Report Name: Linux Patch Wednesday March 2026
Generated: 2026-03-30 16:18:58

Product Name	Prevalence	U	C	H	M	L	A	Comment
Angular	0.95			1	1		2	Angular is a development platform for building mobile and desktop web applications using TypeScript, JavaScript, and other languages. It provides a component-based architecture, declarative templates, dependency injection, powerful tooling, and extensive ecosystem support for creating scalable, high-performance web apps.
Django	0.9				1	1	2	Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in tools for database models, authentication, URL routing, templates, and security features, making it one of the most widely used frameworks for building scalable and maintainable web applications.
GNU Inetutils	0.9			2		1	3	GNU Inetutils is a collection of common network utilities for GNU/Linux systems.
Linux Kernel	0.9			1	68	24	93	The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
Rust	0.9			2	2		4	Rust is a modern, high-performance systems programming language focused on safety, concurrency, and memory management.
.NET Core	0.8			1			1	.NET Core
Binutils	0.8		1	3	1		5	The GNU Binary Utilities, or binutils, are a set of programming tools for creating and managing binary programs, object files, libraries, profile data, and assembly source code
Chromium	0.8		2	10	35		47	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
GNU C Library	0.8			1	1		2	The GNU C Library, commonly known as glibc, is the GNU Project's implementation of the C standard library
Keycloak	0.8			5	4	2	11	Keycloak is an open‑source identity and access management (IAM) solution that provides single sign‑on (SSO), user federation, identity brokering, and access control for applications and services.
Mozilla Firefox	0.8			9	41	1	51	Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation
OpenSSH	0.8				2		2	OpenSSH is a suite of secure networking utilities based on the Secure Shell protocol, which provides a secure channel over an unsecured network in a client–server architecture
OpenSSL	0.8			1	2		3	A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end
PHP	0.8			1			1	PHP is a general-purpose scripting language geared towards web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995.
Zabbix	0.8					1	1	Zabbix is an open-source software tool to monitor IT infrastructure such as networks, servers, virtual machines, and cloud services
.NET	0.7				1		1	.NET
Calibre	0.7		2	3			5	Calibre is a cross-platform free and open-source suite of e-book software
Envoy	0.7				1		1	Envoy is a cloud-native, open-source edge and service proxy
Kubernetes	0.7			4	1	1	6	Kubernetes is an open-source container orchestration system for automating software deployment, scaling, and management
QEMU	0.7			1			1	QEMU is a generic and open source machine & userspace emulator and virtualizer
SQLite	0.7				1		1	SQLite is a database engine written in the C programming language
cpp-httplib	0.7			5			5	cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library
Apache ActiveMQ	0.6				1		1	Apache ActiveMQ is an open source message broker written in Java together with a full Java Message Service (JMS) client
Canonical LXD	0.6				1		1	Canonical LXD is a system container and VM manager for Linux. LXD-UI is the web UI component of LXD that provides a browser-based interface for creating, managing and starting containers and instances.
Exim	0.6				1		1	Exim is a mail transfer agent (MTA) used on Unix-like operating systems
FreeRDP	0.6			22	1		23	FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license
ImageMagick	0.6				46	6	52	ImageMagick, invoked from the command line as magick, is a free and open-source cross-platform software suite for displaying, creating, converting, modifying, and editing raster images
Jetty	0.6				2		2	Jetty is a Java based web server and servlet engine
Libsoup	0.6		2	3	1		6	libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop to integrate well with GNOME applications and also has a synchronous API for use in CLI tools.
MongoDB	0.6				2		2	MongoDB is a source-available, cross-platform, document-oriented database program
Python	0.6			1			1	Python is a high-level, general-purpose programming language
Redis	0.6					1	1	Redis is an open-source in-memory storage, used as a distributed, in-memory key–value database, cache and message broker, with optional durability
Snapd	0.6			1			1	snapd is the background service that manages Snap packages on Linux, providing installation, updates, confinement, and runtime environment for snaps.
TuneD	0.6				1		1	Tuned is a daemon that uses udev to monitor connected devices and statically and dynamically tunes system settings according to a selected profile
