Dangerzone Security Dashboard

- Target: ghcr.io/freedomofpress/dangerzone/v1:latest
- Type: image
- Checksum: sha256:ee2f6e8651591cdb780c1c20aba4c9fa67d9a1ce1efc8247df5ec72e22fcaaa2
- Date: 2026-04-29T05:32:44.533072955Z

Findings by severity:

- Critical: 2
- High: 41
- Medium: 171
- Low: 45
- Unknown: 0
| Name | Version | Type | Vulnerability | Severity | State | Fixed In | Description | Related URLs | PURL |
|---|---|---|---|---|---|---|---|---|---|
| login.defs | 1:4.17.4-2 | deb | CVE-2024-56433 | Low | wont-fix | N/A | shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid. | [] | pkg:deb/debian/login.defs@1%3A4.17.4-2?arch=all&distro=debian-13&upstream=shadow |
| passwd | 1:4.17.4-2 | deb | CVE-2024-56433 | Low | wont-fix | N/A | shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid. | [] | pkg:deb/debian/passwd@1%3A4.17.4-2?arch=amd64&distro=debian-13&upstream=shadow |
| libpython3.13 | 3.13.5-2 | deb | CVE-2025-6069 | Medium | wont-fix | N/A | The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial of service. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2025-6069 | Medium | wont-fix | N/A | The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial of service. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2025-6069 | Medium | wont-fix | N/A | The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial of service. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2025-6069 | Medium | wont-fix | N/A | The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial of service. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2025-6069 | Medium | wont-fix | N/A | The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial of service. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13 | 3.13.5-2 | deb | CVE-2025-8194 | High | wont-fix | N/A | There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2025-8194 | High | wont-fix | N/A | There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2025-8194 | High | wont-fix | N/A | There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2025-8194 | High | wont-fix | N/A | There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2025-8194 | High | wont-fix | N/A | There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpoppler147 | 25.03.0-5+deb13u2 | deb | CVE-2019-9543 | Low | wont-fix | N/A | An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfseparate binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JArithmeticDecoder::decodeBit. | [] | pkg:deb/debian/libpoppler147@25.03.0-5%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=poppler |
| libmupdf25.1 | 1.25.1+ds1-6+deb13u1 | deb | CVE-2025-46206 | Medium | wont-fix | N/A | An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion | [] | pkg:deb/debian/libmupdf25.1@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| python3-mupdf | 1.25.1+ds1-6+deb13u1 | deb | CVE-2025-46206 | Medium | wont-fix | N/A | An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion | [] | pkg:deb/debian/python3-mupdf@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| libopenjp2-7 | 2.5.3-2.1~deb13u1 | deb | CVE-2019-6988 | Low | wont-fix | N/A | An issue was discovered in OpenJPEG 2.3.0. It allows remote attackers to cause a denial of service (attempted excessive memory allocation) in opj_calloc in openjp2/opj_malloc.c, when called from opj_tcd_init_tile in openjp2/tcd.c, as demonstrated by the 64-bit opj_decompress. | [] | pkg:deb/debian/libopenjp2-7@2.5.3-2.1~deb13u1?arch=amd64&distro=debian-13&upstream=openjpeg2 |
| libpython3.13 | 3.13.5-2 | deb | CVE-2025-12084 | Medium | wont-fix | N/A | When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2025-12084 | Medium | wont-fix | N/A | When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2025-12084 | Medium | wont-fix | N/A | When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2025-12084 | Medium | wont-fix | N/A | When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2025-12084 | Medium | wont-fix | N/A | When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| openjdk-21-jre-headless | 21.0.10+7-1~deb13u1 | deb | CVE-2026-22016 | High | fixed | | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | [] | pkg:deb/debian/openjdk-21-jre-headless@21.0.10%2B7-1~deb13u1?arch=amd64&distro=debian-13&upstream=openjdk-21 |
| libpython3.13 | 3.13.5-2 | deb | CVE-2026-0672 | Medium | wont-fix | N/A | When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2026-0672 | Medium | wont-fix | N/A | When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2026-0672 | Medium | wont-fix | N/A | When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2026-0672 | Medium | wont-fix | N/A | When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2026-0672 | Medium | wont-fix | N/A | When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libcairo2 | 1.18.4-1+b1 | deb | CVE-2017-7475 | Low | wont-fix | N/A | Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash. | [] | pkg:deb/debian/libcairo2@1.18.4-1%2Bb1?arch=amd64&distro=debian-13&upstream=cairo%401.18.4-1 |
| libpoppler147 | 25.03.0-5+deb13u2 | deb | CVE-2019-9545 | Low | wont-fix | N/A | An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readTextRegion() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JBIG2Bitmap::clearToZero. | [] | pkg:deb/debian/libpoppler147@25.03.0-5%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=poppler |
