The Lab · 2026-03-25 21:27:15 · GitHub Issues
A critical security flaw in the popular Fastify web framework allows attackers to spoof protocol and host information, even when restrictive proxy trust settings are in place. The vulnerability, tracked as CVE-2026-3635, stems from a logic error where the `request.protocol` and `request.host` getters incorrectly read `...
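The entry above is cut off before it says what the vulnerable getters read. As an added example that is not Fastify's code, the following shows the rule that `request.protocol` and `request.host` style getters have to follow: honour `X-Forwarded-Proto` / `X-Forwarded-Host` only when the direct peer is a trusted proxy, and otherwise report what the socket itself says. The `trustProxy` shape (boolean or `(remoteAddress) => boolean`) and the minimal `req` object are assumptions of the example.

```javascript
// Added example, not Fastify's code. Rule for request.protocol / request.host
// style getters: use X-Forwarded-* values only when the direct peer is a
// trusted proxy; otherwise report what the socket itself says.
// `trustProxy` (assumed shape): true/false, or (remoteAddress) => boolean.
// `req` (assumed shape): { headers, socket: { remoteAddress, encrypted } }.

function peerIsTrusted(trustProxy, remoteAddress) {
  if (typeof trustProxy === 'function') return trustProxy(remoteAddress) === true;
  return trustProxy === true;
}

function requestProtocol(req, trustProxy) {
  const own = req.socket.encrypted ? 'https' : 'http';
  if (!peerIsTrusted(trustProxy, req.socket.remoteAddress)) return own;
  const fwd = req.headers['x-forwarded-proto'];
  if (typeof fwd !== 'string') return own;
  // Several proxies may have appended to the list; the first entry is the
  // scheme the client used. Anything but http/https is treated as absent.
  const first = fwd.split(',')[0].trim().toLowerCase();
  return first === 'https' || first === 'http' ? first : own;
}

function requestHost(req, trustProxy) {
  const own = req.headers.host ?? '';
  if (!peerIsTrusted(trustProxy, req.socket.remoteAddress)) return own;
  const fwd = req.headers['x-forwarded-host'];
  if (typeof fwd !== 'string' || fwd.trim() === '') return own;
  return fwd.split(',')[0].trim();
}

// Constructed requests. Both carry forwarded headers claiming HTTPS and a
// public hostname; only the second actually arrives from the load balancer.
const forwardedHeaders = {
  host: 'app.internal:3000',
  'x-forwarded-proto': 'https',
  'x-forwarded-host': 'www.example.com',
};
const directFromClient = { headers: forwardedHeaders, socket: { remoteAddress: '203.0.113.5', encrypted: false } };
const viaLoadBalancer = { headers: forwardedHeaders, socket: { remoteAddress: '10.0.0.2', encrypted: false } };
const onlyTheLb = (addr) => addr === '10.0.0.2';

function demo() {
  return {
    // trustProxy off: forwarded headers are ignored entirely
    untrusted: [requestProtocol(directFromClient, false), requestHost(directFromClient, false)],
    // trustProxy is a list, peer is not on it: still ignored
    spoofAttempt: [requestProtocol(directFromClient, onlyTheLb), requestHost(directFromClient, onlyTheLb)],
    // peer is the listed load balancer: forwarded values are honoured
    fromLb: [requestProtocol(viaLoadBalancer, onlyTheLb), requestHost(viaLoadBalancer, onlyTheLb)],
  };
}
```

The point of the `spoofAttempt` case is that the check is on the peer address, not on whether the headers are present: a client that talks to the server directly can always add the headers, so only the address of the hop that reached the server can be used to decide.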
The Lab · 2026-03-26 04:27:00 · GitHub Issues
A flaw in how a widely used elliptic-curve implementation processes specific inputs has been patched in a core cryptographic library. The bug, tracked as CVE-2026-1229, resided in the `CombinedMult` function of Cloudflare's CIRCL library within its P-384 (secp384r1) curve implementation. This functi...
The Lab · 2026-03-27 07:26:53 · GitHub Issues
A critical security vulnerability in the widely used Node.js `tar` package has been patched, addressing a flaw that could allow attackers to overwrite files anywhere on a Windows system. The vulnerability, tracked as CVE-2026-31802, stems from improper handling of drive-relative symlink targets during archive extractio...
The Lab · 2026-03-29 11:26:57 · GitHub Issues
A critical security patch has been deployed to address a cross-site scripting (XSS) vulnerability in the Ruby on Rails framework, identified as CVE-2022-22577. The fix, tracked internally as YETI-1135, closes a potential attack vector within the Action Pack component, a core part of Rails that handles web requests and ...
The Lab · 2026-03-29 16:26:56 · GitHub Issues
A critical security vulnerability has been disclosed in the Trix editor, the default rich-text component for Ruby on Rails' Action Text framework. The flaw, identified as a stored cross-site scripting (XSS) vulnerability, allows attackers to inject malicious scripts through serialized HTML attributes. These scripts are...
The Lab · 2026-03-29 18:26:59 · GitHub Issues
A critical security vulnerability in the popular JavaScript testing library Happy-DOM has been patched, addressing a flaw that could have exposed user session data. The issue, tracked as GHSA-w4gp-fjgq-3q4g, involved the library incorrectly forwarding cookies from the current origin to the target origin during fetch re...
The Lab · 2026-03-30 14:27:25 · GitHub Issues
A critical security vulnerability has been patched in the widely-used Drizzle ORM library. Version 0.45.2 fixes a SQL injection flaw (CWE-89) within the `sql.identifier()` and `sql.as()` functions, where passed values were not being properly escaped. This type of vulnerability could allow attackers to execute arbitrary...
The Lab · 2026-03-30 16:27:19 · GitHub Issues
A critical security vulnerability has been patched in the widely-used Drizzle ORM library. The patch, released in version 0.45.2, addresses a flaw in the `sql.identifier()` and `sql.as()` functions where values were not properly escaped, creating a potential SQL Injection (CWE-89) attack vector. This type of vulnerabil...
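Both Drizzle entries above describe the same class of bug: an identifier helper that wraps its input in quotes without escaping quotes inside it. The following is an added example, not Drizzle's code, showing the unsafe and the escaped form side by side and, through a small reader that consumes a double-quoted identifier the way a SQL parser does, what each one turns an attacker-controlled alias into. The PostgreSQL/SQLite double-quote convention is assumed (MySQL uses backticks, doubled the same way); the hostile alias is constructed.

```javascript
// Added example, not Drizzle's code. Quoting an identifier is not escaping it:
// an embedded double quote ends the identifier early unless it is doubled.

function unsafeIdentifier(name) {          // the "before": wrap only
  return `"${name}"`;
}

function quoteIdentifier(name) {           // the "after": double embedded quotes
  if (typeof name !== 'string' || name.length === 0) throw new TypeError('identifier must be a non-empty string');
  if (name.includes('\0')) throw new TypeError('identifier must not contain NUL');
  return `"${name.replace(/"/g, '""')}"`;
}

// Qualified names take an array of parts, never a dotted string: a single
// part is allowed to contain a dot, so splitting on "." would be wrong.
function quoteQualified(parts) {
  return parts.map(quoteIdentifier).join('.');
}

// Builds a statement whose alias comes from untrusted input, as with sql.as().
function selectWithAlias(quote, alias) {
  return `SELECT 1 AS ${quote(alias)}`;
}

// Reads a double-quoted identifier the way a SQL parser does: "" inside the
// quotes is one literal quote; the first lone quote ends the identifier.
function readQuotedIdentifier(sql, start) {
  if (sql[start] !== '"') throw new Error('not at a quoted identifier');
  let i = start + 1;
  let name = '';
  while (i < sql.length) {
    if (sql[i] === '"') {
      if (sql[i + 1] === '"') { name += '"'; i += 2; continue; }
      return { name, rest: sql.slice(i + 1) };
    }
    name += sql[i++];
  }
  throw new Error('unterminated identifier');
}

// Constructed attacker-controlled alias: closes the identifier, appends SQL,
// and comments out the trailing quote the builder adds.
const hostile = 'x" FROM users; DROP TABLE users; --';
const ALIAS_AT = 'SELECT 1 AS '.length;

function parserView(quote) {
  return readQuotedIdentifier(selectWithAlias(quote, hostile), ALIAS_AT);
}
```

`parserView(unsafeIdentifier)` yields the identifier `x` with `FROM users; DROP TABLE users; --"` left over as live SQL; `parserView(quoteIdentifier)` yields the whole hostile string as one identifier and nothing left over. A NUL check is included because some drivers truncate strings at the first NUL before the database sees them.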
The Lab · 2026-03-31 08:27:14 · GitHub Issues
A critical security update has been applied to a GitHub repository, patching multiple high-severity vulnerabilities in widely used Python libraries. The patch addresses a trio of CVEs, including a Time-of-Check-Time-of-Use (TOCTOU) symlink flaw, a decompression bomb risk, and a cryptographic calculation error, which co...
The Lab · 2026-03-31 19:27:26 · GitHub Issues
A critical security vulnerability in the @backstage/plugin-techdocs-node package, exposing systems to arbitrary code execution via MkDocs hooks, has been patched in the release-1.9 branch. The flaw, which could allow attackers to run malicious code, was fixed upstream by the Backstage project. Red Hat's internal securi...
The Lab · 2026-04-01 11:27:18 · GitHub Issues
GitHub has urgently patched a series of HTML filter bypasses in its Markdown preview feature, a vulnerability that could have allowed attackers to execute arbitrary scripts. The flaw, a reflected script injection for normal users and a stored one for staff, was exploitable through a technique known as DOM clobbering. A...
The Lab · 2026-04-03 17:27:02 · GitHub Issues
A critical security vulnerability in the yajl-ruby library, a widely used JSON parser for Ruby, has been patched. The update to version 1.4.3 addresses a buffer overflow flaw that could lead to a denial-of-service (DoS) infinite loop, a risk that persisted even after the previous 1.4.2 patch. The security advisory warn...
The Lab · 2026-04-03 23:26:57 · GitHub Issues
A critical security flaw in a discovery pairing mechanism allowed an attacker on the same local network to hijack pending requests and redirect sensitive shared secrets to a malicious endpoint. The vulnerability, classified as a P1-level issue, resided in the `createPairRequest()` function, which deduplicated pending r...
The Lab · 2026-04-04 15:27:01 · GitHub Issues
A critical security vulnerability in the widely-used Go-JOSE library has been patched in version 4.1.4, and users should update immediately. The flaw, tracked as CVE-2026-34986, causes a runtime panic when the library attempts to decrypt a JSON Web Encryption (JWE) object that uses a key wrapping algorithm (identified by an `alg` field ending in ...
The Lab · 2026-04-05 03:27:03 · GitHub Issues
A critical security flaw in the widely-used `github.com/go-jose/go-jose/v4` library has been patched, addressing a vulnerability that could cause applications to crash when processing malformed encrypted data. The issue, tracked as CVE-2026-34986, triggers a panic during the decryption of specific JSON Web Encryption (...
The Lab · 2026-04-05 13:26:56 · GitHub Issues
A targeted security patch, version 1.22.1, has been deployed with the explicit purpose of remediating multiple critical vulnerabilities. The release contains no new user-facing features, focusing solely on vulnerability fixes and essential release metadata. This narrow scope underscores the urgency and severity of the ...
The Lab · 2026-04-06 14:27:20 · GitHub Issues
A critical open redirect vulnerability has been patched in a patient portal's messaging system. The flaw, located in the `portal/messaging/handle_note.php` script, allowed an attacker to redirect authenticated patients to malicious phishing pages after they performed a messaging action. The vulnerability stemmed from t...
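The entry above is cut off before it says what the script used as the redirect target. As an added example that is not the portal's code (and in JavaScript rather than PHP, to match the rest of the examples on this page), the block below shows the validation such a post-action redirect needs: accept only a single-slash-rooted path on the portal's own origin, reject absolute and protocol-relative URLs, header-injection characters, and the backslash variant, and re-check the result after URL normalisation, because `..` segments can turn a harmless-looking path into a protocol-relative one. The fallback landing page and the origin are assumptions of the example.

```javascript
// Added example, not the portal's code. Validate a user-supplied redirect
// target before emitting a Location header. Policy: same-origin relative
// paths only; anything else goes to a fixed fallback.

const PORTAL_ORIGIN = 'https://portal.example';        // assumed origin
const SAFE_FALLBACK = '/portal/messaging/';             // assumed default landing page

// Exactly one leading slash, not followed by "/" or "\": rules out "//evil",
// "/\evil" (browsers treat "\" as "/") and bare absolute URLs.
const ROOTED_PATH = /^\/(?![\/\\])/;

function safeRedirectTarget(input, fallback = SAFE_FALLBACK) {
  if (typeof input !== 'string' || input.length === 0) return fallback;
  if (/[\r\n\0]/.test(input)) return fallback;          // header injection / control chars
  if (!ROOTED_PATH.test(input)) return fallback;

  // Parse against the fixed origin; anything that changes the origin is rejected.
  let url;
  try { url = new URL(input, PORTAL_ORIGIN); } catch { return fallback; }
  if (url.origin !== PORTAL_ORIGIN) return fallback;

  // Normalisation can produce "//host" from "/a/..//host": check the output
  // with the same rule as the input, and never return the absolute href.
  const out = url.pathname + url.search + url.hash;
  return ROOTED_PATH.test(out) ? out : fallback;
}
```

Returning `pathname + search + hash` rather than `url.href` keeps the redirect relative, so even a parser quirk cannot turn it into a cross-origin `Location`.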
The Lab · 2026-04-06 19:27:11 · GitHub Issues
A critical security vulnerability in Vite's development server has been disclosed, allowing unauthorized file system access. The flaw, tracked as GHSA-p9ff-h696-f583, bypasses the `server.fs` strict file access controls within the WebSocket-exposed `fetchModule` method. This creates a direct path for potential data exf...
The Lab · 2026-04-06 23:27:00 · GitHub Issues
A critical security vulnerability in the Vite development server allows attackers to bypass file access restrictions and retrieve sensitive data. The flaw, tracked as GHSA-v2wj-q39q-566r, specifically undermines the `server.fs.deny` configuration, a core security feature designed to block access to specified files. Whe...
The Lab · 2026-04-07 05:27:07 · GitHub Issues
A critical security vulnerability in Vite's development server has been patched in version 6.4.2. The flaw, tracked as CVE-2026-39363, stems from a failure to enforce the `server.fs` strict file system access check within the `fetchModule` method exposed via the dev server's WebSocket. This oversight creates a potentia...