UDisks	0.6				1	1	2	UDisks is a system service daemon that provides interfaces to enumerate, query, and manage storage devices such as hard drives, SSDs, removable media, and loop devices. It exposes functionality over the D-Bus system bus, allowing unprivileged applications to perform safe disk operations while privileged actions are mediated by PolicyKit.
Wireshark	0.6			2	1		3	Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education
389 Directory Server	0.5			1			1	389 Directory Server is a highly usable, fully featured, reliable and secure LDAP server implementation
Admesh	0.5			2			2	Product detected by a:admesh_project:admesh (exists in CPE dict)
Alinto SOGo	0.5				3		3	SOGo is an open source groupware and webmail server developed by Alinto, providing email, calendar, and contact management through a web-based interface and standard protocols.
Apache Commons Text	0.5			1			1	The Commons Text library provides additions to the standard JDK text handling
Authlib	0.5			4			4	Authlib is a Python library for building OAuth and OpenID Connect clients and servers, providing tools for secure authentication, token management, and authorization flows.
Caddy	0.5		1	5			6	Product detected by a:caddyserver:caddy (exists in CPE dict)
Command Line Interface	0.5					1	1	Product detected by a:docker:command_line_interface (exists in CPE dict)
CommonMark	0.5				1		1	Product detected by a:thephpleague:commonmark (exists in CPE dict)
CoreDNS	0.5				1		1	Product detected by a:coredns.io:coredns (exists in CPE dict)
Cosign	0.5			1			1	Product detected by a:sigstore:cosign (exists in CPE dict)
Curl	0.5			2	1		3	Product detected by a:haxx:curl (exists in CPE dict)
DOMPurify	0.5				2		2	DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG
Dottie	0.5			1			1	Product detected by a:dottie_project:dottie (exists in CPE dict)
Filebeat	0.5				1		1	Product detected by a:elastic:filebeat (exists in CPE dict)
Flask	0.5					1	1	Flask is a lightweight WSGI web application framework
GIMP	0.5			1	4		5	GIMP is an open-source image manipulation program used for photo editing, graphic design, and digital art creation.
Libarchive	0.5				1		1	Multi-format archive and compression library
Open Babel	0.5			3			3	Open Babel is an open-source chemical toolbox for converting, analyzing and working with many molecular file formats. It provides a C/C++ library and command-line tools widely used in cheminformatics and computational chemistry workflows.
PDFBox	0.5				1		1	Product detected by a:apache:pdfbox (exists in CPE dict)
Packetbeat	0.5				1		1	Product detected by a:elasticsearch:packetbeat (exists in CPE dict)
Psd-tools	0.5			1			1	Product detected by a:psd-tools_project:psd-tools (exists in CPE dict)
PyJWT	0.5			1			1	Product detected by a:pyjwt_project:pyjwt (exists in CPE dict)
Pypdf	0.5			1	6	1	8	PyPDF is a Python library for reading, manipulating, and writing PDF files, including extraction, splitting, merging, and encryption features.
QuickJS	0.5				2		2	QuickJS is a lightweight JavaScript engine that supports modern ECMAScript features and can be embedded into applications for scripting purposes.
Rebar3	0.5				1		1	Product detected by a:erlang:rebar3 (exists in CPE dict)
SPIP	0.5		1	2	8	1	12	SPIP is an open-source software content management system designed for web site publishing, oriented towards online collaborative editing
Squirrel	0.5			4			4	Product detected by a:squirrel-lang:squirrel (exists in CPE dict)
Traefik	0.5				3	1	4	Product detected by a:traefik:traefik (exists in CPE dict)
Underscore	0.5			1			1	Product detected by a:underscorejs:underscore (exists in CPE dict)
Werkzeug	0.5					1	1	Werkzeug is a comprehensive WSGI web application library
ZooKeeper	0.5				1	1	2	Product detected by a:apache:zookeeper (exists in CPE dict)
apache::session::generate::md5	0.5				1		1	Product detected by a:chorny:apachesessiongeneratemd5 (does NOT exist in CPE dict)
apache::sessionx	0.5				1		1	Product detected by a:grichter:apachesessionx (does NOT exist in CPE dict)
basic-ftp	0.5			1			1	Product detected by a:patrickjuchli:basic-ftp (does NOT exist in CPE dict)
black	0.5			1	1		2	Product detected by a:python:black (does NOT exist in CPE dict)
capnproto	0.5				1	1	2	Product detected by a:capnproto:capnproto (exists in CPE dict)
coTURN	0.5			1			1	Product detected by a:coturn_project:coturn (exists in CPE dict)
compress::raw::zlib	0.5				1		1	Product detected by a:pmqs:compressrawzlib (does NOT exist in CPE dict)
ettercap	0.5			1			1	Product detected by a:ettercap-project:ettercap (exists in CPE dict)
exiv2	0.5			1	2		3	Product detected by a:exiv2:exiv2 (exists in CPE dict)
fast-xml-parser	0.5			2	1		3	Product detected by a:naturalintelligence:fast-xml-parser (does NOT exist in CPE dict)
