The Lab · 2026-03-25 09:27:16 · GitHub Issues
The Ruby JSON library has released a critical security patch for a format string injection vulnerability, designated CVE-2026-33210. The flaw, fixed in version 2.19.2, specifically affects the `JSON.parse` method when used with the `allow_duplicate_key: false` option. This type of vulnerability can potentially allow an...
The Lab · 2026-03-26 01:27:34 · GitHub Issues
A critical security vulnerability in the core routing logic of gRPC-Go, which exposed servers to potential authorization bypass, has been patched. The flaw, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server's routing was found to be excessively permissive,...
The Lab · 2026-03-27 13:27:25 · GitHub Issues
The Istio service mesh has released a critical security patch for version 1.21.6, addressing a severe vulnerability in the underlying gRPC-Go library. The flaw, tracked as CVE-2026-33186, allows for a complete authorization bypass. The exploit hinges on a missing leading slash in the HTTP/2 `:path` pseudo-header, which...
The Lab · 2026-03-28 19:27:01 · GitHub Issues
A critical security vulnerability in how the widely-used Python cryptography library validates X.509 certificates has been patched. The bug, tracked as CVE-2026-34073, could allow an attacker to bypass critical name constraints during certificate verification if the leaf certificate contains a w...
The Lab · 2026-03-28 21:27:03 · GitHub Issues
The widely-used Python cryptography library has patched a significant security vulnerability in its certificate verification logic. The flaw, tracked as CVE-2026-34073, could allow an attacker to bypass critical name constraints when a leaf certificate contains a wildcard DNS SAN, potentially enabling impersonation att...
The Lab · 2026-03-29 02:27:03 · GitHub Issues
A critical security update for the widely-used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function inherited from the bundled `jsbn` library. When called with a zero value as input, the fu...
The Lab · 2026-03-29 02:27:06 · GitHub Issues
The widely-used Python cryptography library has patched a critical security vulnerability in its X.509 certificate validation logic. The flaw, tracked as CVE-2026-34073, could allow an attacker to bypass critical name constraints when a leaf certificate contains a wildcard DNS SAN. This bypass occurs during peer name v...
The Lab · 2026-03-29 04:27:07 · GitHub Issues
A critical security update for the widely-used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function. When this function is called with a zero value as input, it triggers an infinite loop in...
The Lab · 2026-03-30 05:26:50 · GitHub Issues
A critical security vulnerability has been patched in the widely-used Drizzle ORM library. The patch, released in version 0.45.2, addresses a SQL Injection flaw (CWE-89) within the `sql.identifier()` and `sql.as()` functions. The vulnerability stemmed from improper escaping of values passed to these functions, creating...
The Lab · 2026-03-30 17:27:25 · GitHub Issues
A critical security update for the widely-used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled `jsbn` library. When this function is called with a ...
The Lab · 2026-04-01 18:27:21 · GitHub Issues
A critical Denial-of-Service (DoS) vulnerability affecting self-hosted Next.js applications has been patched; it exposed a memory exhaustion attack vector through the framework's image optimization endpoint. The flaw, tracked as CVE-2025-59471, resides in the Image Optimizer component for applications configured with `remotePat...
The Lab · 2026-04-03 20:27:11 · GitHub Issues
A critical security update has been issued for the widely-used `go-jose/v4` library, patching a high-severity denial-of-service vulnerability. The flaw, tracked as CVE-2026-34986 with a CVSS score of 7.5, could cause applications to crash when processing malformed encrypted data, posing a significant risk to service st...
The Lab · 2026-04-03 23:27:02 · GitHub Issues
A critical security vulnerability in the Electron framework, tracked as CVE-2026-34764, has been patched in the latest release. The flaw, a use-after-free memory corruption bug, resides in the offscreen rendering feature when GPU shared textures are used. Under specific conditions, the `release()` callback provided on ...
The Lab · 2026-04-04 03:26:56 · GitHub Issues
A critical security update has been released for the widely-used Go-JOSE library, addressing a vulnerability that can cause a panic and crash during the decryption of certain JSON Web Encryption (JWE) objects. The flaw, tracked as CVE-2026-34986, is triggered when a JWE object uses a key wrapping algorithm (those endin...
The Lab · 2026-04-04 06:26:53 · GitHub Issues
A critical security vulnerability in Keycloak, the widely-used open-source identity and access management solution, has been disclosed. The flaw, tracked as CVE-2026-4282, resides in the SingleUseObjectProvider—a global key-value store that lacks proper type and namespace isolation. This architectural weakness creates ...
The Lab · 2026-04-04 12:27:02 · GitHub Issues
A critical SQL injection vulnerability has been eliminated from the Frappe Assistant Core project by removing a dormant but dangerous piece of code. The vulnerability resided in the `create_visualization.py` tool, which had been intentionally disabled but remained physically present on the system. This dead code posed ...
The Lab · 2026-04-06 19:27:10 · GitHub Issues
A critical security vulnerability in the Vite development server allows unauthorized access to `.map` files from anywhere on the host system, posing a significant data exposure risk. The flaw, tracked as GHSA-4w7w-66w2-5vf9, is present in versions prior to 8.0.5 and enables potential source code and internal file leaka...
The Lab · 2026-04-06 20:27:23 · GitHub Issues
A critical security overhaul of the AIRI Gateway's WebSocket interface has been implemented, shifting the system to a 'Secure by Default' posture to neutralize severe attack vectors. The patch enforces strict zero-trust authentication and connection traceability, directly addressing an open architecture that previously...
The Lab · 2026-04-07 08:27:00 · GitHub Issues
A critical security flaw in the Angular framework, which exposed applications using internationalization (i18n) features to potential cross-site scripting (XSS) attacks, has been patched. The vulnerability, tracked as CVE-2026-32635 and GHSA-g93w-mfhg-p222, resides within the Angular runtime's handling of i18n attribute bind...
The Lab · 2026-04-07 08:27:01 · GitHub Issues
A critical security flaw in the Angular framework, which exposed applications using internationalization (i18n) to cross-site scripting (XSS) attacks, has been patched. The vulnerability, tracked as CVE-2026-32635 (GHSA-g93w-mfhg-p222), resides within the `@angular/compiler` package. It specifically affects how Angular handl...