| libpython3.13 | 3.13.5-2 | deb | CVE-2026-0865 | Medium | wont-fix | N/A | User-controlled header names and values containing newlines can allow injecting HTTP headers. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2026-0865 | Medium | wont-fix | N/A | User-controlled header names and values containing newlines can allow injecting HTTP headers. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2026-0865 | Medium | wont-fix | N/A | User-controlled header names and values containing newlines can allow injecting HTTP headers. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2026-0865 | Medium | wont-fix | N/A | User-controlled header names and values containing newlines can allow injecting HTTP headers. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2026-0865 | Medium | wont-fix | N/A | User-controlled header names and values containing newlines can allow injecting HTTP headers. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13 | 3.13.5-2 | deb | CVE-2025-8291 | Medium | wont-fix | N/A | The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record: the offset value in that record was not used to locate the ZIP64 EOCD record; instead, the ZIP64 EOCD record was assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2025-8291 | Medium | wont-fix | N/A | The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record: the offset value in that record was not used to locate the ZIP64 EOCD record; instead, the ZIP64 EOCD record was assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2025-8291 | Medium | wont-fix | N/A | The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record: the offset value in that record was not used to locate the ZIP64 EOCD record; instead, the ZIP64 EOCD record was assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2025-8291 | Medium | wont-fix | N/A | The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record: the offset value in that record was not used to locate the ZIP64 EOCD record; instead, the ZIP64 EOCD record was assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2025-8291 | Medium | wont-fix | N/A | The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record: the offset value in that record was not used to locate the ZIP64 EOCD record; instead, the ZIP64 EOCD record was assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libmupdf25.1 | 1.25.1+ds1-6+deb13u1 | deb | CVE-2025-55780 | High | wont-fix | N/A | A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain. | [] | pkg:deb/debian/libmupdf25.1@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| python3-mupdf | 1.25.1+ds1-6+deb13u1 | deb | CVE-2025-55780 | High | wont-fix | N/A | A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain. | [] | pkg:deb/debian/python3-mupdf@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| libtasn1-6 | 4.20.0-2 | deb | CVE-2025-13151 | High | wont-fix | N/A | Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string. | [] | pkg:deb/debian/libtasn1-6@4.20.0-2?arch=amd64&distro=debian-13 |
| libc-bin | 2.41-12+deb13u2 | deb | CVE-2026-5450 | Critical | wont-fix | N/A | Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow. | [] | pkg:deb/debian/libc-bin@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc |
| libc6 | 2.41-12+deb13u2 | deb | CVE-2026-5450 | Critical | wont-fix | N/A | Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow. | [] | pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc |
| libpython3.13 | 3.13.5-2 | deb | CVE-2025-15366 | Medium | wont-fix | N/A | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13 | 3.13.5-2 | deb | CVE-2025-15367 | Medium | wont-fix | N/A | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2025-15366 | Medium | wont-fix | N/A | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2025-15367 | Medium | wont-fix | N/A | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2025-15366 | Medium | wont-fix | N/A | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2025-15367 | Medium | wont-fix | N/A | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2025-15366 | Medium | wont-fix | N/A | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13 | 3.13.5-2 | deb | CVE-2025-15367 | Medium | wont-fix | N/A | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2025-15366 | Medium | wont-fix | N/A | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2025-15367 | Medium | wont-fix | N/A | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libavahi-client3 | 0.8-16 | deb | CVE-2024-52616 | Medium | wont-fix | N/A | A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2024-52616 | Medium | wont-fix | N/A | A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2024-52616 | Medium | wont-fix | N/A | A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libc-bin | 2.41-12+deb13u2 | deb | CVE-2026-4437 | High | wont-fix | N/A | Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer. | [] | pkg:deb/debian/libc-bin@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc |
| libc6 | 2.41-12+deb13u2 | deb | CVE-2026-4437 | High | wont-fix | N/A | Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer. | [] | pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc |
| libnss3 | 2:3.110-1+deb13u1 | deb | CVE-2026-6772 | High | not-fixed | N/A | Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. | [] | pkg:deb/debian/libnss3@2%3A3.110-1%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=nss |
| libexpat1 | 2.7.1-2 | deb | CVE-2025-59375 | High | wont-fix | N/A | libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| libcurl3t64-gnutls | 8.14.1-2+deb13u2 | deb | CVE-2026-1965 | Medium | wont-fix | N/A | libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection, a range of criteria must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason is that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and, since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1. The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API). | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u2 | deb | CVE-2026-1965 | Medium | wont-fix | N/A | libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection, a range of criteria must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason is that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and, since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1. The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API). | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl |
| libopenjp2-7 | 2.5.3-2.1~deb13u1 | deb | CVE-2023-39329 | Medium | wont-fix | N/A | A flaw was found in OpenJPEG. A resource exhaustion can occur in the opj_t1_decode_cblks function in tcd.c through a crafted image file, causing a denial of service. | [] | pkg:deb/debian/libopenjp2-7@2.5.3-2.1~deb13u1?arch=amd64&distro=debian-13&upstream=openjpeg2 |