fast_xml_parser	0.5			1			1	Product detected by a:naturalintelligence:fast_xml_parser (exists in CPE dict)
flatted	0.5			1			1	Product detected by a:webreflection:flatted (does NOT exist in CPE dict)
gSOAP	0.5		1				1	Product detected by a:genivia:gsoap (exists in CPE dict)
gitea	0.5				1	2	3	Product detected by a:gitea:gitea (exists in CPE dict)
glances	0.5		2	1			3	Product detected by a:nicolargo:glances (does NOT exist in CPE dict)
gstreamer	0.5			2	8		10	Product detected by a:gstreamer:gstreamer (exists in CPE dict)
hdf5	0.5			1			1	Product detected by a:hdfgroup:hdf5 (exists in CPE dict)
ldap_account_manager	0.5				2		2	Product detected by a:ldap-account-manager:ldap_account_manager (exists in CPE dict)
libbiosig	0.5		1	2			3	Product detected by a:libbiosig_project:libbiosig (does NOT exist in CPE dict)
libde265	0.5			1			1	Product detected by a:struktur:libde265 (exists in CPE dict)
libexpat	0.5			1	2		3	Product detected by a:libexpat_project:libexpat (exists in CPE dict)
libssh	0.5				1		1	Product detected by a:libssh:libssh (exists in CPE dict)
libvips	0.5			8			8	Product detected by a:libvips:libvips (exists in CPE dict)
lxml_html_clean	0.5			2			2	Product detected by a:fedoralovespython:lxml_html_clean (does NOT exist in CPE dict)
markdown	0.5			1			1	Product detected by a:python-markdown:markdown (does NOT exist in CPE dict)
miniaudio	0.5			1			1	Product detected by a:mackron:miniaudio (does NOT exist in CPE dict)
minimatch	0.5			3			3	Product detected by a:minimatch_project:minimatch (exists in CPE dict)
nats-server	0.5				1		1	Product detected by a:linuxfoundation:nats-server (exists in CPE dict)
net::cidr	0.5					1	1	Product detected by a:mrsam:netcidr (does NOT exist in CPE dict)
nltk	0.5		1				1	Product detected by a:nltk:nltk (exists in CPE dict)
ocaml	0.5				1		1	Product detected by a:ocaml:ocaml (exists in CPE dict)
onnx	0.5				1		1	Product detected by a:linuxfoundation:onnx (exists in CPE dict)
openexr	0.5			1			1	Product detected by a:openexr:openexr (exists in CPE dict)
openshift_container_platform	0.5				1		1	Product detected by a:redhat:openshift_container_platform (exists in CPE dict)
ormar	0.5			1			1	Product detected by a:collerek:ormar (does NOT exist in CPE dict)
postgresql	0.5				1		1	Product detected by a:postgresql:postgresql (exists in CPE dict)
pyasn1	0.5			1			1	Product detected by a:pyasn1:pyasn1 (does NOT exist in CPE dict)
rack	0.5			2			2	Product detected by a:rack:rack (does NOT exist in CPE dict)
rollup	0.5		1				1	Product detected by a:rollupjs:rollup (does NOT exist in CPE dict)
sail	0.5			1			1	Product detected by a:sail:sail (does NOT exist in CPE dict)
simpleeval	0.5			1			1	Product detected by a:danthedeckie:simpleeval (does NOT exist in CPE dict)
tar	0.5			2			2	Product detected by a:isaacs:tar (does NOT exist in CPE dict)
tornado	0.5				1		1	Product detected by a:tornadoweb:tornado (exists in CPE dict)
undici	0.5				5		5	Product detected by a:nodejs:undici (exists in CPE dict)
utls	0.5				1		1	Product detected by a:refraction-networking:utls (does NOT exist in CPE dict)
valkey	0.5				1	1	2	Product detected by a:lfprojects:valkey (does NOT exist in CPE dict)
vim	0.5				4	2	6	Product detected by a:vim:vim (exists in CPE dict)
vitrage	0.5			1			1	Product detected by a:openstack:vitrage (does NOT exist in CPE dict)
yaml::syck	0.5				1		1	Product detected by a:toddr:yamlsyck (does NOT exist in CPE dict)
yamux	0.5			1			1	Product detected by a:protocol:yamux (does NOT exist in CPE dict)
youtube-dl	0.5		1				1	youtube-dl is a free and open source software tool for downloading video and audio from YouTube and over 1,000 other video hosting websites
zoneminder	0.5			1			1	Product detected by a:zoneminder:zoneminder (exists in CPE dict)
Erlang/OTP	0.4				1		1	Erlang/OTP is a set of libraries for the Erlang programming language
GPAC	0.4				3		3	GPAC is an Open Source multimedia framework for research and academic purposes; the project covers different aspects of multimedia, with a focus on presentation technologies (graphics, animation and interactivity)
GVfs	0.4			1	1		2	GVfs (GNOME Virtual File System) is userspace virtual filesystem software for GNOME that provides backends (including FTP) to access different remote and local file systems transparently.
JOSE	0.3			1			1	JavaScript module for JSON Object Signing and Encryption (JOSE)
Wasmtime	0.25				1		1	Standalone WebAssembly runtime written in Rust
Cairo	0.2			1			1	2D graphics library used for rendering vector graphics, including PDF via Poppler
GitHub	0.2					1	1	GitHub, Inc. is an Internet hosting service for software development and version control using Git
Unknown Product	0				19	26	45	Unknown Product

