
Open Source Security Mailing List
Discussion of security flaws, concepts, and practices in the Open Source community
Latest Posts
rust-openssl-v0.10.78 fixes 5 CVEs
Alan Coopersmith (Apr 24)
https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78
was released on April 19, with a number of fixes, including these 5
security advisories:
https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-pqf5-4pqq-29f5 advises:
https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2 states:
https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-8c75-8mhr-p7r9 cautions:...
CVE-2026-40690: Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users
Rahul Vats (Apr 24)
Severity: low
Affected versions:
- Apache Airflow (apache-airflow) before 3.2.1
Description:
The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at
least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of
DAGs and assets outside their authorized scope.
Users are recommended to upgrade to version 3.2.1, which...
CVE-2026-38743: Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities
Rahul Vats (Apr 24)
Severity: low
Affected versions:
- Apache Airflow (apache-airflow) before 3.2.1
Description:
The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and
TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts
(including their request parameters) and full TaskInstance details for DAGs outside their authorized scope. Because
HITL...
CVE-2025-62233: Apache DolphinScheduler: Deserialization of untrusted data in RPC
Wenjun Ruan (Apr 23)
Severity: Moderate
Affected versions:
- Apache DolphinScheduler (org.apache.dolphinscheduler:dolphinscheduler-extract-base) 3.2.0 before 3.3.1
Description:
Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.
This issue affects Apache DolphinScheduler:
Version >= 3.2.0 and < 3.3.1.
Attackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest,...
CVE-2026-23902: Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution.
Wenjun Ruan (Apr 23)
Severity: moderate
Affected versions:
- Apache DolphinScheduler (org.apache.dolphinscheduler:dolphinscheduler-api) before 3.4.1
Description:
Incorrect Authorization vulnerability in Apache DolphinScheduler allows authenticated users with system login
permissions to use tenants that are not defined on the platform during workflow execution.
This issue affects Apache DolphinScheduler versions prior to 3.4.1.
Users are recommended to...
CVE-2026-41044: Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perform RCE via DestinationView MBean exposed by Jolokia
Christopher L. Shannon (Apr 23)
Severity: important
Affected versions:
- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.6
- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.5
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.6
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.5
- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.6
- Apache ActiveMQ All...
CVE-2026-41043: Apache ActiveMQ, Apache ActiveMQ Web: ActiveMQ Web Console - XSS vulnerability when browsing queues
Christopher L. Shannon (Apr 23)
Severity: important
Affected versions:
- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.6
- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.5
- Apache ActiveMQ Web (org.apache.activemq:activemq-web) before 5.19.6
- Apache ActiveMQ Web (org.apache.activemq:activemq-web) 6.0.0 before 6.2.5
Description:
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache...
CVE-2026-40466: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Possible bypass of CVE-2026-34197 via HTTP discovery second-stage URI
Christopher L. Shannon (Apr 23)
Severity: important
Affected versions:
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.6
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.5
- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.6
- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.5
- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.6
- Apache ActiveMQ...
PowerDNS Authoritative Server 4.9.14 and 5.0.4 released
Miod Vallat (Apr 23)
Today, we are releasing two new versions of the PowerDNS Authoritative
Server. These 4.9.14 and 5.0.4 versions provide fixes for the following
PowerDNS Security Advisory:
* [1]PowerDNS Security Advisory 2026-05: Multiple Issues
The security issues being fixed with these releases are low or
medium-severity, and most of them involve specific backends and/or
configurations. They are:
* CVE-2026-33257 An attacker can send a web request that...
CVE-2026-41564: CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking
Stig Palmquist (Apr 23)
========================================================================
CVE-2026-41564 CPAN Security Group
========================================================================
CVE ID: CVE-2026-41564
Distribution: CryptX
Versions: before 0.088
MetaCPAN: https://metacpan.org/dist/CryptX
VCS Repo: https://github.com/DCIT/perl-CryptX
CryptX versions before 0.088 for Perl do not...
PowerDNS Security Advisory 2026-03 for PowerDNS Recursor: Multiple issues
Otto Moerbeek (Apr 23)
We have released PowerDNS Recursor 5.2.9, 5.3.6 and 5.4.1.
These releases provide fixes for PowerDNS Security Advisory
* 2026-03 for PowerDNS Recursor: Multiple issues
There are several CVEs associated with this advisory, all of severity
Medium.
__________________________________________________________________
* CVE-2026-33256 Unbounded memory allocation by internal web server,
affected 5.3.5, 5.4.0
*...
[vim-security] OS Command Injection in netrw affects Vim < 9.2.0383
Christian Brabandt (Apr 22)
OS Command Injection in netrw affects Vim < 9.2.0383
=====================================================
Date: 21.04.2026
Severity: Medium
CVE: *requested, not yet assigned*
CWE: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
## Summary
An OS command injection vulnerability exists in the `netrw` standard
plugin bundled with Vim. By inducing a user to open a crafted URL (e.g.,...
Re: CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow
Steffen Nurpmeso (Apr 22)
Sam James wrote in
<87bjfcnh0n.fsf () gentoo org>:
|Sam James <sam () gentoo org> writes:
|> Robert Rothenberg <rrwo () cpansec org> writes:
...
|>> CVE ID: CVE-2017-20230
|>> Distribution: Storable
|>> Versions: before 3.05
|>>
|>> MetaCPAN: https://metacpan.org/dist/Storable
|>> VCS Repo: https://github.com/Perl/perl5/...
CVE-2026-41651: TOCTOU vulnerability in PackageKit <= 1.3.4 leads to local root exploit
Matthias Klumpp (Apr 22)
Hello everyone!
I am the maintainer of PackageKit, a D-Bus abstraction layer for
distribution package management that is commonly used on non-atomic
(Linux) desktop distributions, as well as some servers running
management software that make use of it.
A vulnerability was reported to the project by Deutsche Telekom’s Red
Team that allows the user to install/remove arbitrary packages, leading
to a local root exploit on most systems....
[SECURITY] CVE-2026-40542: Apache HttpClient 5.6 SCRAM-SHA-256 mutual authentication bypass
Arturo Bernal (Apr 22)
Severity: important
Affected versions:
- Apache HttpClient 5.6
Description:
A missing critical step in authentication in Apache HttpClient 5.6 may
allow an attacker to cause the client to accept SCRAM-SHA-256
authentication without proper mutual authentication verification.
Users are recommended to upgrade to Apache HttpClient 5.6.1, which corrects
this issue.
Credit:
This issue was reported by Rasmus Moorats.
References:...