| libharfbuzz-icu0 | 10.2.0-1+b1 | deb | CVE-2026-22693 | Medium | wont-fix | N/A | HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0. | [] | pkg:deb/debian/libharfbuzz-icu0@10.2.0-1%2Bb1?arch=amd64&distro=debian-13&upstream=harfbuzz%4010.2.0-1 |
| libharfbuzz0b | 10.2.0-1+b1 | deb | CVE-2026-22693 | Medium | wont-fix | N/A | HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0. | [] | pkg:deb/debian/libharfbuzz0b@10.2.0-1%2Bb1?arch=amd64&distro=debian-13&upstream=harfbuzz%4010.2.0-1 |
| openjdk-21-jre-headless | 21.0.10+7-1~deb13u1 | deb | CVE-2026-34282 | High | fixed | | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | [] | pkg:deb/debian/openjdk-21-jre-headless@21.0.10%2B7-1~deb13u1?arch=amd64&distro=debian-13&upstream=openjdk-21 |
| libavahi-client3 | 0.8-16 | deb | CVE-2024-52615 | Medium | wont-fix | N/A | A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2024-52615 | Medium | wont-fix | N/A | A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2024-52615 | Medium | wont-fix | N/A | A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| bsdutils | 1:2.41-5 | deb | CVE-2026-3184 | Low | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/bsdutils@1%3A2.41-5?arch=amd64&distro=debian-13&upstream=util-linux%402.41-5 |
| libblkid1 | 2.41-5 | deb | CVE-2026-3184 | Low | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/libblkid1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| liblastlog2-2 | 2.41-5 | deb | CVE-2026-3184 | Low | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/liblastlog2-2@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| libmount1 | 2.41-5 | deb | CVE-2026-3184 | Low | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/libmount1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| libsmartcols1 | 2.41-5 | deb | CVE-2026-3184 | Low | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/libsmartcols1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| libuuid1 | 2.41-5 | deb | CVE-2026-3184 | Low | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/libuuid1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| login | 1:4.16.0-2+really2.41-5 | deb | CVE-2026-3184 | Low | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/login@1%3A4.16.0-2%2Breally2.41-5?arch=amd64&distro=debian-13&upstream=util-linux%402.41-5 |
| mount | 2.41-5 | deb | CVE-2026-3184 | Low | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/mount@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| util-linux | 2.41-5 | deb | CVE-2026-3184 | Low | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/util-linux@2.41-5?arch=amd64&distro=debian-13 |
| libncursesw6 | 6.5+20250216-2 | deb | CVE-2025-6141 | Medium | wont-fix | N/A | A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. | [] | pkg:deb/debian/libncursesw6@6.5%2B20250216-2?arch=amd64&distro=debian-13&upstream=ncurses |
| libtinfo6 | 6.5+20250216-2 | deb | CVE-2025-6141 | Medium | wont-fix | N/A | A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. | [] | pkg:deb/debian/libtinfo6@6.5%2B20250216-2?arch=amd64&distro=debian-13&upstream=ncurses |
| ncurses-base | 6.5+20250216-2 | deb | CVE-2025-6141 | Medium | wont-fix | N/A | A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. | [] | pkg:deb/debian/ncurses-base@6.5%2B20250216-2?arch=all&distro=debian-13&upstream=ncurses |
| ncurses-bin | 6.5+20250216-2 | deb | CVE-2025-6141 | Medium | wont-fix | N/A | A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. | [] | pkg:deb/debian/ncurses-bin@6.5%2B20250216-2?arch=amd64&distro=debian-13&upstream=ncurses |
| libc-bin | 2.41-12+deb13u2 | deb | CVE-2026-5928 | High | wont-fix | N/A | Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets. | [] | pkg:deb/debian/libc-bin@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc |
| libc6 | 2.41-12+deb13u2 | deb | CVE-2026-5928 | High | wont-fix | N/A | Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets. | [] | pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc |
| libxml2 | 2.12.7+dfsg+really2.9.14-2.1+deb13u2 | deb | CVE-2026-0990 | Medium | wont-fix | N/A | A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. | [] | pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=amd64&distro=debian-13 |
| libnss3 | 2:3.110-1+deb13u1 | deb | CVE-2026-6766 | High | not-fixed | N/A | Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. | [] | pkg:deb/debian/libnss3@2%3A3.110-1%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=nss |
| libc-bin | 2.41-12+deb13u2 | deb | CVE-2026-4046 | High | wont-fix | N/A | The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them. | [] | pkg:deb/debian/libc-bin@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc |
| libc6 | 2.41-12+deb13u2 | deb | CVE-2026-4046 | High | wont-fix | N/A | The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them. | [] | pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc |
| libpython3.13 | 3.13.5-2 | deb | CVE-2026-1502 | Medium | wont-fix | N/A | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2026-1502 | Medium | wont-fix | N/A | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2026-1502 | Medium | wont-fix | N/A | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2026-1502 | Medium | wont-fix | N/A | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2026-1502 | Medium | wont-fix | N/A | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| liblzma5 | 5.8.1-1 | deb | CVE-2026-34743 | Medium | wont-fix | N/A | XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3. | [] | pkg:deb/debian/liblzma5@5.8.1-1?arch=amd64&distro=debian-13&upstream=xz-utils |
| liblcms2-2 | 2.16-2 | deb | CVE-2026-41254 | High | not-fixed | N/A | Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication. | [] | pkg:deb/debian/liblcms2-2@2.16-2?arch=amd64&distro=debian-13&upstream=lcms2 |
| openjdk-21-jre-headless | 21.0.10+7-1~deb13u1 | deb | CVE-2026-22013 | Medium | fixed | | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N). | [] | pkg:deb/debian/openjdk-21-jre-headless@21.0.10%2B7-1~deb13u1?arch=amd64&distro=debian-13&upstream=openjdk-21 |