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0		10	21	18		49
Authentication Bypass	0.98		1	15	7		23
Code Injection	0.97			4	3		7
Command Injection	0.97		1	1	2		4
Security Feature Bypass	0.9			19	18		37
Server-Side Request Forgery	0.87			1	2		3
Elevation of Privilege	0.85			2	3		5
Information Disclosure	0.83		2	5	7		14
Cross Site Scripting	0.8			4	12		16
Open Redirect	0.75				2		2
Denial of Service	0.7		1	28	56	2	87
Path Traversal	0.7		1	5	4	2	12
Incorrect Calculation	0.5			6	14	1	21
Memory Corruption	0.5			42	126	8	176
Spoofing	0.4				5		5
Tampering	0.3			4			4
Unknown Vulnerability Type	0				43	67	110

Source	U	C	H	M	L	A
almalinux			9	41	2	52
altlinux		1	40	143	15	199
debian		16	143	251	45	455
oraclelinux		1	9	53	5	68
redhat			9	42	1	52
redos			6	6	4	16
ubuntu			21	34	25	80

Urgent (0)

Critical (16)

1. Remote Code Execution - Chromium (CVE-2026-3909) - Critical [740]

Description: Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2026-3909 was patched at 2026-03-16, 2026-03-18

2. Remote Code Execution - Chromium (CVE-2026-3910) - Critical [728]

Description: Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2026-3910 was patched at 2026-03-16, 2026-03-18

3. Remote Code Execution - nltk (CVE-2025-14009) - Critical [666]

Description: A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.

debian: CVE-2025-14009 was patched at 2026-03-18

4. Remote Code Execution - Binutils (CVE-2025-69650) - Critical [645]

Description: GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.

debian: CVE-2025-69650 was patched at 2026-03-18

5. Remote Code Execution - rollup (CVE-2026-27606) - Critical [642]

Description: Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.

debian: CVE-2026-27606 was patched at 2026-03-18

oraclelinux: CVE-2026-27606 was patched at 2026-03-13

6. Information Disclosure - glances (CVE-2026-30928) - Critical [636]

Description: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1.

debian: CVE-2026-30928 was patched at 2026-03-18

7. Information Disclosure - glances (CVE-2026-32596) - Critical [636]

Description: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.

debian: CVE-2026-32596 was patched at 2026-03-18

8. Authentication Bypass - Libsoup (CVE-2026-3099) - Critical [632]

Description: A flaw was found in Libsoup. The server-side digest authentication implementation in the SoupAuthDomainDigest class does not properly track issued nonces or enforce the required incrementing nonce-count (nc) attribute. This vulnerability allows a remote attacker to capture a single valid authentication header and replay it repeatedly. Consequently, the attacker can bypass authentication and gain unauthorized access to protected resources, impersonating the legitimate user.

debian: CVE-2026-3099 was patched at 2026-03-18

9. Remote Code Execution - Caddy (CVE-2026-27590) - Critical [630]

Description: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.

altlinux: CVE-2026-27590 was patched at 2026-03-04, 2026-03-05

debian: CVE-2026-27590 was patched at 2026-03-18

10. Remote Code Execution - Calibre (CVE-2026-26064) - Critical [628]

Description: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.

debian: CVE-2026-26064 was patched at 2026-03-18

11. Remote Code Execution - libbiosig (CVE-2026-22891) - Critical [619]

Description: A heap-based buffer overflow vulnerability exists in the Intan CLP parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (db9a9a63). A specially crafted Intan CLP file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

debian: CVE-2026-22891 was patched at 2026-03-18

12. Denial of Service - Libsoup (CVE-2026-4271) - Critical [617]

Description: A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs in the HTTP/2 server implementation. A remote attacker can exploit this by sending specially crafted HTTP/2 requests that cause authentication failures. This can lead to the application attempting to access memory that has already been freed, potentially causing application instability or crashes, resulting in a Denial of Service (DoS).

debian: CVE-2026-4271 was patched at 2026-03-18

13. Remote Code Execution - Calibre (CVE-2026-26065) - Critical [616]

Description: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in 'wb' mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0.

debian: CVE-2026-26065 was patched at 2026-03-18

14. Command Injection - youtube-dl (CVE-2026-26331) - Critical [613]

Description: yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc "machine" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument.

debian: CVE-2026-26331 was patched at 2026-03-18

15. Remote Code Execution - SPIP (CVE-2026-27475) - Critical [607]

Description: SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen.

debian: CVE-2026-27475 was patched at 2026-03-03, 2026-03-18

16. Path Traversal - gSOAP (CVE-2019-25355) - Critical [601]

Description: gSOAP 2.8 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by manipulating HTTP path traversal techniques. Attackers can retrieve sensitive files like /etc/passwd by sending crafted GET requests with multiple '../' directory traversal sequences.

