Vulnerability-Lookup

CVE-2025-59375 (GCVE-0-2025-59375)

Vulnerability from cvelistv5 – Published: 2025-09-15 00:00 – Updated: 2026-05-12 12:08

Summary

libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:T/RC:C

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

mitre

References

9 references

URL	Tags
https://github.com/libexpat/libexpat/issues/1018
https://github.com/libexpat/libexpat/pull/1034
https://github.com/libexpat/libexpat/blob/676a4c5…
https://issues.oss-fuzz.com/issues/439133977
https://github.com/libexpat/libexpat/blob/R_2_7_2…
http://www.openwall.com/lists/oss-security/2025/09/16/2
http://www.openwall.com/lists/oss-security/2026/05/01/5
https://cert-portal.siemens.com/productcert/html/…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

20 products

Vendor	Product	Version
libexpat project	libexpat	Affected: 0 , < 2.7.2 (semver)
Siemens	RUGGEDCOM RST2428P	Affected: 0 , < V3.3 (custom)
Siemens	SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family	Affected: 0 , < V3.3 (custom)
Siemens	SCALANCE XCH328	Affected: 0 , < V3.3 (custom)
Siemens	SCALANCE XCM324	Affected: 0 , < V3.3 (custom)
Siemens	SCALANCE XCM328	Affected: 0 , < V3.3 (custom)
Siemens	SCALANCE XCM332	Affected: 0 , < V3.3 (custom)
Siemens	SCALANCE XRH334 (24 V DC, 8xFO, CC)	Affected: 0 , < V3.3 (custom)
Siemens	SCALANCE XRM334 (230 V AC, 12xFO)	Affected: 0 , < V3.3 (custom)
Siemens	SCALANCE XRM334 (230 V AC, 8xFO)	Affected: 0 , < V3.3 (custom)
Siemens	SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+)	Affected: 0 , < V3.3 (custom)
Siemens	SCALANCE XRM334 (24 V DC, 12xFO)	Affected: 0 , < V3.3 (custom)
Siemens	SCALANCE XRM334 (24 V DC, 8xFO)	Affected: 0 , < V3.3 (custom)
Siemens	SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+)	Affected: 0 , < V3.3 (custom)
Siemens	SCALANCE XRM334 (2x230 V AC, 12xFO)	Affected: 0 , < V3.3 (custom)
Siemens	SCALANCE XRM334 (2x230 V AC, 8xFO)	Affected: 0 , < V3.3 (custom)
Siemens	SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+)	Affected: 0 , < V3.3 (custom)
Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59375",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-15T20:22:58.509715Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-15T20:23:08.737Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-01T14:25:12.055Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/09/16/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/01/5"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "RUGGEDCOM RST2428P",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XCH328",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XCM324",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XCM328",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XCM332",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XRH334 (24 V DC, 8xFO, CC)",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XRM334 (230 V AC, 12xFO)",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XRM334 (230 V AC, 8xFO)",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+)",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XRM334 (24 V DC, 12xFO)",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XRM334 (24 V DC, 8xFO)",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+)",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XRM334 (2x230 V AC, 12xFO)",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XRM334 (2x230 V AC, 8xFO)",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+)",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:08:30.282Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-089022.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "libexpat",
          "vendor": "libexpat project",
          "versions": [
            {
              "lessThan": "2.7.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.7.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:T/RC:C",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-17T13:21:47.961Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/libexpat/libexpat/issues/1018"
        },
        {
          "url": "https://github.com/libexpat/libexpat/pull/1034"
        },
        {
          "url": "https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74"
        },
        {
          "url": "https://issues.oss-fuzz.com/issues/439133977"
        },
        {
          "url": "https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-59375",
    "datePublished": "2025-09-15T00:00:00.000Z",
    "dateReserved": "2025-09-15T00:00:00.000Z",
    "dateUpdated": "2026-05-12T12:08:30.282Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-59375",
      "date": "2026-06-04",
      "epss": "0.00102",
      "percentile": "0.27521"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-59375\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2025-09-15T03:15:40.920\",\"lastModified\":\"2026-05-12T13:17:22.640\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.7.2\",\"matchCriteriaId\":\"2562E072-C9E9-432C-9545-404F89D73E00\"}]}]}],\"references\":[{\"url\":\"https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/libexpat/libexpat/issues/1018\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://github.com/libexpat/libexpat/pull/1034\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://issues.oss-fuzz.com/issues/439133977\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/09/16/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/05/01/5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-082556.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-089022.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/09/16/2\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2026/05/01/5\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-05-01T14:25:12.055Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-59375\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-15T20:22:58.509715Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-15T20:23:05.396Z\"}}], \"cna\": {\"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:T/RC:C\"}}], \"affected\": [{\"vendor\": \"libexpat project\", \"product\": \"libexpat\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.7.2\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/libexpat/libexpat/issues/1018\"}, {\"url\": \"https://github.com/libexpat/libexpat/pull/1034\"}, {\"url\": \"https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74\"}, {\"url\": \"https://issues.oss-fuzz.com/issues/439133977\"}, {\"url\": \"https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes\"}], \"x_generator\": {\"engine\": \"enrichogram 0.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770 Allocation of Resources Without Limits or Throttling\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"2.7.2\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2025-09-17T13:21:47.961Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-59375\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-01T14:25:12.055Z\", \"dateReserved\": \"2025-09-15T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2025-09-15T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

