Configuration Verification Requests (David Handermann <exceptionfactory@...che.org>)
2026/06/20 #3: [vim-security] Out-of-bounds Read with Text Properties in Vim >= 9.2.0320 && Vim < 9.2.0679 (Christian Brabandt <cb@...bit.org>)
2026/06/20 #2: [vim-security] PowerShell Command Injection in zip.vim via Crafted Archive Entry Names in Vim > 9.1.1783 && Vim < 9.2.0678 (Christian Brabandt <cb@...bit.org>)
2026/06/20 #1: CVE-2025-62198: Apache Atlas: Stored XSS in Create Entity page (Madhan Neethiraj <madhan@...che.org>)
2026/06/19 #16: Re: Fwd: Node.js security updates for all active release lines, June 2026 (Solar Designer <solar@...nwall.com>)
2026/06/19 #15: CVE-2026-49872: Apache APISIX: Improper authentication in cas-auth plugin (Abhishek Choudhary <shreemaanabhishek@...che.org>)
2026/06/19 #14: CVE-2026-49871: Apache APISIX: cas-auth login CSRF / session injection issue (Abhishek Choudhary <shreemaanabhishek@...che.org>)
2026/06/19 #13: CVE-2026-49231: Apache APISIX: Identity spoofing issue in APISIX opa plugin (Abhishek Choudhary <shreemaanabhishek@...che.org>)
2026/06/19 #12: CVE-2026-49230: Apache APISIX: Authentication bypass in jwe-decrypt (Abhishek Choudhary <shreemaanabhishek@...che.org>)
2026/06/19 #11: CVE-2026-48895: Apache APISIX: Cas-auth Host header influence on CAS service URL (Abhishek Choudhary <shreemaanabhishek@...che.org>)
2026/06/19 #10: CVE-2026-47341: Apache APISIX: Session replay issue in hmac-auth (Abhishek Choudhary <shreemaanabhishek@...che.org>)
2026/06/19 #9: CVE-2026-47339: Apache APISIX: authz-casdoor incorrect session sharing (Abhishek Choudhary <shreemaanabhishek@...che.org>)
2026/06/19 #8: CVE-2026-44915: Apache APISIX: Cas-auth plugin open redirect via unsanitized cookie value (Abhishek Choudhary <shreemaanabhishek@...che.org>)
2026/06/19 #7: CVE-2026-44087: Apache APISIX: Openid-connect plugin Identity Header Spoofing (Abhishek Choudhary <shreemaanabhishek@...che.org>)
2026/06/19 #6: CVE-2026-44046: Apache APISIX: wolf-rbac plugin Identity Spoofing (Abhishek Choudhary <shreemaanabhishek@...che.org>)
2026/06/19 #5: CVE-2026-39999: Apache APISIX: JWT Algorithm Confusion allows authentication bypass (Abhishek Choudhary <shreemaanabhishek@...che.org>)
2026/06/19 #4: CVE-2026-39998: Apache APISIX: Identity Injection via forward-auth Plugin Missing Header Cleanup (Abhishek Choudhary <shreemaanabhishek@...che.org>)
2026/06/19 #3: OpenBSD mpls_do_error: Remote Kernel Stack Disclosure via MPLS Label Stack Over-read (shj <shahriyar@...eray.co.uk>)
2026/06/19 #2: [containerd] Patch releases addressing CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, and CVE-2026-47262 (Samuel Karp <sam@...uelkarp.com>)
2026/06/19 #1: Re: Squid CVE-2026-47729 and CVE-2026-50012 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/06/18 #7: [vim-security] Out-of-bounds Read with libsodium-encrypted Files in Vim < 9.2.0671 (Christian Brabandt <cb@...bit.org>)
2026/06/18 #6: CVE-2026-9692: Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely (Robert Rothenberg <rrwo@...nsec.org>)
2026/06/18 #5: Re: Proposal: Add separate oss-security-vulnerability-reports mailing list (for AI vulnpocalypse) (Jeremy Stanley <fungi@...goth.org>)
2026/06/18 #4: Fwd: Node.js security updates for all active release lines, June 2026 (Rafael Gonzaga <work@...aelgss.dev>)
2026/06/18 #3: Re: Proposal: Add separate oss-security-vulnerability-reports mailing list (for AI vulnpocalypse) (Sylvain Beucler <beuc@...c.net>)
2026/06/18 #2: Re: How to request CVE numbers? (Marta Rybczynska <rybczynska@...il.com>)
2026/06/18 #1: [CVE-2026-43495] Linux kernel: slab out-of-bounds read in MediaTek t7xx WWAN driver (Pavitra Jha <jhapavitra98@...il.com>)
2026/06/17 #10: [vim-security] Out-of-bounds Read in Text Property Count in Vim < 9.2.0670 (Christian Brabandt <cb@...bit.org>)
2026/06/17 #9: Re: Proposal: Add separate oss-security-vulnerability-reports mailing list (for AI vulnpocalypse) ("David A. Wheeler" <dwheeler@...eeler.com>)
2026/06/17 #8: CVE-2026-49268: Apache Shiro: LDAP DN Injection in DefaultLdapRealm (Lenny Primak <lprimak@...che.org>)
2026/06/17 #7: CVE-2026-41280: Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to del… (Wenjun Ruan <wenjun@...che.org>)