| libavahi-client3 | 0.8-16 | deb | CVE-2025-59529 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When a client cannot be accepted because avahi-daemon has reached its maximum socket number, it unconditionally logs an error for each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors for each request. Overloading prevents glibc calls using nss-mdns plugins from resolving `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected; they use the DBus interface. It is possible to change permissions of the unix socket after avahi-daemon is started, but avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools from accessing the socket and keep resolution working for trusted users. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2025-59529 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When a client cannot be accepted because avahi-daemon has reached its maximum socket number, it unconditionally logs an error for each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors for each request. Overloading prevents glibc calls using nss-mdns plugins from resolving `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected; they use the DBus interface. It is possible to change permissions of the unix socket after avahi-daemon is started, but avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools from accessing the socket and keep resolution working for trusted users. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2025-59529 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When a client cannot be accepted because avahi-daemon has reached its maximum socket number, it unconditionally logs an error for each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors for each request. Overloading prevents glibc calls using nss-mdns plugins from resolving `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected; they use the DBus interface. It is possible to change permissions of the unix socket after avahi-daemon is started, but avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools from accessing the socket and keep resolution working for trusted users. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libexpat1 | 2.7.1-2 | deb | CVE-2026-41080 | High | wont-fix | N/A | libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| libavahi-client3 | 0.8-16 | deb | CVE-2026-24401 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2026-24401 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2026-24401 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libnss3 | 2:3.110-1+deb13u1 | deb | CVE-2026-6767 | Medium | not-fixed | N/A | Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. | [] | pkg:deb/debian/libnss3@2%3A3.110-1%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=nss |
| libglib2.0-0t64 | 2.84.4-3~deb13u2 | deb | CVE-2026-0988 | Low | wont-fix | N/A | A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS). | [] | pkg:deb/debian/libglib2.0-0t64@2.84.4-3~deb13u2?arch=amd64&distro=debian-13&upstream=glib2.0 |
| openjdk-21-jre-headless | 21.0.10+7-1~deb13u1 | deb | CVE-2026-22021 | Medium | fixed | | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). | [] | pkg:deb/debian/openjdk-21-jre-headless@21.0.10%2B7-1~deb13u1?arch=amd64&distro=debian-13&upstream=openjdk-21 |
| libpython3.13 | 3.13.5-2 | deb | CVE-2025-15282 | Medium | wont-fix | N/A | User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13 | 3.13.5-2 | deb | CVE-2026-1299 | Medium | wont-fix | N/A | The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator". | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2025-15282 | Medium | wont-fix | N/A | User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2026-1299 | Medium | wont-fix | N/A | The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator". | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2025-15282 | Medium | wont-fix | N/A | User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2026-1299 | Medium | wont-fix | N/A | The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator". | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2025-15282 | Medium | wont-fix | N/A | User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13 | 3.13.5-2 | deb | CVE-2026-1299 | Medium | wont-fix | N/A | The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator". | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2025-15282 | Medium | wont-fix | N/A | User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2026-1299 | Medium | wont-fix | N/A | The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator". | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13 | 3.13.5-2 | deb | CVE-2026-3644 | Medium | wont-fix | N/A | The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output(). | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2026-3644 | Medium | wont-fix | N/A | The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output(). | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2026-3644 | Medium | wont-fix | N/A | The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output(). | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2026-3644 | Medium | wont-fix | N/A | The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output(). | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2026-3644 | Medium | wont-fix | N/A | The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output(). | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libsystemd0 | 257.9-1~deb13u1 | deb | CVE-2026-40225 | Medium | wont-fix | N/A | In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output. | [] | pkg:deb/debian/libsystemd0@257.9-1~deb13u1?arch=amd64&distro=debian-13&upstream=systemd |
| libudev1 | 257.9-1~deb13u1 | deb | CVE-2026-40225 | Medium | wont-fix | N/A | In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output. | [] | pkg:deb/debian/libudev1@257.9-1~deb13u1?arch=amd64&distro=debian-13&upstream=systemd |