alsa-2025:19403

Vulnerability from osv_almalinux

Published

2025-11-03 00:00

Modified

2025-11-07 12:04

Summary

Important: expat security update

Details

Expat is a C library for parsing XML documents.

Security Fix(es):

expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2025:19403	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-59375	REPORT
	https://bugzilla.redhat.com/2395108	REPORT
	https://errata.almalinux.org/10/ALSA-2025-19403.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "expat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.1-1.el10_0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "expat-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.1-1.el10_0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Expat is a C library for parsing XML documents.  \n\nSecurity Fix(es):  \n\n  * expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2025:19403",
  "modified": "2025-11-07T12:04:59Z",
  "published": "2025-11-03T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:19403"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59375"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2395108"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/10/ALSA-2025-19403.html"
    }
  ],
  "related": [
    "CVE-2025-59375"
  ],
  "summary": "Important: expat security update"
}

alsa-2025:21030

Vulnerability from osv_almalinux

Published

2025-11-11 00:00

Modified

2025-11-24 08:57

Summary

Important: expat security update

Details

Expat is a C library for parsing XML documents.

Security Fix(es):

expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2025:21030	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-59375	REPORT
	https://bugzilla.redhat.com/2395108	REPORT
	https://errata.almalinux.org/10/ALSA-2025-21030.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "expat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.1-1.el10_1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "expat-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.1-1.el10_1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Expat is a C library for parsing XML documents.  \n\nSecurity Fix(es):  \n\n  * expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2025:21030",
  "modified": "2025-11-24T08:57:33Z",
  "published": "2025-11-11T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:21030"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59375"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2395108"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/10/ALSA-2025-21030.html"
    }
  ],
  "related": [
    "CVE-2025-59375"
  ],
  "summary": "Important: expat security update"
}

alsa-2025:21776

Vulnerability from osv_almalinux

Published

2025-11-19 00:00

Modified

2025-11-20 09:03

Summary

Important: expat security update

Details

Expat is a C library for parsing XML documents.