2026/06/17 #6: CVE-2026-49050: Apache DolphinScheduler: General user can mint admin access tokens via /access-tokens (Wenjun Ruan <wenjun@...che.org>)
2026/06/17 #5: CVE-2026-47340: Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated users to access alert i… (Wenjun Ruan <wenjun@...che.org>)
2026/06/17 #4: CVE-2026-42357: Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance informa… (Wenjun Ruan <wenjun@...che.org>)
2026/06/17 #3: CVE-2026-32967: Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks (Wenjun Ruan <wenjun@...che.org>)
2026/06/17 #2: CVE-2026-32966: Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Dis… (Wenjun Ruan <wenjun@...che.org>)
2026/06/17 #1: [CVE-2026-36849] libtiff: Denial of Service via large SamplesPerPixel tag (Ryo utomo <utomoryo395@...il.com>)
2026/06/16 #13: [vim-security] Vimscript Code Injection in netrw NetrwLocalRmFile() via crafted filename affects Vim < 9.2.0663 (Christian Brabandt <cb@...bit.org>)
2026/06/16 #12: [vim-security] Out-of-bounds Write in Spell File Prefix Dump in Vim < 9.2.0662 (Christian Brabandt <cb@...bit.org>)
2026/06/16 #11: [OSSN-0100] Ironic: Command Injection in IPA (CVE-2026-43003) (Jay Faulkner <jay@....cc>)
2026/06/16 #10: [OSSA-2026-023] Ironic: Sensitive properties returned unredacted in POST and PATCH HTTP responses (CVE-2026-54421) (Jay Faulkner <jay@....cc>)
2026/06/16 #9: OpenBSD sppp_pap_input: PAP authentication bypass (shj <shahriyar@...eray.co.uk>)
2026/06/16 #8: [CVE-2026-12003] CPython In-tree (development) search paths can be enabled without modifying install directory (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/06/16 #7: Re: Proposal: Add separate oss-security-vulnerability-reports mailing list (for AI vulnpocalypse) (3v <ventic@...fi>)
2026/06/16 #6: Pacemaker: Denial of Service via integer overflow in remote message decompression (CVE-2026-10649) (Marco Benatto <mbenatto@...hat.com>)
2026/06/16 #5: [OSSA-2026-022] OpenStack Nova: Nova scheduler hint injection bypasses Placement resource claims and scheduling constra… (Goutham Pacha Ravi <gouthampravi@...il.…)
2026/06/16 #4: Re: Proposal: Add separate oss-security-vulnerability-reports mailing list (for AI vulnpocalypse) (Prentice Bisbal <prentice@...r.edu>)
2026/06/16 #3: CVE-2026-50203: Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory allows local file write outside th… (Jarek Potiuk <potiuk@...che.org>)
2026/06/16 #2: 'rcp' and friends meet escape characters and quoting (Collin Funk <collin.funk1@...il.com>)
2026/06/16 #1: Fwd: gsasl-2.2.4 released - fixes heap disclosure (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/06/15 #11: CVE-2026-11832: Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce (Robert Rothenberg <rrwo@...nsec.org>)
2026/06/15 #10: CVE-2026-12087: Socket versions before 2.041 for Perl have an out-of-bounds heap read (Robert Rothenberg <rrwo@...nsec.org>)
2026/06/15 #9: [OSSA-2026-017] Errata 1: Ironic: Script injection during node boot via linux command line override (CVE-2026-46447) (Jay Faulkner <jay@....cc>)
2026/06/15 #8: [vim-security] Out-of-bounds Write in Spell File Word Count in Vim < 9.2.0653 (Christian Brabandt <cb@...bit.org>)
2026/06/15 #7: tmux 3.6b fixes CVE-2026-11623 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/06/15 #6: Re: Proposal: Add separate oss-security-vulnerability-reports mailing list (for AI vulnpocalypse) (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/06/15 #5: Re: How to request CVE numbers? (Salvatore Bonaccorso <carnil@...ian.org>)
2026/06/15 #4: CVE-2026-12205: Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recove… (Timothy Legge <timlegge@...nsec.org>)
2026/06/15 #3: Re: Squid CVE-2026-47729 and CVE-2026-50012 (Amos Jeffries <squid3@...enet.co.nz>)
2026/06/15 #2: Re: Proposal: Add separate oss-security-vulnerability-reports mailing list (for AI vulnpocalypse) (Stuart Henderson <stu@...cehopper.org>)
2026/06/15 #1: Re: Proposal: Add separate oss-security-vulnerability-reports mailing list (for AI vulnpocalypse) ("David A. Wheeler" <dwheeler@...eeler.com>)
2026/06/14 #5: CVE-2026-11527: Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open(… (Paul Johnson <paul@...j.net>)

33333 messages

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.