CVE-2026-1801 in libsoup

libsoup contains an HTTP request smuggling vulnerability in its chunked transfer encoding parser. The library accepts lone LF (\n) characters instead of requiring CRLF (\r\n) as mandated by RFC 9112, enabling request smuggling attacks when deployed behind RFC-compliant proxies. Reference: https://gitlab.gnome.org/GNOME/libsoup/-/issues/481

CVE-2025-51602 in VLC Media Player

As part of our ongoing vulnerability analysis efforts at QCRI, we discovered a new out-of-bounds read vulnerability in the MMS component of VLC Media Player (CVE-2025-51602). The vulnerability was fixed by VideoLAN in VLC v3.0.22. Security Advisory: https://images.videolan.org/security/sb-vlc3022.html

When Native Dependencies Betray: An Integer Overflow in libxml2 with Cross-Language Impact on PHP and Swift

Author: Ahmed Lekssays. Executive Summary: During security research at the Qatar Computing Research Institute, we discovered a critical integer overflow vulnerability in libxml2’s xmlBuildQName() function (CVE-2025-6021) that cascaded into multiple high-profile projects including PHP’s SOAP extension (CVE-2025-6491) and Swift’s FoundationXML library. This research demonstrates how a single flaw in a widely used native library can create […]

From VEX to Critical Bug

A subtle normalization mismatch inside an SBOM tool can break dependency relationships even when all packages are detected correctly. When edges between components silently disappear, downstream processes like vulnerability scanning and VEX reasoning become unreliable. This post walks through how such an issue surfaced in Syft, why it happened, and why small normalization inconsistencies pose […]

Paper accepted to ACM Multimedia Asia 2025

[Dec. 2025] Paper accepted to ACM Multimedia Asia 2025 and awarded the Best Multimodal Award: Dynamic Routing between Multimodal Capsules for Deepfake Image Editing Detection.