Security Fix(es):

expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2025:21776	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-59375	REPORT
	https://bugzilla.redhat.com/2395108	REPORT
	https://errata.almalinux.org/8/ALSA-2025-21776.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "expat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.0-1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "expat-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.0-1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Expat is a C library for parsing XML documents.  \n\nSecurity Fix(es):  \n\n  * expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2025:21776",
  "modified": "2025-11-20T09:03:52Z",
  "published": "2025-11-19T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:21776"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59375"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2395108"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2025-21776.html"
    }
  ],
  "related": [
    "CVE-2025-59375"
  ],
  "summary": "Important: expat security update"
}

alsa-2025:21974

Vulnerability from osv_almalinux

Published

2025-11-24 00:00

Modified

2025-12-01 07:55

Summary

Important: mingw-expat security update

Details

Expat is a C library for parsing XML documents. The mingw-expat packages provide a port of the Expat library for MinGW.

Security Fix(es):

expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2025:21974	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-59375	REPORT
	https://bugzilla.redhat.com/2395108	REPORT
	https://errata.almalinux.org/8/ALSA-2025-21974.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "mingw32-expat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.0-1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "mingw64-expat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.0-1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Expat is a C library for parsing XML documents. The mingw-expat packages provide a port of the Expat library for MinGW.   \n\nSecurity Fix(es):  \n\n  * expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2025:21974",
  "modified": "2025-12-01T07:55:50Z",
  "published": "2025-11-24T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:21974"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59375"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2395108"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2025-21974.html"
    }
  ],
  "related": [
    "CVE-2025-59375"
  ],
  "summary": "Important: mingw-expat security update"
}

alsa-2025:22175

Vulnerability from osv_almalinux

Published

2025-11-26 00:00

Modified

2025-12-03 12:07

Summary

Important: expat security update

Details

Expat is a C library for parsing XML documents.

Security Fix(es):

expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2025:22175	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-59375	REPORT
	https://bugzilla.redhat.com/2395108	REPORT
	https://errata.almalinux.org/9/ALSA-2025-22175.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "expat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.0-5.el9_7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "expat-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.0-5.el9_7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Expat is a C library for parsing XML documents.  \n\nSecurity Fix(es):  \n\n  * expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2025:22175",
  "modified": "2025-12-03T12:07:34Z",
  "published": "2025-11-26T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:22175"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59375"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2395108"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2025-22175.html"
    }
  ],
  "related": [
    "CVE-2025-59375"
  ],
  "summary": "Important: expat security update"
}

