CVE-2026-1801 in libsoup
libsoup contains an HTTP request smuggling vulnerability in its chunked transfer encoding parser. The library accepts lone LF (\n) characters instead of requiring CRLF (\r\n) as mandated by RFC 9112, enabling request smuggling attacks when deployed behind RFC-compliant proxies. Reference: https://gitlab.gnome.org/GNOME/libsoup/-/issues/481
CVE-2025-51602 in VLC Media Player
As a part of our ongoing efforts in vulnerability analysis at QCRI, we discovered a new Out-of-bounds read vulnerability in the MMS component of VLC Media Player (CVE-2025-51602). The vulnerability was fixed by VideoLan in VLC v3.0.22. Security Advisory: https://images.videolan.org/security/sb-vlc3022.html
CVE-2025-6170 in libxml2
We discovered a vulnerability in gnome/libxml2 in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without […]
CVE-2025-6021 in libxml2
We discovered a vulnerability in gnome/libxml2 in xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.
CVE-2025-6491 in php-src
We discovered a vulnerability in php/php-src (the core source code for PHP programming language) if a SoapVar instance is created with a fully qualified name larger than 2G, this will cause a NULL pointer dereference resulting in a segmentation fault, leading to a denial of service.