debian: CVE-2019-25355 was patched at 2026-03-18

High (157)

17. Elevation of Privilege - GNU Inetutils (CVE-2026-28372) - High [599]

Description: telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file.

debian: CVE-2026-28372 was patched at 2026-02-19, 2026-03-18

18. Remote Code Execution - Binutils (CVE-2025-69649) - High [597]

Description: GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.

debian: CVE-2025-69649 was patched at 2026-03-18

19. Denial of Service - Rust (CVE-2026-32314) - High [596]

Description: Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10.

debian: CVE-2026-32314 was patched at 2026-03-18

20. Remote Code Execution - libbiosig (CVE-2026-20777) - High [595]

Description: A heap-based buffer overflow vulnerability exists in the Nicolet WFT parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (db9a9a63). A specially crafted .wft file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

debian: CVE-2026-20777 was patched at 2026-03-18

21. Security Feature Bypass - FreeRDP (CVE-2026-25941) - High [594]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue.

altlinux: CVE-2026-25941 was patched at 2026-02-27

debian: CVE-2026-25941 was patched at 2026-03-18

ubuntu: CVE-2026-25941 was patched at 2026-03-18

22. Security Feature Bypass - Keycloak (CVE-2026-1529) - High [591]

Description: A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access.

altlinux: CVE-2026-1529 was patched at 2026-03-10, 2026-03-23

23. Information Disclosure - markdown (CVE-2025-69534) - High [588]

Description: Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.

debian: CVE-2025-69534 was patched at 2026-03-18

24. Security Feature Bypass - cpp-httplib (CVE-2026-32627) - High [586]

Description: cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target — expired, self-signed, or forged — without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2.

debian: CVE-2026-32627 was patched at 2026-03-18

25. Remote Code Execution - Binutils (CVE-2025-69652) - High [585]

Description: GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.

debian: CVE-2025-69652 was patched at 2026-03-18

26. Remote Code Execution - GNU C Library (CVE-2025-69651) - High [585]

Description: GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.

debian: CVE-2025-69651 was patched at 2026-03-18

27. Remote Code Execution - vitrage (CVE-2026-28370) - High [583]

Description: In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.

debian: CVE-2026-28370 was patched at 2026-03-18

28. Security Feature Bypass - Authlib (CVE-2026-27962) - High [577]

Description: Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.

debian: CVE-2026-27962 was patched at 2026-03-18

29. Security Feature Bypass - Authlib (CVE-2026-28802) - High [577]

Description: Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7.

debian: CVE-2026-28802 was patched at 2026-03-18

30. Memory Corruption - GNU Inetutils (CVE-2026-32746) - High [572]

Description: telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full.

debian: CVE-2026-32746 was patched at 2026-03-18

31. Remote Code Execution - hdf5 (CVE-2026-26200) - High [571]

Description: HDF5 is software for managing data. Prior to version 1.14.4-2, an attacker who can control an `h5` file parsed by HDF5 can trigger a write-based heap buffer overflow condition. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. Real-world exploitability of this issue in terms of remote-code execution is currently unknown. Version 1.14.4-2 fixes the issue.

debian: CVE-2026-26200 was patched at 2026-03-18

32. Code Injection - zoneminder (CVE-2026-27470) - High [566]

Description: ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries.

altlinux: CVE-2026-27470 was patched at 2026-03-03

debian: CVE-2026-27470 was patched at 2026-03-18

33. Path Traversal - basic-ftp (CVE-2026-27699) - High [565]

Description: The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.

debian: CVE-2026-27699 was patched at 2026-03-18

34. Security Feature Bypass - Caddy (CVE-2026-27585) - High [565]

Description: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.

altlinux: CVE-2026-27585 was patched at 2026-03-04, 2026-03-05

debian: CVE-2026-27585 was patched at 2026-03-18

35. Security Feature Bypass - Caddy (CVE-2026-27587) - High [565]

Description: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.

debian: CVE-2026-27587 was patched at 2026-03-18

36. Security Feature Bypass - Caddy (CVE-2026-27588) - High [565]

Description: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.

debian: CVE-2026-27588 was patched at 2026-03-18

37. Server-Side Request Forgery - Libsoup (CVE-2026-3632) - High [564]

Description: A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where they can send hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not actually used in internet infrastructure.

debian: CVE-2026-3632 was patched at 2026-03-18

38. Denial of Service - cpp-httplib (CVE-2026-28435) - High [563]

Description: cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload_max_length() on the decompressed request body when using HandlerWithContentReader (streaming ContentReader) with Content-Encoding: gzip (or other supported encodings). A small compressed payload can expand beyond the configured payload limit and be processed by the application, enabling a payload size limit bypass and potential denial of service (CPU/memory exhaustion). This vulnerability is fixed in 0.35.0.

