Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

Latest Posts

CVE-2026-45192: Apache Airflow: Incomplete Redaction of Sensitive Fields in Connection Extra API Response Rahul Vats (May 31)
Severity: low

Affected versions:

- Apache Airflow (apache-airflow) before 3.2.2

Description:

A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated
UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field
names not present in the redaction allowlist (`DEFAULT_SENSITIVE_FIELDS`) — for example, official...

CVE-2026-35563: Apache Directory LDAP API: LDAP client implementation does not verify if the server certificate matches the intended LDAP hostname Emmanuel Lécharny (May 31)
Severity: important

Affected versions:

- Apache Directory LDAP API (org.apache.directory.api:api-ldap-client-api) 2.0.0 through 2.1.7

Description:

It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certificate
matches the intended LDAP hostname. While the underlying code validates the certificate chain against a trusted
authority, the absence of endpoint identification allows a valid...

CVE-2026-8796: Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input Paul Johnson (May 31)
========================================================================
CVE-2026-8796 CPAN Security Group
========================================================================

CVE ID: CVE-2026-8796
Distribution: Sereal-Decoder
Versions: before 5.005

MetaCPAN: https://metacpan.org/dist/Sereal-Decoder
VCS Repo: https://github.com/Sereal/Sereal

Sereal::Decoder versions...

Re: CVE request experience Fabian Keil (May 31)
Fabian Keil <freebsd-listen () fabiankeil de> wrote on 2026-05-18 at 10:02:48:

The patches have been pushed to git today ([1], [2]).

The official Privoxy 4.2.0 release will probably happen tomorrow.

Quoting relevant parts of the preliminary announcement at [3] which
I'll have to modify before the release as the reporter responded today:

| Privoxy 4.2.0 fixes a couple of bugs including two reported security
| issues and brings a...

CVE-2026-49270: Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Durable Subscription Disclosure via Crafted BrokerInfo (OpenWire) Christopher L. Shannon (May 31)
Severity: moderate

Affected versions:

- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 5.14.0 before 5.19.7
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.6
- Apache ActiveMQ (org.apache.activemq:activemq-all) 5.14.0 before 5.19.7
- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
- Apache ActiveMQ All (org.apache.activemq:apache-activemq) 5.14.0 before 5.19.7
- Apache...

CVE-2026-49157: Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default Christopher L. Shannon (May 31)
Severity: important

Affected versions:

- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6

Description:

Incorrect Default Permissions vulnerability in Apache ActiveMQ.

This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.

The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access...

CVE-2026-46605: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incomplete authorization during destination removal Christopher L. Shannon (May 31)
Severity: moderate

Affected versions:

- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.7
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.6
- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.7
- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
- Apache ActiveMQ...

CVE-2026-45505: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Jolokia `addNetworkConnector` Discovery Wrapper Bypass Christopher L. Shannon (May 31)
Severity: important

Affected versions:

- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.7
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.6
- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.7
- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
- Apache ActiveMQ...

CVE-2026-42588: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Remote Code Execution via Jolokia addNetworkConnector Christopher L. Shannon (May 31)
Severity: important

Affected versions:

- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.7
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.6
- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.7
- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.6
- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
- Apache ActiveMQ...

CVE-2026-42253: Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties Christopher L. Shannon (May 31)
Severity: important

Affected versions:

- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
- Apache ActiveMQ Web (org.apache.activemq:activemq-web) before 5.19.7
- Apache ActiveMQ Web (org.apache.activemq:activemq-web) 6.0.0 before 6.2.6

Description:

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')...

CVE-2026-49298: Apache Airflow: JWT Token Exposure in KubernetesExecutor Command-Line Arguments Rahul Vats (May 31)
Severity: Moderate

Affected versions:

- Apache Airflow (apache-airflow) before 3.2.2

Description:

A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the
Execution API to be passed to the worker container as command-line arguments visible in the pod spec. An authenticated
UI/API user with Kubernetes read-only access to the cluster (e.g. `pods/get` in the Airflow namespace) could...

CVE-2026-48726: Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path Rahul Vats (May 31)
Severity: Moderate

Affected versions:

- Apache Airflow (apache-airflow) before 3.2.2

Description:

A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked
logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying
`revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An...

CVE-2026-46764: Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter Rahul Vats (May 31)
Severity: low

Affected versions:

- Apache Airflow (apache-airflow) before 3.2.2

Description:

The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly
by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs`
applied per-Dag scoping. An authenticated UI/API user with audit-log read permission for one Dag could retrieve...
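
The pattern in this advisory, a collection endpoint that scopes rows per Dag beside a detail endpoint that fetches by numeric ID after only the generic permission check, as an added example that models it in Python. This is not Airflow's code: the `EventLog` rows, the `User` shape and the endpoint functions are hypothetical stand-ins, and the sample rows are constructed.

```python
"""Hypothetical model of a list/detail authorization mismatch (not Airflow's code).

The collection endpoint filters per Dag; the detail endpoint, as described in
the advisory, fetches by ID after only the generic audit-log check. The fix is
to run the same scoping predicate in both places.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class EventLog:
    id: int
    dag_id: str
    event: str


# Constructed sample audit-log rows (not real data).
EVENT_LOGS = [
    EventLog(1, "sales_etl", "trigger"),
    EventLog(2, "hr_sync", "delete"),
    EventLog(3, "sales_etl", "pause"),
]


@dataclass(frozen=True)
class User:
    has_audit_log_read: bool          # the generic "Audit Log" permission
    readable_dag_ids: frozenset       # Dags the user may read audit logs for


def visible_to(user: User, row: EventLog) -> bool:
    """The single Dag-scoping predicate both endpoints should share."""
    return row.dag_id in user.readable_dag_ids


def list_event_logs(user: User) -> list[EventLog]:
    """Collection endpoint: generic check, then per-Dag scoping."""
    if not user.has_audit_log_read:
        raise PermissionError("audit log read required")
    return [row for row in EVENT_LOGS if visible_to(user, row)]


def get_event_log_unscoped(user: User, event_log_id: int) -> EventLog | None:
    """Detail endpoint as described in the advisory: only the generic check,
    then a direct fetch by ID, so a row belonging to any Dag comes back."""
    if not user.has_audit_log_read:
        raise PermissionError("audit log read required")
    return next((row for row in EVENT_LOGS if row.id == event_log_id), None)


def get_event_log_scoped(user: User, event_log_id: int) -> EventLog | None:
    """Hardened detail endpoint: apply the collection endpoint's predicate.
    A row outside the user's Dag scope is answered exactly like a nonexistent
    ID, so the endpoint does not confirm that the ID exists."""
    if not user.has_audit_log_read:
        raise PermissionError("audit log read required")
    row = next((row for row in EVENT_LOGS if row.id == event_log_id), None)
    if row is None or not visible_to(user, row):
        return None
    return row


def enumerate_leaks(user: User) -> list[int]:
    """IDs the unscoped detail endpoint returns although the collection
    endpoint would never list them for this user."""
    listed = {row.id for row in list_event_logs(user)}
    return [
        row.id
        for row in EVENT_LOGS
        if row.id not in listed and get_event_log_unscoped(user, row.id) is not None
    ]


if __name__ == "__main__":
    sales_reader = User(has_audit_log_read=True, readable_dag_ids=frozenset({"sales_etl"}))
    print("listed:", [r.id for r in list_event_logs(sales_reader)])
    print("leaked by unscoped detail endpoint:", enumerate_leaks(sales_reader))
    print("scoped detail endpoint for id 2:", get_event_log_scoped(sales_reader, 2))
```

The point to carry into code review: whenever a collection endpoint applies a row-level filter, grep for every other path that loads the same table by primary key and confirm it calls the same predicate; the detail endpoint is where such filters are most often forgotten.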

CVE-2026-45426: Apache Airflow: Log server JWT authorization bypass via Python lstrip() character stripping allows cross-Dag log access Rahul Vats (May 31)
Severity: low

Affected versions:

- Apache Airflow (apache-airflow) 3.0.0 before 3.2.2

Description:

Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued
for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's
`str.lstrip()` to the requested path segment when verifying the JWT's `sub` claim. `str.lstrip()`...
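
The `str.lstrip()` pitfall this advisory names, as an added example that is not Airflow's code: `lstrip(chars)` removes a leading run of any characters in the given set, not the prefix string, so a check that "strips the allowed Dag ID and expects a `/` to remain" accepts path segments that are merely permutations or subsets of the allowed ID's characters. The `sub` value, path layout and both check functions below are hypothetical; the sample paths are constructed.

```python
"""str.lstrip(chars) is a character-set strip, not a prefix strip.

Hypothetical model of a Dag-scoped log-path check (not Airflow's code): the
JWT `sub` claim names the one Dag a worker may read, and the requested path is
"<dag_id>/<run>/<task>.log".
"""


def authorized_lstrip(sub: str, requested_path: str) -> bool:
    """Vulnerable: intends to remove the `sub` prefix and then require a
    path separator, but lstrip treats `sub` as a set of characters."""
    rest = requested_path.lstrip(sub)
    return rest.startswith("/")


def authorized_fixed(sub: str, requested_path: str) -> bool:
    """Hardened: compare the first path segment for exact equality.
    (str.removeprefix(sub), Python 3.9+, followed by the same startswith("/")
    check would also be correct; partition makes the intent explicit.)"""
    first, sep, _rest = requested_path.partition("/")
    return sep == "/" and first == sub


# Constructed sample requests for a worker holding a token with sub == "ab".
SUB = "ab"
REQUESTED_PATHS = [
    "ab/run_1/task.log",    # the Dag the token was issued for
    "ba/run_1/task.log",    # different Dag: same characters, other order
    "abab/run_1/task.log",  # different Dag: repeated characters
    "b/run_1/task.log",     # different Dag: subset of the characters
    "abc/run_1/task.log",   # different Dag: a character outside the set
]


def find_bypasses(sub: str, paths: list) -> list:
    """Paths the lstrip-based check accepts but the exact-match check rejects,
    i.e. cross-Dag log access the token should not grant."""
    return [p for p in paths if authorized_lstrip(sub, p) and not authorized_fixed(sub, p)]


if __name__ == "__main__":
    for path in REQUESTED_PATHS:
        print(f"{path:24} lstrip={authorized_lstrip(SUB, path)!s:5} "
              f"fixed={authorized_fixed(SUB, path)}")
    print("bypasses:", find_bypasses(SUB, REQUESTED_PATHS))
```

The same trap applies to `rstrip()` and `strip()`; a quick grep for `lstrip(` / `rstrip(` with a multi-character argument is a cheap audit across any Python code base that builds authorization decisions from path or name prefixes.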

CVE-2026-45360: Apache Airflow: Arbitrary import in custom deadline-reference deserialization Rahul Vats (May 31)
Severity: high

Affected versions:

- Apache Airflow (apache-airflow) before 3.2.2

Description:

Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported
and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or
plugin-registry gate. A DAG author whose code reaches the scheduler — the default on single-host deployments...