The Lab · 2026-03-26 01:27:32 · GitHub Issues
A critical security flaw in the core routing logic of Google's gRPC-Go library has been patched; before the fix it exposed servers to potential authorization bypass. The vulnerability, tracked as CVE-2026-33186, stems from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was found to be overly permissiv...
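The excerpt above says only that `:path` was validated too permissively. The following is an added example, not gRPC-Go's code or its fix: it shows the strict shape check a gRPC server-side router can apply to `:path` (exactly `/Service/Method`, no query, no dot segments, no control bytes) followed by an exact-string lookup, so that the string that is authorised is the string that is dispatched. The registry and method names are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// validGRPCPath reports whether an HTTP/2 :path pseudo-header has the exact
// shape a gRPC request path must have: "/" + Service + "/" + Method with two
// non-empty segments, no query or fragment, no backslash, no dot segments and
// no control or non-ASCII bytes. The rule set is this example's own strict
// choice (an assumption), not the fix gRPC-Go shipped.
func validGRPCPath(p string) error {
	if p == "" || p[0] != '/' {
		return fmt.Errorf("path %q must start with '/'", p)
	}
	if strings.ContainsAny(p, "?#\\") {
		return fmt.Errorf("path %q carries a query, fragment or backslash", p)
	}
	for i := 0; i < len(p); i++ {
		if c := p[i]; c <= 0x20 || c >= 0x7f {
			return fmt.Errorf("path %q contains a control or non-ASCII byte", p)
		}
	}
	segs := strings.Split(p[1:], "/")
	if len(segs) != 2 {
		return fmt.Errorf("path %q is not /Service/Method", p)
	}
	for _, s := range segs {
		if s == "" || s == "." || s == ".." {
			return fmt.Errorf("path %q has an empty or dot segment", p)
		}
	}
	return nil
}

// route resolves a validated path by exact, case-sensitive lookup in a
// registry of known full method names. Nothing is matched by prefix and no
// normalisation happens between validation and lookup, so the string that is
// authorised is the string that is dispatched.
func route(registry map[string]bool, p string) (string, error) {
	if err := validGRPCPath(p); err != nil {
		return "", err
	}
	if !registry[p] {
		return "", fmt.Errorf("unknown method %q", p)
	}
	return p, nil
}

func main() {
	// Constructed registry of two hypothetical methods.
	registry := map[string]bool{
		"/acme.Ledger/Transfer":   true,
		"/acme.Ledger/GetBalance": true,
	}
	for _, p := range []string{
		"/acme.Ledger/Transfer",
		"/acme.Ledger/Transfer/",
		"/acme.Ledger//Transfer",
		"/acme.Ledger/../Transfer",
		"/acme.Ledger/Transfer?debug=1",
		"/acme.ledger/transfer",
	} {
		if m, err := route(registry, p); err != nil {
			fmt.Printf("reject %-32q %v\n", p, err)
		} else {
			fmt.Printf("accept %-32q -> %s\n", p, m)
		}
	}
}
```

Any per-method authorization interceptor should key on the same exact string that `route` returns; a check that runs on a normalised or prefix-matched form of the path is exactly the gap an overly permissive parser opens.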
The Lab · 2026-03-29 03:27:03 · GitHub Issues
A critical vulnerability in the widely used Python cryptography library has been patched; the flaw gave attackers a potential path to steal portions of a user's private key. The flaw, tracked as CVE-2026-26007, was discovered in the library's handling of specific, uncommon elliptic curves. An attacker could exploit this...
The Lab · 2026-03-31 01:27:05 · GitHub Issues
A critical security flaw in the widely used `go-git` library has been patched in version 5.17.1. The vulnerability, tracked as CVE-2026-33762, resides in the index decoder for format version 4. The decoder fails to perform a crucial validation step, allowing a maliciously crafted Git index file to trigger an out-of-bou...
The Lab · 2026-04-01 06:27:01 · GitHub Issues
A critical security vulnerability in the widely used Python cryptography library has been patched; it was a fundamental flaw in how the software validates DNS name constraints. The issue, tracked as CVE-2026-34073, resided in versions prior to 46.0.5. The core failure was that DNS name constraints were only validated...
The Lab · 2026-04-02 00:26:57 · GitHub Issues
A critical security vulnerability in the Vite development server, tracked as CVE-2025-58751, allows files to bypass configured security restrictions. The flaw enables files starting with the same name as those in a project's public directory to be served, effectively ignoring the `server.fs` settings designed to limit ...
The Lab · 2026-04-03 07:27:06 · GitHub Issues
A critical security flaw in the widely used `go-git/v5` library has been patched, exposing countless Go-based applications and CI/CD pipelines to potential denial-of-service attacks. The vulnerability, tracked as CVE-2026-33762, resides in the library's index decoder for format version 4. The flaw allows a maliciously ...
The Lab · 2026-04-04 14:27:06 · GitHub Issues
A critical security vulnerability in the widely used `go-jose/go-jose/v4` library has been patched, requiring an update for any project that decrypts JSON Web Encryption (JWE) objects. The flaw, tracked as CVE-2026-34986, causes a panic, a complete runtime crash, when decrypting a JWE object if its `alg` field specifies a key ...
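The excerpt above ends before it says which `alg` values trigger the panic, so the example below is not go-jose's code and does not reproduce its bug. It is an added, library-independent pre-check: decode only the protected header of a compact JWE and refuse the token unless `alg` and `enc` are both on an allowlist chosen by the deployment, before any key or decryption routine sees it. The allowlists and the constructed tokens are this example's assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var (
	errMalformed     = errors.New("jwe: not a five-part compact serialization")
	errAlgNotAllowed = errors.New("jwe: alg not in allowlist")
	errEncNotAllowed = errors.New("jwe: enc not in allowlist")
)

// protectedHeader holds the two fields that decide how a JWE is unwrapped.
type protectedHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
}

// checkJWEHeader decodes only the BASE64URL protected header of a compact JWE
// and rejects the token unless its alg and enc are both in the caller's
// allowlists. It touches no key material, so a token built to reach an
// unexpected code path in a JWE library is refused before that library runs.
func checkJWEHeader(token string, algs, encs map[string]bool) (protectedHeader, error) {
	var h protectedHeader
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return h, errMalformed
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return h, errMalformed
	}
	if err := json.Unmarshal(raw, &h); err != nil {
		return h, errMalformed
	}
	if !algs[h.Alg] {
		return h, fmt.Errorf("%w: %q", errAlgNotAllowed, h.Alg)
	}
	if !encs[h.Enc] {
		return h, fmt.Errorf("%w: %q", errEncNotAllowed, h.Enc)
	}
	return h, nil
}

// makeToken builds a constructed compact JWE for the demonstration. The four
// parts after the header are placeholders; the check never decodes them.
func makeToken(header map[string]string) string {
	b, _ := json.Marshal(header)
	return base64.RawURLEncoding.EncodeToString(b) + ".ZW5j.aXY.Y3Q.dGFn"
}

func main() {
	// Allowlists are this deployment's choice (an assumption): one key
	// management algorithm and one content encryption algorithm.
	algs := map[string]bool{"RSA-OAEP-256": true}
	encs := map[string]bool{"A256GCM": true}
	for _, hdr := range []map[string]string{
		{"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": "k1"},
		{"alg": "dir", "enc": "A256GCM"},
		{"alg": "RSA-OAEP-256", "enc": "A128CBC-HS256"},
	} {
		_, err := checkJWEHeader(makeToken(hdr), algs, encs)
		fmt.Printf("%v -> err=%v\n", hdr, err)
	}
}
```

The allowlist should be the set of algorithms the service actually issues tokens with, nothing broader; a library's own "supported algorithms" list is the attack surface, not the policy.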
The Lab · 2026-04-06 12:27:15 · GitHub Issues
A critical security vulnerability in the Vite development server allows attackers to bypass file access restrictions on Windows systems. The flaw, tracked as CVE-2025-62522, enables the retrieval of files explicitly denied by the `server.fs.deny` configuration if a malicious URL ends with a backslash (`\`). This bypass...
The Lab · 2026-04-06 20:27:24 · GitHub Issues
A critical security vulnerability in the Vite development server allows attackers to access any file ending in `.map` on the host machine, potentially exposing sensitive source code and internal project structure. The flaw, tracked as GHSA-4w7w-66w2-5vf9, is present in versions prior to Vite 8.0.5. This is not a theore...
The Lab · 2026-04-08 21:27:19 · GitHub Issues
A critical security vulnerability in the Vite development server has been patched; it allowed sensitive files to be read by remote browsers. The flaw, tracked as CVE-2026-39364, allows the contents of files explicitly blocked by the `server.fs.deny` configuration to be returned to a client. This bypass of intended access controls c...
The Lab · 2026-04-14 08:22:46 · GitHub Issues
The widely used Python cryptography library has patched a critical vulnerability that could allow an attacker to steal portions of a user's private key. The flaw, tracked as CVE-2026-26007, resides in the library's handling of specific, uncommon elliptic curves known as binary curves. An attacker could exploit this by ...
The Lab · 2026-04-14 10:22:46 · GitHub Issues
A critical security vulnerability in the Vite development server allows attackers to access source map files from outside a project's directory. The flaw, tracked as CVE-2026-39365, is triggered when any file ending in `.map` is requested, potentially exposing sensitive debugging information and source code structure t...
The Lab · 2026-04-15 09:22:39 · GitHub Issues
A critical security update has been issued for the widely used `qs` library, patching a vulnerability (CVE-2025-15284) that created an inconsistency in how the library enforces array size limits. The flaw resided in the `arrayLimit` option, which failed to apply its restrictions to bracket notation array parsing (`a[]=...
The Lab · 2026-04-17 20:22:51 · GitHub Issues
A critical security flaw in the widely used `moby/spdystream` library exposes services to remote memory exhaustion attacks. The vulnerability, tracked as CVE-2026-35469, resides in the SPDY/3 frame parser, which fails to validate attacker-controlled input before allocating memory. This allows a remote peer to send a sm...
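The pattern the entry above describes, a length the peer controls being trusted before memory is allocated, is shown below in an added example that is not spdystream's code and does not claim to be the field its parser mis-handled (the excerpt is cut off before that detail). It parses the SPDY/3 8-byte frame header; in `trust` mode it sizes the payload buffer from the 24-bit length field alone, so a peer that sends one header and nothing else forces a 16 MiB allocation per frame, while the hardened mode caps the declared length and grows the buffer only as bytes actually arrive. The cap value and the sample frames are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	frameHeaderLen = 8
	maxFrameLen    = 64 * 1024 // this example's cap (an assumption); SPDY/3 allows up to 2^24-1
)

var errFrameTooLarge = errors.New("spdy: declared frame length exceeds cap")

// frame is the parsed form of one SPDY/3 frame. Control frames carry a
// version and type; data frames carry a stream ID instead.
type frame struct {
	Control  bool
	Version  uint16
	Type     uint16
	StreamID uint32
	Flags    byte
	Payload  []byte
}

// readFrame parses one SPDY/3 frame from r. The 24-bit length in the header is
// attacker-controlled. With trust=true the parser allocates that many bytes
// before a single payload byte has arrived, the memory-exhaustion pattern;
// with trust=false it rejects lengths above maxFrameLen and lets the buffer
// grow only with data that is really there.
func readFrame(r io.Reader, trust bool) (*frame, error) {
	var hdr [frameHeaderLen]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	f := &frame{Control: hdr[0]&0x80 != 0, Flags: hdr[4]}
	if f.Control {
		f.Version = binary.BigEndian.Uint16(hdr[0:2]) & 0x7fff
		f.Type = binary.BigEndian.Uint16(hdr[2:4])
	} else {
		f.StreamID = binary.BigEndian.Uint32(hdr[0:4]) & 0x7fffffff
	}
	length := int(hdr[5])<<16 | int(hdr[6])<<8 | int(hdr[7])
	if trust {
		f.Payload = make([]byte, length) // sized on the peer's word alone
		_, err := io.ReadFull(r, f.Payload)
		return f, err
	}
	if length > maxFrameLen {
		return nil, errFrameTooLarge
	}
	var buf bytes.Buffer
	if _, err := io.CopyN(&buf, r, int64(length)); err != nil {
		return nil, err
	}
	f.Payload = buf.Bytes()
	return f, nil
}

// controlHeader builds a constructed SPDY/3 control frame header.
func controlHeader(version, typ uint16, flags byte, length int) []byte {
	h := make([]byte, frameHeaderLen)
	binary.BigEndian.PutUint16(h[0:2], 0x8000|version)
	binary.BigEndian.PutUint16(h[2:4], typ)
	h[4] = flags
	h[5], h[6], h[7] = byte(length>>16), byte(length>>8), byte(length)
	return h
}

func main() {
	good := append(controlHeader(3, 1, 1, 5), []byte("hello")...)
	f, err := readFrame(bytes.NewReader(good), false)
	fmt.Printf("good frame: type=%d payload=%q err=%v\n", f.Type, f.Payload, err)

	// Eight header bytes declaring the maximum length, followed by nothing.
	bomb := controlHeader(3, 1, 0, 1<<24-1)
	f, err = readFrame(bytes.NewReader(bomb), true)
	fmt.Printf("trusting parser: allocated %d bytes for 0 received, err=%v\n", cap(f.Payload), err)
	_, err = readFrame(bytes.NewReader(bomb), false)
	fmt.Printf("capped parser: err=%v\n", err)
}
```

A per-frame cap is only half of the budget; a parser that also keeps per-connection and per-process limits on outstanding frames bounds the total a single peer can pin, which is what matters when the peer opens many connections.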
The Lab · 2026-04-22 00:22:40 · GitHub Issues
A critical security flaw in the widely used python-dotenv library has been patched; it exposed projects to arbitrary file overwrite attacks. The vulnerability, tracked as CVE-2026-28684 (GHSA-mf9w-mj56-hr94), resides in the `set_key()` and `unset_key()` functions. These functions, responsible for modifying `.env` files c...
The Lab · 2026-04-22 15:27:40 · GitHub Issues
Poetry, the widely adopted Python dependency management tool, has released version 2.3.4 to address a critical path traversal vulnerability in its tar extraction functionality. Tracked as CVE-2026-41140, the security flaw allows an attacker to write files to arbitrary locations on a system during package installation, ...
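Path traversal during archive extraction comes down to one check on every member before anything is written: does the resolved target still sit under the destination? The example below is added here, is written in Go rather than Poetry's Python, and is not Poetry's code or its fix; it uses the standard library's `archive/tar` to plan an extraction and refuse members whose names are absolute or climb out of the destination with `..` segments, as well as link members, which need their own target check and are simply disallowed here by policy. The destination directory and member names are constructed for the demonstration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

var (
	errTraversal = errors.New("tar: member would be written outside the destination")
	errBadType   = errors.New("tar: member type not allowed")
)

// safeTarget maps an archive member onto a path under dest and refuses any
// member that would escape it: absolute names, names whose ".." segments climb
// above dest, and (by this example's policy) anything that is not a plain file
// or directory, since symlink and hardlink members need a separate target check.
func safeTarget(dest string, hdr *tar.Header) (string, error) {
	switch hdr.Typeflag {
	case tar.TypeReg, tar.TypeDir:
	default:
		return "", errBadType
	}
	name := filepath.FromSlash(hdr.Name)
	if filepath.IsAbs(name) {
		return "", errTraversal
	}
	target := filepath.Join(dest, name) // Join cleans, so ".." is resolved here
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	return target, nil
}

// planExtraction walks an archive and returns the paths it would create,
// stopping at the first unsafe member. It writes nothing to disk.
func planExtraction(dest string, archive []byte) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	var targets []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return targets, nil
		}
		if err != nil {
			return nil, err
		}
		t, err := safeTarget(dest, hdr)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", hdr.Name, err)
		}
		targets = append(targets, t)
	}
}

// buildArchive constructs an in-memory tar of one-byte regular files with the
// given member names, for the demonstration only.
func buildArchive(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		body := []byte("x")
		if err := tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg}); err != nil {
			panic(err)
		}
		tw.Write(body)
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dest := filepath.Join("site-packages", "pkg") // hypothetical destination
	fmt.Println(planExtraction(dest, buildArchive("pkg/__init__.py", "pkg/sub/mod.py")))
	fmt.Println(planExtraction(dest, buildArchive("pkg/ok.py", "../../../home/user/.bashrc")))
	fmt.Println(planExtraction(dest, buildArchive("/etc/cron.d/evil")))
}
```

Validating every member before the first write matters: an extractor that checks as it goes has already created the benign files by the time it hits the hostile one, and a cleanup step is easy to forget.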
The Lab · 2026-04-23 06:54:07 · GitHub Issues
A critical SQL injection vulnerability has been identified and patched in github.com/jackc/pgx/v5, a widely adopted PostgreSQL driver for Go applications. The flaw, tracked as GHSA-j88v-2chj-qfwx, was resolved in version 5.9.2; users are advised to upgrade from the affected v5.9.0 release. The vulnerability carries si...
The Lab · 2026-04-23 12:54:14 · GitHub Issues
A critical stored cross-site scripting (XSS) vulnerability in the Prometheus monitoring system's web interface has been addressed through an emergency dependency update. The flaw, tracked as CVE-2026-40179, allows attackers to inject malicious HTML or JavaScript code via specially crafted metric names, which then execu...