debian: CVE-2026-28435 was patched at 2026-03-18

39. Denial of Service - cpp-httplib (CVE-2026-31870) - High [563]

Description: cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling. std::stoull throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT. Any server the client connects to — including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positions can crash the client application with a single HTTP response. No authentication is required. No interaction from the end user is required. The crash is deterministic and immediate. This vulnerability is fixed in 0.37.1.

debian: CVE-2026-31870 was patched at 2026-03-18

40. Authentication Bypass - coTURN (CVE-2026-27624) - High [555]

Description: Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and "[::]", but IPv4-mapped IPv6 is not covered. When sending a "CreatePermission" or "ChannelBind" request with the "XOR-PEER-ADDRESS" value of "::ffff:127.0.0.1", a successful response is received, even though "127.0.0.0/8" is blocked via "denied-peer-ip". The root cause is that, prior to the updated fix implemented in version 4.9.0, three functions in "src/client/ns_turn_ioaddr.c" do not check "IN6_IS_ADDR_V4MAPPED". "ioa_addr_is_loopback()" checks "127.x.x.x" (AF_INET) and "::1" (AF_INET6), but not "::ffff:127.0.0.1." "ioa_addr_is_zero()" checks "0.0.0.0" and "::", but not "::ffff:0.0.0.0." "addr_less_eq()" used by "ioa_addr_in_range()" for "denied-peer-ip" matching: when the range is AF_INET and the peer is AF_INET6, the comparison returns 0 without extracting the embedded IPv4. Version 4.9.0 contains an updated fix to address the bypass of the fix for CVE-2020-26262.

debian: CVE-2026-27624 was patched at 2026-03-18

41. Code Injection - ormar (CVE-2026-26198) - High [554]

Description: Ormar is a async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch.

debian: CVE-2026-26198 was patched at 2026-03-18

42. Authentication Bypass - Calibre (CVE-2026-27824) - High [553]

Description: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue.

debian: CVE-2026-27824 was patched at 2026-03-18

43. Information Disclosure - cpp-httplib (CVE-2026-28434) - High [550]

Description: cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a C++ exception and the application has not registered a custom exception handler via set_exception_handler(), the library catches the exception and writes its message directly into the HTTP response as a header named EXCEPTION_WHAT. This header is sent to whoever made the request, with no authentication check and no special configuration required to trigger it. The behavior is on by default. A developer who does not know to opt in to set_exception_handler() will ship a server that leaks internal exception messages to any client. This vulnerability is fixed in 0.35.0.

debian: CVE-2026-28434 was patched at 2026-03-18

44. Elevation of Privilege - Snapd (CVE-2026-3888) - High [549]

Description: Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.

debian: CVE-2026-3888 was patched at 2026-03-18, 2026-03-19

ubuntu: CVE-2026-3888 was patched at 2026-03-17

45. Memory Corruption - FreeRDP (CVE-2026-25952) - High [546]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.

altlinux: CVE-2026-25952 was patched at 2026-02-27

debian: CVE-2026-25952 was patched at 2026-03-18

ubuntu: CVE-2026-25952 was patched at 2026-03-18

46. Memory Corruption - FreeRDP (CVE-2026-25953) - High [546]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.

altlinux: CVE-2026-25953 was patched at 2026-02-27

debian: CVE-2026-25953 was patched at 2026-03-18

ubuntu: CVE-2026-25953 was patched at 2026-03-18

47. Memory Corruption - FreeRDP (CVE-2026-25959) - High [546]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` → `HashTable_Clear` which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0 fixes the issue.

altlinux: CVE-2026-25959 was patched at 2026-02-27

debian: CVE-2026-25959 was patched at 2026-03-18

ubuntu: CVE-2026-25959 was patched at 2026-03-18

48. Memory Corruption - FreeRDP (CVE-2026-25997) - High [546]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue.

altlinux: CVE-2026-25997 was patched at 2026-02-27

debian: CVE-2026-25997 was patched at 2026-03-18

ubuntu: CVE-2026-25997 was patched at 2026-03-18

49. Denial of Service - Binutils (CVE-2026-3442) - High [544]

Description: A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.

debian: CVE-2026-3442 was patched at 2026-03-18

50. Command Injection - glances (CVE-2026-32608) - High [542]

Description: Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.

debian: CVE-2026-32608 was patched at 2026-03-18

51. Security Feature Bypass - Authlib (CVE-2026-28498) - High [541]

Description: Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.

debian: CVE-2026-28498 was patched at 2026-03-18

52. Security Feature Bypass - PyJWT (CVE-2026-32597) - High [541]

Description: PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

debian: CVE-2026-32597 was patched at 2026-03-18

53. Path Traversal - Calibre (CVE-2026-30853) - High [539]

Description: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.

debian: CVE-2026-30853 was patched at 2026-03-18

54. Cross Site Scripting - fast-xml-parser (CVE-2026-25896) - High [535]

Description: fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.