| libxslt1.1 | 1.1.35-1.2+deb13u2 | deb | CVE-2025-11731 | Low | wont-fix | N/A | A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT <func:result> elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service. | [] | pkg:deb/debian/libxslt1.1@1.1.35-1.2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=libxslt |
| libcurl3t64-gnutls | 8.14.1-2+deb13u2 | deb | CVE-2025-14819 | Medium | wont-fix | N/A | When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u2 | deb | CVE-2025-14819 | Medium | wont-fix | N/A | When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl |
| libcurl3t64-gnutls | 8.14.1-2+deb13u2 | deb | CVE-2026-3805 | High | wont-fix | N/A | When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u2 | deb | CVE-2026-3805 | High | wont-fix | N/A | When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl |
| libpython3.13 | 3.13.5-2 | deb | CVE-2026-4224 | Medium | wont-fix | N/A | When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2026-4224 | Medium | wont-fix | N/A | When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2026-4224 | Medium | wont-fix | N/A | When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2026-4224 | Medium | wont-fix | N/A | When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2026-4224 | Medium | wont-fix | N/A | When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13 | 3.13.5-2 | deb | CVE-2025-13837 | Medium | wont-fix | N/A | When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2025-13837 | Medium | wont-fix | N/A | When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2025-13837 | Medium | wont-fix | N/A | When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2025-13837 | Medium | wont-fix | N/A | When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2025-13837 | Medium | wont-fix | N/A | When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libnghttp2-14 | 1.64.0-1.1 | deb | CVE-2026-27135 | High | not-fixed | N/A | nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available. | [] | pkg:deb/debian/libnghttp2-14@1.64.0-1.1?arch=amd64&distro=debian-13&upstream=nghttp2 |
| libmupdf25.1 | 1.25.1+ds1-6+deb13u1 | deb | CVE-2026-25556 | High | wont-fix | N/A | MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes. | [] | pkg:deb/debian/libmupdf25.1@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| python3-mupdf | 1.25.1+ds1-6+deb13u1 | deb | CVE-2026-25556 | High | wont-fix | N/A | MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes. | [] | pkg:deb/debian/python3-mupdf@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| libc-bin | 2.41-12+deb13u2 | deb | CVE-2026-4438 | Medium | wont-fix | N/A | Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification. | [] | pkg:deb/debian/libc-bin@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc |
| libc6 | 2.41-12+deb13u2 | deb | CVE-2026-4438 | Medium | wont-fix | N/A | Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification. | [] | pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc |
| libpython3.13 | 3.13.5-2 | deb | CVE-2025-6075 | Medium | wont-fix | N/A | If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2025-6075 | Medium | wont-fix | N/A | If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2025-6075 | Medium | wont-fix | N/A | If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2025-6075 | Medium | wont-fix | N/A | If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2025-6075 | Medium | wont-fix | N/A | If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| openjdk-21-jre-headless | 21.0.10+7-1~deb13u1 | deb | CVE-2026-22018 | Low | fixed | | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). | [] | pkg:deb/debian/openjdk-21-jre-headless@21.0.10%2B7-1~deb13u1?arch=amd64&distro=debian-13&upstream=openjdk-21 |
| python3-fitz | 1.25.4+ds1-3 | deb | CVE-2026-3029 | High | wont-fix | N/A | A path traversal and arbitrary file write vulnerability exists in the embedded get function in '_main_.py' in PyMuPDF version 1.26.5. | [] | pkg:deb/debian/python3-fitz@1.25.4%2Bds1-3?arch=all&distro=debian-13&upstream=pymupdf |
| python3-pymupdf | 1.25.4+ds1-3 | deb | CVE-2026-3029 | High | wont-fix | N/A | A path traversal and arbitrary file write vulnerability exists in the embedded get function in '_main_.py' in PyMuPDF version 1.26.5. | [] | pkg:deb/debian/python3-pymupdf@1.25.4%2Bds1-3?arch=amd64&distro=debian-13&upstream=pymupdf |
| tar | 1.35+dfsg-3.1 | deb | CVE-2026-5704 | Medium | wont-fix | N/A | A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection. | [] | pkg:deb/debian/tar@1.35%2Bdfsg-3.1?arch=amd64&distro=debian-13 |
| libpoppler147 | 25.03.0-5+deb13u2 | deb | CVE-2025-52885 | Medium | wont-fix | N/A | Poppler is a library for rendering PDF files, and examining or modifying their structure. A use-after-free (write) vulnerability has been detected in versions of Poppler prior to 25.10.0 within the StructTreeRoot class. The issue arises from the use of raw pointers to elements of a `std::vector`, which can lead to dangling pointers when the vector is resized. The vulnerability stems from the way that refToParentMap stores references to `std::vector` elements using raw pointers. These pointers may become invalid when the vector is resized. This vulnerability is a common security problem involving the use of raw pointers to `std::vector` elements. Internally, `std::vector` stores its elements in a dynamically allocated array. When the array reaches its capacity and a new element is added, the vector reallocates a larger block of memory and moves all the existing elements to the new location. At this point, any pointers to elements that were stored before the resize become dangling pointers once the reallocation happens. Version 25.10.0 contains a patch for the issue. | [] | pkg:deb/debian/libpoppler147@25.03.0-5%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=poppler |
