
Mesa patches WebGPU alloca-sized out-of-bounds access
A High-severity WebGPU out-of-bounds write in `Mesa` can occur due to untrusted allocation sizing, affecting versions before `25.3.6` and `26.0.0` before `26.0.1`.

An oss-security disclosure reports a Critical pre-auth RCE in Cockpit remote login where attacker-controlled hostname/username reaches `ssh`, impacting Cockpit versions `> 326`.

A High-severity parsing bug in `xdg-dbus-proxy` (`<0.1.7`) lets malicious Flatpak apps bypass eavesdrop restrictions and intercept session D-Bus messages.

CVE-2026-39860 reports a critical Nix sandbox escape where fixed-output derivation output registration follows symlinks, letting local untrusted builds overwrite root-writable files.

WSA-2026-0002 discloses eight WebKitGTK/WPE WebKit flaws (SOP/CSP bypass, sandbox escape, XSS, crashes) affecting versions before 2.52.1 and fixed in 2.52.1.

An oss-security disclosure details two libfuse `io_uring` transport memory-safety issues affecting `libfuse` >=3.18.0,<3.18.2, including a High-severity use-after-free with potential code execution.

Red Hat published RHSA-2026:2768, an Important security advisory updating RHEL 9.4 EUS nodejs:20 to address three Node.js vulnerabilities, including a DoS issue.