
Open Source Security Mailing List
Discussion of security flaws, concepts, and practices in the Open Source community
List Archives

| Year | Jan–Mar | Apr–Jun | Jul–Sep | Oct–Dec |
|------|---------|---------|---------|---------|
| 2026 | 431 | 961 | – | – |
| 2025 | 262 | 289 | 251 | 361 |
| 2024 | 358 | 314 | 293 | 183 |
| 2023 | 220 | 284 | 269 | 356 |
| 2022 | 212 | 220 | 239 | 273 |
| 2021 | 281 | 236 | 193 | 182 |
| 2020 | 131 | 219 | 211 | 241 |
| 2019 | 199 | 237 | 257 | 176 |
| 2018 | 287 | 256 | 284 | 279 |
| 2017 | 701 | 658 | 596 | 437 |
| 2016 | 738 | 637 | 689 | 788 |
| 2015 | 1068 | 839 | 658 | 618 |
| 2014 | 714 | 711 | 886 | 1185 |
| 2013 | 777 | 648 | 688 | 583 |
| 2012 | 815 | 578 | 591 | 549 |
| 2011 | 640 | 738 | 550 | 591 |
| 2010 | 291 | 376 | 465 | 383 |
| 2009 | 250 | 264 | 272 | 304 |
| 2008 | 206 | 390 | 402 | 358 |
Latest Posts
Re: Proposal: Add separate oss-security-vulnerability-reports mailing list (for AI vulnpocalypse)
David A. Wheeler (Jun 17)
That sounds good to me. "Have to" will be in the eye of the beholder.
It appears we have about ~400-500 messages/month. I hope people will be
willing to create a new list if we reach 5x or 10x as many per month.
Frankly, I'd love to see the split anyway. Those who want to see both could
subscribe to both.
--- David A. Wheeler
CVE-2026-49268: Apache Shiro: LDAP DN Injection in DefaultLdapRealm
Lenny Primak (Jun 17)
Severity:
Affected versions:
- Apache Shiro (org.apache.shiro:shiro-core) through 2.2.0
- Apache Shiro (org.apache.shiro:shiro-core) 3.0.0-alpha-0 through 3.0.0-alpha-1
Description:
A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm
class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253
special characters....
CVE-2026-41280: Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects
Wenjun Ruan (Jun 16)
Severity: moderate
Affected versions:
- Apache DolphinScheduler (org.apache.dolphinscheduler:dolphinscheduler-api) before 3.4.2
Description:
Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in
unauthorized projects
This issue affects Apache DolphinScheduler versions prior to 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes this issue.
Credit:
Yicheng Yu(...
CVE-2026-49050: Apache DolphinScheduler: General user can mint admin access tokens via /access-tokens
Wenjun Ruan (Jun 16)
Severity: moderate
Affected versions:
- Apache DolphinScheduler (org.apache.dolphinscheduler:dolphinscheduler-api) before 3.4.2
Description:
General user can mint admin access tokens via /access-tokens
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Credit:
George Chen(https://github.com/geo-chen) (finder)
References:
https://dolphinscheduler.apache.org...
CVE-2026-47340: Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated users to access alert instances associated with alert groups they do not have permission to access.
Wenjun Ruan (Jun 16)
Severity: moderate
Affected versions:
- Apache DolphinScheduler (org.apache.dolphinscheduler:dolphinscheduler-api) before 3.4.2
Description:
Allow authenticated users to access alert instances associated with alert groups they do not have permission to access
in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Credit:
thesecguy45...
CVE-2026-42357: Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.
Wenjun Ruan (Jun 16)
Severity: moderate
Affected versions:
- Apache DolphinScheduler (org.apache.dolphinscheduler:dolphinscheduler-api) before 3.4.1
Description:
Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they
do not have permission to access.
This issue affects Apache DolphinScheduler versions prior to 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes this issue....
CVE-2026-32967: Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks
Wenjun Ruan (Jun 16)
Severity: moderate
Affected versions:
- Apache DolphinScheduler (org.apache.dolphinscheduler:dolphinscheduler-api) before 3.4.2
Description:
Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Credit:
b0b0haha (603571786 () qq com) (finder)
j311yl0v3u (2439839508...