debian: CVE-2026-25896 was patched at 2026-03-18

55. Denial of Service - FreeRDP (CVE-2026-31884) - High [534]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, division by zero in MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % block_size where block_size = context->common.format.nBlockAlign. The nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel. The value 0 is not validated anywhere before reaching the decoder. When nBlockAlign = 0, the modulo operation causes a SIGFPE (floating point exception) crash. This vulnerability is fixed in 3.24.0.

debian: CVE-2026-31884 was patched at 2026-03-18

56. Denial of Service - Wireshark (CVE-2026-3201) - High [534]

Description: USB HID protocol dissector memory exhaustion in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service

altlinux: CVE-2026-3201 was patched at 2026-02-27

debian: CVE-2026-3201 was patched at 2026-03-18

57. Denial of Service - Wireshark (CVE-2026-3203) - High [534]

Description: RF4CE Profile protocol dissector crash in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service

altlinux: CVE-2026-3203 was patched at 2026-02-27

debian: CVE-2026-3203 was patched at 2026-03-18

58. Memory Corruption - FreeRDP (CVE-2026-25955) - High [534]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue.

altlinux: CVE-2026-25955 was patched at 2026-02-27

debian: CVE-2026-25955 was patched at 2026-03-18

ubuntu: CVE-2026-25955 was patched at 2026-03-18

59. Code Injection - lxml_html_clean (CVE-2026-28350) - High [530]

Description: lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the <base> tag passes through the default Cleaner configuration. While page_structure=True removes html, head, and title tags, there is no specific handling for <base>, allowing an attacker to inject it and hijack relative links on the page. This issue has been patched in version 0.4.4.

debian: CVE-2026-28350 was patched at 2026-03-18

60. Denial of Service - pyasn1 (CVE-2026-30922) - High [529]

Description: pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with "Indefinite Length" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.

altlinux: CVE-2026-30922 was patched at 2026-03-20

debian: CVE-2026-30922 was patched at 2026-03-18

61. Path Traversal - rack (CVE-2026-22860) - High [529]

Description: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

debian: CVE-2026-22860 was patched at 2026-03-18, 2026-03-23

ubuntu: CVE-2026-22860 was patched at 2026-02-26

62. Security Feature Bypass - Caddy (CVE-2026-27589) - High [529]

Description: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.

altlinux: CVE-2026-27589 was patched at 2026-03-04, 2026-03-05

debian: CVE-2026-27589 was patched at 2026-03-18

63. Denial of Service - Kubernetes (CVE-2026-24514) - High [527]

Description: A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingress-nginx controller pod being killed or the node running out of memory.

redos: CVE-2026-24514 was patched at 2026-03-11

64. Denial of Service - FreeRDP (CVE-2026-27015) - High [522]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` → `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue.

altlinux: CVE-2026-27015 was patched at 2026-02-27

debian: CVE-2026-27015 was patched at 2026-03-18

ubuntu: CVE-2026-27015 was patched at 2026-03-18

65. Memory Corruption - FreeRDP (CVE-2026-26955) - High [522]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.

altlinux: CVE-2026-26955 was patched at 2026-02-27

debian: CVE-2026-26955 was patched at 2026-03-18

ubuntu: CVE-2026-26955 was patched at 2026-03-18

66. Memory Corruption - FreeRDP (CVE-2026-26965) - High [522]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.

altlinux: CVE-2026-26965 was patched at 2026-02-27

debian: CVE-2026-26965 was patched at 2026-03-18

ubuntu: CVE-2026-26965 was patched at 2026-03-18

67. Memory Corruption - FreeRDP (CVE-2026-31806) - High [522]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values are used during bitmap decoding and memory operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can also control the associated pixel data transmitted by the server, the overflow may be exploitable to overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0.

debian: CVE-2026-31806 was patched at 2026-03-18

68. Memory Corruption - FreeRDP (CVE-2026-31883) - High [522]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.

debian: CVE-2026-31883 was patched at 2026-03-18

69. Authentication Bypass - Curl (CVE-2026-3783) - High [520]

Description: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.

altlinux: CVE-2026-3783 was patched at 2026-03-16

debian: CVE-2026-3783 was patched at 2026-03-18

ubuntu: CVE-2026-3783 was patched at 2026-03-11, 2026-03-16

70. Remote Code Execution - GVfs (CVE-2026-28296) - High [519]

Description: A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts.

debian: CVE-2026-28296 was patched at 2026-03-18

71. Denial of Service - Pypdf (CVE-2026-27888) - High [517]

Description: pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the `xfa` property of a reader or writer and the corresponding stream being compressed using `/FlateDecode`. This has been fixed in pypdf 6.7.3. As a workaround, apply the patch manually.

debian: CVE-2026-27888 was patched at 2026-03-18

72. Denial of Service - fast-xml-parser (CVE-2026-26278) - High [517]

Description: fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.

