In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element. More information : https://github.com/systemd/systemd/security/advisories/GHSA-848h-497j-8vjq

In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file. More information : https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx

In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output. More information : https://github.com/systemd/systemd/security/advisories/GHSA-vpfq-8p5f-jcqx

In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace. More information : https://github.com/systemd/systemd/security/advisories/GHSA-6pwp-j5vg-5j6m

In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User= unit exists and is running. More information : https://github.com/systemd/systemd/security/advisories/GHSA-x4h8-rrrg-q78f

Apache Log4cxx’s XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in log messages, NDC, and MDC property keys and values, producing invalid XML output....

Apache Log4net’s XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list and XmlLayoutSchemaLog4J https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list , in versions before 3.3.0, fail to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in MDC property keys and values, as well as the identity...

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja’s link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner...

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local...

Apache Log4j’s JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This...

Apache Log4j Core’s XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC...

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters...

Apache Log4j Core’s Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based...

The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName attribute of the element. Although the...