CVE-2026-32966: Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure
Wenjun Ruan (Jun 16)
Severity: moderate
Affected versions:
- Apache DolphinScheduler (org.apache.dolphinscheduler:dolphinscheduler-api) before 3.4.2
Description:
DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache
DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Credit:
b0b0haha (603571786 () qq com)...
[CVE-2026-36849] libtiff: Denial of Service via large SamplesPerPixel tag
Ryo utomo (Jun 16)
Hi,
I would like to disclose CVE-2026-36849, a denial of service vulnerability
in libtiff.
== Summary ==
An issue in libtiff v4.7.1 allows an attacker to cause a denial of service
via a crafted TIFF file containing a large SamplesPerPixel tag value.
== Affected Versions ==
libtiff v4.7.1 and prior
== Patch ==
https://gitlab.com/gitlab-org/build/omnibus-mirror/libtiff/-/commit/eedba405d3695b52faae65994c5904f228eca0bf
== References ==
-...
[vim-security] Vimscript Code Injection in netrw NetrwLocalRmFile() via crafted filename affects Vim < 9.2.0663
Christian Brabandt (Jun 16)
Vimscript Code Injection in netrw NetrwLocalRmFile() via crafted filename affects Vim < 9.2.0663
================================================================================================
Date: 16.06.2026
Severity: Medium
CVE: *requested, not yet assigned*
CWE: Improper Control of Generation of Code (CWE-94) /
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
## Summary
A...
[vim-security] Out-of-bounds Write in Spell File Prefix Dump in Vim < 9.2.0662
Christian Brabandt (Jun 16)
Out-of-bounds Write in Spell File Prefix Dump in Vim < 9.2.0662
===============================================================
Date: 16.06.2026
Severity: Medium
CVE: *requested, not yet assigned*
CWE: Out-of-bounds Write (CWE-787)
## Summary
The `dump_prefixes()` function in `src/spell.c` walks a spell-file prefix trie
iteratively with a depth counter while dumping the prefixes that apply to a
word. The counter is bounded only by the trie...
[OSSN-0100] Ironic: Command Injection in IPA (CVE-2026-43003)
Jay Faulkner (Jun 16)
Command Injection in IPA via chroot Execution of Tenant-Controlled binaries
---
### Summary ###
Tuomo Tanskanen (Ericsson Software Technology) and Dmitry Tantsur (Red Hat)
from the Metal3.io Security Team reported a vulnerability in Ironic Python
Agent (IPA) when deploying a partition image that lacks boot artifacts.
A malicious partition image can include crafted grub-install
binary or other arbitrary binaries in the chroot path which IPA...
[OSSA-2026-023] Ironic: Sensitive properties returned unredacted in POST and PATCH HTTP responses (CVE-2026-54421)
Jay Faulkner (Jun 16)
========================================================================================
OSSA-2026-023: Sensitive properties returned unredacted in POST and
PATCH HTTP responses
========================================================================================
:Date: June 16, 2026
:CVE: CVE-2026-54421
Affects
~~~~~~~
- Ironic: >=17.0.0 <29.0.6, >=30.0.0 <32.0.2, >=33.0.0 <35.0.2, >=36.0.0
<37.0.1
Description...
OpenBSD sppp_pap_input: PAP authentication bypass
shj (Jun 16)
------------------------------------------------------------------------
OpenBSD sppp_pap_input: PAP Authentication Bypass via Zero-Length bcmp
------------------------------------------------------------------------
Affected: OpenBSD all versions through 7.6 (fixed in -current)
Vendor: OpenBSD
Severity: High
Reporter: Argus
Date: 2026-06-16
1. SUMMARY
==========
The sppp_pap_input() function in sys/net/if_spppsubr.c uses...
[oss-security][CVE-2026-12003] CPython In-tree (development) search paths can be enabled without modifying install directory
Alan Coopersmith (Jun 16)
-------- Forwarded Message --------
Subject: [Security-announce][CVE-2026-12003] In-tree (development) search paths
can be enabled without modifying install directory
Date: Tue, 16 Jun 2026 16:01:03 +0100
From: Steve Dower <steve.dower () python org>
Reply-To: security-sig () python org
To: security-announce () python org
There is a MODERATE (CVSSv4 5.3) severity vulnerability affecting CPython up to
(and including) 3.11.15, 3.12.13,...