| libpython3.13 | 3.13.5-2 | deb | CVE-2026-3446 | Medium | wont-fix | N/A | When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2026-3446 | Medium | wont-fix | N/A | When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2026-3446 | Medium | wont-fix | N/A | When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2026-3446 | Medium | wont-fix | N/A | When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2026-3446 | Medium | wont-fix | N/A | When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libcurl3t64-gnutls | 8.14.1-2+deb13u2 | deb | CVE-2025-14524 | Medium | wont-fix | N/A | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u2 | deb | CVE-2025-14524 | Medium | wont-fix | N/A | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl |
| libcurl3t64-gnutls | 8.14.1-2+deb13u2 | deb | CVE-2026-3784 | Medium | wont-fix | N/A | curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u2 | deb | CVE-2026-3784 | Medium | wont-fix | N/A | curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl |
| libopenjp2-7 | 2.5.3-2.1~deb13u1 | deb | CVE-2023-39327 | Medium | wont-fix | N/A | A flaw was found in OpenJPEG. Maliciously constructed pictures can cause the program to enter a large loop and continuously print warning messages on the terminal. | [] | pkg:deb/debian/libopenjp2-7@2.5.3-2.1~deb13u1?arch=amd64&distro=debian-13&upstream=openjpeg2 |
| libcurl3t64-gnutls | 8.14.1-2+deb13u2 | deb | CVE-2026-3783 | Medium | wont-fix | N/A | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u2 | deb | CVE-2026-3783 | Medium | wont-fix | N/A | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl |
| libsystemd0 | 257.9-1~deb13u1 | deb | CVE-2026-29111 | Medium | wont-fix | N/A | systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available. | [] | pkg:deb/debian/libsystemd0@257.9-1~deb13u1?arch=amd64&distro=debian-13&upstream=systemd |
| libudev1 | 257.9-1~deb13u1 | deb | CVE-2026-29111 | Medium | wont-fix | N/A | systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available. | [] | pkg:deb/debian/libudev1@257.9-1~deb13u1?arch=amd64&distro=debian-13&upstream=systemd |
| libavahi-client3 | 0.8-16 | deb | CVE-2026-34933 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2026-34933 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2026-34933 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libpython3.13 | 3.13.5-2 | deb | CVE-2026-6019 | Low | wont-fix | N/A | http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2026-6019 | Low | wont-fix | N/A | http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2026-6019 | Low | wont-fix | N/A | http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2026-6019 | Low | wont-fix | N/A | http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2026-6019 | Low | wont-fix | N/A | http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libavahi-client3 | 0.8-16 | deb | CVE-2025-68471 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2025-68471 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2025-68471 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libpython3.13 | 3.13.5-2 | deb | CVE-2026-2297 | Medium | wont-fix | N/A | The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2026-2297 | Medium | wont-fix | N/A | The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2026-2297 | Medium | wont-fix | N/A | The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2026-2297 | Medium | wont-fix | N/A | The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2026-2297 | Medium | wont-fix | N/A | The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libxslt1.1 | 1.1.35-1.2+deb13u2 | deb | CVE-2025-10911 | Medium | wont-fix | N/A | A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash. | [] | pkg:deb/debian/libxslt1.1@1.1.35-1.2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=libxslt |
| libglib2.0-0t64 | 2.84.4-3~deb13u2 | deb | CVE-2026-1489 | Medium | wont-fix | N/A | A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable. | [] | pkg:deb/debian/libglib2.0-0t64@2.84.4-3~deb13u2?arch=amd64&distro=debian-13&upstream=glib2.0 |
| libpython3.13 | 3.13.5-2 | deb | CVE-2025-12781 | Medium | wont-fix | N/A | When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2025-12781 | Medium | wont-fix | N/A | When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2025-12781 | Medium | wont-fix | N/A | When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2025-12781 | Medium | wont-fix | N/A | When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2025-12781 | Medium | wont-fix | N/A | When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libxml2 | 2.12.7+dfsg+really2.9.14-2.1+deb13u2 | deb | CVE-2026-6732 | Medium | not-fixed | N/A | A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable. | [] | pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=amd64&distro=debian-13 |
| libglib2.0-0t64 | 2.84.4-3~deb13u2 | deb | CVE-2026-1484 | Medium | wont-fix | N/A | A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably. | [] | pkg:deb/debian/libglib2.0-0t64@2.84.4-3~deb13u2?arch=amd64&distro=debian-13&upstream=glib2.0 |
| libpng16-16t64 | 1.6.48-1+deb13u4 | deb | CVE-2026-34757 | Medium | not-fixed | N/A | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57. | [] | pkg:deb/debian/libpng16-16t64@1.6.48-1%2Bdeb13u4?arch=amd64&distro=debian-13&upstream=libpng1.6 |
| libavahi-client3 | 0.8-16 | deb | CVE-2025-68468 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2025-68468 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2025-68468 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libcairo2 | 1.18.4-1+b1 | deb | CVE-2025-50422 | Low | wont-fix | N/A | Cairo through 1.18.4, as used in Poppler through 25.08.0, has an "unscaled->face == NULL" assertion failure for _cairo_ft_unscaled_font_fini in cairo-ft-font.c. | [] | pkg:deb/debian/libcairo2@1.18.4-1%2Bb1?arch=amd64&distro=debian-13&upstream=cairo%401.18.4-1 |
| bsdutils | 1:2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/bsdutils@1%3A2.41-5?arch=amd64&distro=debian-13&upstream=util-linux%402.41-5 |