debian: CVE-2026-26278 was patched at 2026-03-18

73. Incorrect Calculation - Caddy (CVE-2026-27586) - High [517]

Description: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.

altlinux: CVE-2026-27586 was patched at 2026-03-04, 2026-03-05

debian: CVE-2026-27586 was patched at 2026-03-18

74. Information Disclosure - Authlib (CVE-2026-28490) - High [517]

Description: Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.

debian: CVE-2026-28490 was patched at 2026-03-18

75. Memory Corruption - Admesh (CVE-2022-38072) - High [517]

Description: An improper array index validation vulnerability exists in the stl_fix_normal_directions functionality of ADMesh Master Commit 767a105 and v0.98.4. A specially-crafted stl file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

debian: CVE-2022-38072 was patched at 2026-03-18

76. Memory Corruption - sail (CVE-2026-27168) - High [517]

Description: SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. All versions are vulnerable to Heap-based Buffer Overflow through the XWD parser's use of the bytes_per_line value. The value os read directly from the file as the read size in io->strict_read(), and is never compared to the actual size of the destination buffer. An attacker can provide an XWD file with an arbitrarily large bytes_per_line, causing a massive write operation beyond the buffer heap allocated for the image pixels. The issue did not have a fix at the time of publication.

debian: CVE-2026-27168 was patched at 2026-03-18

77. Cross Site Scripting - lxml_html_clean (CVE-2026-28348) - High [511]

Description: lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression() filters, allowing external CSS loading or XSS in older browsers. This issue has been patched in version 0.4.4.

debian: CVE-2026-28348 was patched at 2026-03-18

78. Incorrect Calculation - FreeRDP (CVE-2026-27951) - High [510]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and server implementations using `FreeRDP`. For practical exploitation this will only work on 32bit systems where the available physical memory is `>= SIZE_MAX`. Version 3.23.0 contains a patch. No known workarounds are available.

altlinux: CVE-2026-27951 was patched at 2026-02-27

debian: CVE-2026-27951 was patched at 2026-03-18

ubuntu: CVE-2026-27951 was patched at 2026-03-18

79. Memory Corruption - FreeRDP (CVE-2026-25942) - High [510]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0–6) with an unchecked `execResult->execResult` value received from the server, allowing an out-of-bounds read when the server sends an `execResult` value of 7 or greater. Version 3.23.0 fixes the issue.

altlinux: CVE-2026-25942 was patched at 2026-02-27

debian: CVE-2026-25942 was patched at 2026-03-18

ubuntu: CVE-2026-25942 was patched at 2026-03-18

80. Memory Corruption - FreeRDP (CVE-2026-25954) - High [510]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.

altlinux: CVE-2026-25954 was patched at 2026-02-27

debian: CVE-2026-25954 was patched at 2026-03-18

ubuntu: CVE-2026-25954 was patched at 2026-03-18

81. Memory Corruption - FreeRDP (CVE-2026-26986) - High [510]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.

altlinux: CVE-2026-26986 was patched at 2026-02-27

debian: CVE-2026-26986 was patched at 2026-03-18

ubuntu: CVE-2026-26986 was patched at 2026-03-18

82. Memory Corruption - FreeRDP (CVE-2026-29774) - High [510]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing horizontal bounds validation of H.264 metablock regionRects coordinates. In yuv.c, the clamp() function (line 347) only validates top/bottom against the surface/YUV height, but never checks left/right against the surface width. When avc420_yuv_to_rgb (line 67) computes destination and source pointers using rect->left, it performs unchecked pointer arithmetic that can reach far beyond the allocated surface buffer. A malicious server sends a WIRE_TO_SURFACE_PDU_1 with AVC420 codec containing a regionRects entry where left greatly exceeds the surface width (e.g., left=60000 on a 128px surface). The H.264 bitstream decodes successfully, then yuv420_process_work_callback calls avc420_yuv_to_rgb which computes pDstPoint = pDstData + rect->top * nDstStep + rect->left * 4, writing 16-byte SSE vectors 1888+ bytes past the allocated heap region. This vulnerability is fixed in 3.24.0.

debian: CVE-2026-29774 was patched at 2026-03-18

83. Memory Corruption - FreeRDP (CVE-2026-29775) - High [510]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.

debian: CVE-2026-29775 was patched at 2026-03-18

84. Memory Corruption - FreeRDP (CVE-2026-31885) - High [510]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0.

debian: CVE-2026-31885 was patched at 2026-03-18

85. Memory Corruption - FreeRDP (CVE-2026-31897) - High [510]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in freerdp_bitmap_decompress_planar when SrcSize is 0. The function dereferences *srcp (which points to pSrcData) without first verifying that SrcSize >= 1. When SrcSize is 0 and pSrcData is non-NULL, this reads one byte past the end of the source buffer. This vulnerability is fixed in 3.24.0.

debian: CVE-2026-31897 was patched at 2026-03-18