| libblkid1 | 2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/libblkid1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| liblastlog2-2 | 2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/liblastlog2-2@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| libmount1 | 2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/libmount1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| libsmartcols1 | 2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/libsmartcols1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| libuuid1 | 2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/libuuid1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| login | 1:4.16.0-2+really2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/login@1%3A4.16.0-2%2Breally2.41-5?arch=amd64&distro=debian-13&upstream=util-linux%402.41-5 |
| mount | 2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/mount@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| util-linux | 2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/util-linux@2.41-5?arch=amd64&distro=debian-13 |
| libxml2 | 2.12.7+dfsg+really2.9.14-2.1+deb13u2 | deb | CVE-2026-0989 | Low | wont-fix | N/A | A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk. | [] | pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=amd64&distro=debian-13 |
| libsystemd0 | 257.9-1~deb13u1 | deb | CVE-2026-4105 | Medium | wont-fix | N/A | A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system. | [] | pkg:deb/debian/libsystemd0@257.9-1~deb13u1?arch=amd64&distro=debian-13&upstream=systemd |
| libudev1 | 257.9-1~deb13u1 | deb | CVE-2026-4105 | Medium | wont-fix | N/A | A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system. | [] | pkg:deb/debian/libudev1@257.9-1~deb13u1?arch=amd64&distro=debian-13&upstream=systemd |
| libgcrypt20 | 1.11.0-7 | deb | CVE-2026-41989 | Medium | not-fixed | N/A | Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt. | [] | pkg:deb/debian/libgcrypt20@1.11.0-7?arch=amd64&distro=debian-13 |
| libopenjp2-7 | 2.5.3-2.1~deb13u1 | deb | CVE-2023-39328 | Medium | wont-fix | N/A | A vulnerability was found in OpenJPEG similar to CVE-2019-6988. This flaw allows an attacker to bypass existing protections and cause an application crash through a maliciously crafted file. | [] | pkg:deb/debian/libopenjp2-7@2.5.3-2.1~deb13u1?arch=amd64&distro=debian-13&upstream=openjpeg2 |
| libxml2 | 2.12.7+dfsg+really2.9.14-2.1+deb13u2 | deb | CVE-2026-0992 | Low | wont-fix | N/A | A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition. | [] | pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=amd64&distro=debian-13 |
| openjdk-21-jre-headless | 21.0.10+7-1~deb13u1 | deb | CVE-2026-22007 | Low | fixed |  | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). | [] | pkg:deb/debian/openjdk-21-jre-headless@21.0.10%2B7-1~deb13u1?arch=amd64&distro=debian-13&upstream=openjdk-21 |
| openjdk-21-jre-headless | 21.0.10+7-1~deb13u1 | deb | CVE-2026-34268 | Low | fixed |  | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). | [] | pkg:deb/debian/openjdk-21-jre-headless@21.0.10%2B7-1~deb13u1?arch=amd64&distro=debian-13&upstream=openjdk-21 |
| libncursesw6 | 6.5+20250216-2 | deb | CVE-2025-69720 | High | wont-fix | N/A | The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c. | [] | pkg:deb/debian/libncursesw6@6.5%2B20250216-2?arch=amd64&distro=debian-13&upstream=ncurses |
| libtinfo6 | 6.5+20250216-2 | deb | CVE-2025-69720 | High | wont-fix | N/A | The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c. | [] | pkg:deb/debian/libtinfo6@6.5%2B20250216-2?arch=amd64&distro=debian-13&upstream=ncurses |
| ncurses-base | 6.5+20250216-2 | deb | CVE-2025-69720 | High | wont-fix | N/A | The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c. | [] | pkg:deb/debian/ncurses-base@6.5%2B20250216-2?arch=all&distro=debian-13&upstream=ncurses |
| ncurses-bin | 6.5+20250216-2 | deb | CVE-2025-69720 | High | wont-fix | N/A | The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c. | [] | pkg:deb/debian/ncurses-bin@6.5%2B20250216-2?arch=amd64&distro=debian-13&upstream=ncurses |
| libcurl3t64-gnutls | 8.14.1-2+deb13u2 | deb | CVE-2025-13034 | Medium | wont-fix | N/A | When using the `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool, curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u2 | deb | CVE-2025-13034 | Medium | wont-fix | N/A | When using the `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool, curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=curl |
| dirmngr | 2.4.7-21+deb13u1+b2 | deb | CVE-2026-24882 | High | wont-fix | N/A | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | [] | pkg:deb/debian/dirmngr@2.4.7-21%2Bdeb13u1%2Bb2?arch=amd64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1 |
| gnupg | 2.4.7-21+deb13u1 | deb | CVE-2026-24882 | High | wont-fix | N/A | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | [] | pkg:deb/debian/gnupg@2.4.7-21%2Bdeb13u1?arch=all&distro=debian-13&upstream=gnupg2 |
| gnupg-l10n | 2.4.7-21+deb13u1 | deb | CVE-2026-24882 | High | wont-fix | N/A | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | [] | pkg:deb/debian/gnupg-l10n@2.4.7-21%2Bdeb13u1?arch=all&distro=debian-13&upstream=gnupg2 |
| gpg | 2.4.7-21+deb13u1+b2 | deb | CVE-2026-24882 | High | wont-fix | N/A | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | [] | pkg:deb/debian/gpg@2.4.7-21%2Bdeb13u1%2Bb2?arch=amd64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1 |
| gpg-agent | 2.4.7-21+deb13u1+b2 | deb | CVE-2026-24882 | High | wont-fix | N/A | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | [] | pkg:deb/debian/gpg-agent@2.4.7-21%2Bdeb13u1%2Bb2?arch=amd64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1 |
| gpgconf | 2.4.7-21+deb13u1+b2 | deb | CVE-2026-24882 | High | wont-fix | N/A | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | [] | pkg:deb/debian/gpgconf@2.4.7-21%2Bdeb13u1%2Bb2?arch=amd64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1 |
| gpgsm | 2.4.7-21+deb13u1+b2 | deb | CVE-2026-24882 | High | wont-fix | N/A | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | [] | pkg:deb/debian/gpgsm@2.4.7-21%2Bdeb13u1%2Bb2?arch=amd64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1 |
| libexpat1 | 2.7.1-2 | deb | CVE-2026-25210 | High | wont-fix | N/A | In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| libsystemd0 | 257.9-1~deb13u1 | deb | CVE-2026-40226 | Medium | wont-fix | N/A | In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file. | [] | pkg:deb/debian/libsystemd0@257.9-1~deb13u1?arch=amd64&distro=debian-13&upstream=systemd |
| libudev1 | 257.9-1~deb13u1 | deb | CVE-2026-40226 | Medium | wont-fix | N/A | In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file. | [] | pkg:deb/debian/libudev1@257.9-1~deb13u1?arch=amd64&distro=debian-13&upstream=systemd |
| zlib1g | 1:1.3.dfsg+really1.3.1-1+b1 | deb | CVE-2026-27171 | Medium | wont-fix | N/A | zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition. | [] | pkg:deb/debian/zlib1g@1%3A1.3.dfsg%2Breally1.3.1-1%2Bb1?arch=amd64&distro=debian-13&upstream=zlib%401%3A1.3.dfsg%2Breally1.3.1-1 |
| libopenjp2-7 | 2.5.3-2.1~deb13u1 | deb | CVE-2026-6192 | Low | not-fixed | N/A | A vulnerability was identified in uclouvain openjpeg up to 2.5.4. This impacts the function opj_pi_initialise_encode in the library src/lib/openjp2/pi.c. The manipulation leads to integer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is 839936aa33eb8899bbbd80fda02796bb65068951. It is suggested to install a patch to address this issue. | [] | pkg:deb/debian/libopenjp2-7@2.5.3-2.1~deb13u1?arch=amd64&distro=debian-13&upstream=openjpeg2 |
| libsystemd0 | 257.9-1~deb13u1 | deb | CVE-2026-40228 | Low | wont-fix | N/A | In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set. | [] | pkg:deb/debian/libsystemd0@257.9-1~deb13u1?arch=amd64&distro=debian-13&upstream=systemd |
| libudev1 | 257.9-1~deb13u1 | deb | CVE-2026-40228 | Low | wont-fix | N/A | In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set. | [] | pkg:deb/debian/libudev1@257.9-1~deb13u1?arch=amd64&distro=debian-13&upstream=systemd |
| libexpat1 | 2.7.1-2 | deb | CVE-2025-66382 | Medium | wont-fix | N/A | In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| libpython3.13 | 3.13.5-2 | deb | CVE-2025-13462 | Low | wont-fix | N/A | The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations. | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2025-13462 | Low | wont-fix | N/A | The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2025-13462 | Low | wont-fix | N/A | The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2025-13462 | Low | wont-fix | N/A | The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations. | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2025-13462 | Low | wont-fix | N/A | The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libavahi-client3 | 0.8-16 | deb | CVE-2025-68276 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local user can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2025-68276 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local user can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2025-68276 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local user can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libcap2 | 1:2.75-10+b8 | deb | CVE-2026-4878 | High | wont-fix | N/A | A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation. | [] | pkg:deb/debian/libcap2@1%3A2.75-10%2Bb8?arch=amd64&distro=debian-13&upstream=libcap2%401%3A2.75-10 |
| libpoppler147 | 25.03.0-5+deb13u2 | deb | CVE-2025-43718 | Low | wont-fix | N/A | Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata, and associated functions in PDFDoc, with deep recursion in the regex executor (std::__detail::_Executor). | [] | pkg:deb/debian/libpoppler147@25.03.0-5%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=poppler |
| libexpat1 | 2.7.1-2 | deb | CVE-2026-32776 | Medium | wont-fix | N/A | libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| libexpat1 | 2.7.1-2 | deb | CVE-2026-32778 | Medium | wont-fix | N/A | libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| libexpat1 | 2.7.1-2 | deb | CVE-2026-32777 | Medium | wont-fix | N/A | libexpat before 2.7.5 allows an infinite loop while parsing DTD content. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| libpython3.13 | 3.13.5-2 | deb | CVE-2026-4519 | Low | wont-fix | N/A | The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open(). | [] | pkg:deb/debian/libpython3.13@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2 | deb | CVE-2026-4519 | Low | wont-fix | N/A | The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open(). | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2 | deb | CVE-2026-4519 | Low | wont-fix | N/A | The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open(). | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2 | deb | CVE-2026-4519 | Low | wont-fix | N/A | The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open(). | [] | pkg:deb/debian/python3.13@3.13.5-2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2 | deb | CVE-2026-4519 | Low | wont-fix | N/A | The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open(). | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libmupdf25.1 | 1.25.1+ds1-6+deb13u1 | deb | CVE-2026-40505 | Medium | wont-fix | N/A | MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands. | [] | pkg:deb/debian/libmupdf25.1@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| python3-mupdf | 1.25.1+ds1-6+deb13u1 | deb | CVE-2026-40505 | Medium | wont-fix | N/A | MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands. | [] | pkg:deb/debian/python3-mupdf@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| libglib2.0-0t64 | 2.84.4-3~deb13u2 | deb | CVE-2026-1485 | Low | wont-fix | N/A | A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability. | [] | pkg:deb/debian/libglib2.0-0t64@2.84.4-3~deb13u2?arch=amd64&distro=debian-13&upstream=glib2.0 |
| libexpat1 | 2.7.1-2 | deb | CVE-2026-24515 | Low | wont-fix | N/A | In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| sed | 4.9-2 | deb | CVE-2026-5958 | Low | wont-fix | N/A | When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10. | [] | pkg:deb/debian/sed@4.9-2?arch=amd64&distro=debian-13 |