alsa-2026:10950

Vulnerability from osv_almalinux

Published

2026-04-27 00:00

Modified

2026-04-28 13:40

Summary

Important: python3.12 security update

Details

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)
python: Quadratic complexity in os.path.expandvars() with user-controlled template (CVE-2025-6075)
cpython: Out-of-memory when loading Plist (CVE-2025-13837)
cpython: Header injection via newlines in data URL mediatype in Python (CVE-2025-15282)
cpython: Header injection in http.cookies.Morsel in Python (CVE-2026-0672)
cpython: CPython: Logging Bypass in Legacy .pyc File Handling (CVE-2026-2297)
cpython: Incomplete control character validation in http.cookies (CVE-2026-3644)
cpython: Stack overflow parsing XML with deeply nested DTD content models (CVE-2026-4224)
python: Python: HTTP header injection via CR/LF in proxy tunnel headers (CVE-2026-1502)
python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100)
python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:10950	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-13837	REPORT
	https://access.redhat.com/security/cve/CVE-2025-15282	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59375	REPORT
	https://access.redhat.com/security/cve/CVE-2025-6075	REPORT
	https://access.redhat.com/security/cve/CVE-2026-0672	REPORT
	https://access.redhat.com/security/cve/CVE-2026-1502	REPORT
	https://access.redhat.com/security/cve/CVE-2026-2297	REPORT
	https://access.redhat.com/security/cve/CVE-2026-3644	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4224	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4786	REPORT
	https://access.redhat.com/security/cve/CVE-2026-6100	REPORT
	https://bugzilla.redhat.com/2395108	REPORT
	https://bugzilla.redhat.com/2408891	REPORT
	https://bugzilla.redhat.com/2418084	REPORT
	https://bugzilla.redhat.com/2431366	REPORT
	https://bugzilla.redhat.com/2431374	REPORT
	https://bugzilla.redhat.com/2444691	REPORT
	https://bugzilla.redhat.com/2448168	REPORT
	https://bugzilla.redhat.com/2448181	REPORT
	https://bugzilla.redhat.com/2457409	REPORT
	https://bugzilla.redhat.com/2457932	REPORT
	https://bugzilla.redhat.com/2458049	REPORT
	https://errata.almalinux.org/8/ALSA-2026-10950.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3.12-debug"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3.12-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3.12-idle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3.12-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3.12-rpm-macros"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3.12-test"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3.12-tkinter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.  \n\nSecurity Fix(es):  \n\n  * expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)\n  * python: Quadratic complexity in os.path.expandvars() with user-controlled template (CVE-2025-6075)\n  * cpython: Out-of-memory when loading Plist (CVE-2025-13837)\n  * cpython: Header injection via newlines in data URL mediatype in Python (CVE-2025-15282)\n  * cpython: Header injection in http.cookies.Morsel in Python (CVE-2026-0672)\n  * cpython: CPython: Logging Bypass in Legacy .pyc File Handling (CVE-2026-2297)\n  * cpython: Incomplete control character validation in http.cookies (CVE-2026-3644)\n  * cpython: Stack overflow parsing XML with deeply nested DTD content models (CVE-2026-4224)\n  * python: Python: HTTP header injection via CR/LF in proxy tunnel headers (CVE-2026-1502)\n  * python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100)\n  * python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:10950",
  "modified": "2026-04-28T13:40:19Z",
  "published": "2026-04-27T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:10950"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-13837"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-15282"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59375"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-6075"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-0672"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-1502"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-2297"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-3644"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4224"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4786"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-6100"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2395108"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2408891"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2418084"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431366"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431374"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2444691"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2448168"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2448181"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2457409"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2457932"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2458049"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2026-10950.html"
    }
  ],
  "related": [
    "CVE-2025-59375",
    "CVE-2025-6075",
    "CVE-2025-13837",
    "CVE-2025-15282",
    "CVE-2026-0672",
    "CVE-2026-2297",
    "CVE-2026-3644",
    "CVE-2026-4224",
    "CVE-2026-1502",
    "CVE-2026-6100",
    "CVE-2026-4786"
  ],
  "summary": "Important: python3.12 security update"
}

alsa-2026:19064

Vulnerability from osv_almalinux

Published

2026-05-19 00:00

Modified

2026-05-26 12:31

Summary

Important: python3.12 security update

Details

Security Fix(es):

expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)
python: Quadratic complexity in os.path.expandvars() with user-controlled template (CVE-2025-6075)
cpython: Out-of-memory when loading Plist (CVE-2025-13837)
cpython: Header injection via newlines in data URL mediatype in Python (CVE-2025-15282)
cpython: Header injection in http.cookies.Morsel in Python (CVE-2026-0672)
cpython: CPython: Logging Bypass in Legacy .pyc File Handling (CVE-2026-2297)
cpython: Incomplete control character validation in http.cookies (CVE-2026-3644)
cpython: Stack overflow parsing XML with deeply nested DTD content models (CVE-2026-4224)
python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519)
python: Python: HTTP header injection via CR/LF in proxy tunnel headers (CVE-2026-1502)
python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100)
python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:19064	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-13837	REPORT
	https://access.redhat.com/security/cve/CVE-2025-15282	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59375	REPORT
	https://access.redhat.com/security/cve/CVE-2025-6075	REPORT
	https://access.redhat.com/security/cve/CVE-2026-0672	REPORT
	https://access.redhat.com/security/cve/CVE-2026-1502	REPORT
	https://access.redhat.com/security/cve/CVE-2026-2297	REPORT
	https://access.redhat.com/security/cve/CVE-2026-3644	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4224	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4519	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4786	REPORT
	https://access.redhat.com/security/cve/CVE-2026-6100	REPORT
	https://bugzilla.redhat.com/2395108	REPORT
	https://bugzilla.redhat.com/2408891	REPORT
	https://bugzilla.redhat.com/2418084	REPORT
	https://bugzilla.redhat.com/2431366	REPORT
	https://bugzilla.redhat.com/2431374	REPORT
	https://bugzilla.redhat.com/2444691	REPORT
	https://bugzilla.redhat.com/2448168	REPORT
	https://bugzilla.redhat.com/2448181	REPORT
	https://bugzilla.redhat.com/2449649	REPORT
	https://bugzilla.redhat.com/2457409	REPORT
	https://bugzilla.redhat.com/2457932	REPORT
	https://bugzilla.redhat.com/2458049	REPORT
	https://errata.almalinux.org/10/ALSA-2026-19064.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "python-unversioned-command"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el10_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "python3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el10_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "python3-debug"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el10_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "python3-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el10_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "python3-idle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el10_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "python3-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el10_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "python3-test"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el10_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "python3-tkinter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el10_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.  \n\nSecurity Fix(es):  \n\n  * expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)\n  * python: Quadratic complexity in os.path.expandvars() with user-controlled template (CVE-2025-6075)\n  * cpython: Out-of-memory when loading Plist (CVE-2025-13837)\n  * cpython: Header injection via newlines in data URL mediatype in Python (CVE-2025-15282)\n  * cpython: Header injection in http.cookies.Morsel in Python (CVE-2026-0672)\n  * cpython: CPython: Logging Bypass in Legacy .pyc File Handling (CVE-2026-2297)\n  * cpython: Incomplete control character validation in http.cookies (CVE-2026-3644)\n  * cpython: Stack overflow parsing XML with deeply nested DTD content models (CVE-2026-4224)\n  * python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519)\n  * python: Python: HTTP header injection via CR/LF in proxy tunnel headers (CVE-2026-1502)\n  * python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100)\n  * python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:19064",
  "modified": "2026-05-26T12:31:45Z",
  "published": "2026-05-19T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:19064"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-13837"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-15282"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59375"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-6075"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-0672"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-1502"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-2297"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-3644"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4224"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4519"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4786"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-6100"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2395108"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2408891"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2418084"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431366"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431374"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2444691"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2448168"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2448181"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2449649"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2457409"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2457932"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2458049"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/10/ALSA-2026-19064.html"
    }
  ],
  "related": [
    "CVE-2025-59375",
    "CVE-2025-6075",
    "CVE-2025-13837",
    "CVE-2025-15282",
    "CVE-2026-0672",
    "CVE-2026-2297",
    "CVE-2026-3644",
    "CVE-2026-4224",
    "CVE-2026-4519",
    "CVE-2026-1502",
    "CVE-2026-6100",
    "CVE-2026-4786"
  ],
  "summary": "Important: python3.12 security update"
}

alsa-2026:19177

Vulnerability from osv_almalinux

Published

2026-05-19 00:00

Modified

2026-05-26 12:32

Summary

Important: python3.12 security update

Details

Security Fix(es):

expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)
python: Quadratic complexity in os.path.expandvars() with user-controlled template (CVE-2025-6075)
cpython: Out-of-memory when loading Plist (CVE-2025-13837)
cpython: Header injection via newlines in data URL mediatype in Python (CVE-2025-15282)
cpython: Header injection in http.cookies.Morsel in Python (CVE-2026-0672)
cpython: CPython: Logging Bypass in Legacy .pyc File Handling (CVE-2026-2297)
cpython: Incomplete control character validation in http.cookies (CVE-2026-3644)
cpython: Stack overflow parsing XML with deeply nested DTD content models (CVE-2026-4224)
python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519)
python: Python: HTTP header injection via CR/LF in proxy tunnel headers (CVE-2026-1502)
python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100)
python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:19177	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-13837	REPORT
	https://access.redhat.com/security/cve/CVE-2025-15282	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59375	REPORT
	https://access.redhat.com/security/cve/CVE-2025-6075	REPORT
	https://access.redhat.com/security/cve/CVE-2026-0672	REPORT
	https://access.redhat.com/security/cve/CVE-2026-1502	REPORT
	https://access.redhat.com/security/cve/CVE-2026-2297	REPORT
	https://access.redhat.com/security/cve/CVE-2026-3644	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4224	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4519	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4786	REPORT
	https://access.redhat.com/security/cve/CVE-2026-6100	REPORT
	https://bugzilla.redhat.com/2395108	REPORT
	https://bugzilla.redhat.com/2408891	REPORT
	https://bugzilla.redhat.com/2418084	REPORT
	https://bugzilla.redhat.com/2431366	REPORT
	https://bugzilla.redhat.com/2431374	REPORT
	https://bugzilla.redhat.com/2444691	REPORT
	https://bugzilla.redhat.com/2448168	REPORT
	https://bugzilla.redhat.com/2448181	REPORT
	https://bugzilla.redhat.com/2449649	REPORT
	https://bugzilla.redhat.com/2457409	REPORT
	https://bugzilla.redhat.com/2457932	REPORT
	https://bugzilla.redhat.com/2458049	REPORT
	https://errata.almalinux.org/9/ALSA-2026-19177.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "python3.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el9_8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "python3.12-debug"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el9_8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "python3.12-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el9_8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "python3.12-idle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el9_8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "python3.12-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el9_8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "python3.12-test"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el9_8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "python3.12-tkinter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.13-2.el9_8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.  \n\nSecurity Fix(es):  \n\n  * expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)\n  * python: Quadratic complexity in os.path.expandvars() with user-controlled template (CVE-2025-6075)\n  * cpython: Out-of-memory when loading Plist (CVE-2025-13837)\n  * cpython: Header injection via newlines in data URL mediatype in Python (CVE-2025-15282)\n  * cpython: Header injection in http.cookies.Morsel in Python (CVE-2026-0672)\n  * cpython: CPython: Logging Bypass in Legacy .pyc File Handling (CVE-2026-2297)\n  * cpython: Incomplete control character validation in http.cookies (CVE-2026-3644)\n  * cpython: Stack overflow parsing XML with deeply nested DTD content models (CVE-2026-4224)\n  * python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519)\n  * python: Python: HTTP header injection via CR/LF in proxy tunnel headers (CVE-2026-1502)\n  * python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100)\n  * python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:19177",
  "modified": "2026-05-26T12:32:35Z",
  "published": "2026-05-19T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:19177"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-13837"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-15282"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59375"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-6075"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-0672"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-1502"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-2297"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-3644"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4224"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4519"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4786"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-6100"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2395108"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2408891"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2418084"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431366"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431374"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2444691"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2448168"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2448181"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2449649"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2457409"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2457932"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2458049"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2026-19177.html"
    }
  ],
  "related": [
    "CVE-2025-59375",
    "CVE-2025-6075",
    "CVE-2025-13837",
    "CVE-2025-15282",
    "CVE-2026-0672",
    "CVE-2026-2297",
    "CVE-2026-3644",
    "CVE-2026-4224",
    "CVE-2026-4519",
    "CVE-2026-1502",
    "CVE-2026-6100",
    "CVE-2026-4786"
  ],
  "summary": "Important: python3.12 security update"
}

alsa-2026:3407

Vulnerability from osv_almalinux

Published

2026-02-26 00:00

Modified

2026-03-02 15:16

Summary

Important: mingw-fontconfig security update

Details

MinGW Windows Fontconfig library.

Security Fix(es):

expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:3407	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-59375	REPORT
	https://bugzilla.redhat.com/2395108	REPORT
	https://errata.almalinux.org/8/ALSA-2026-3407.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "mingw32-fontconfig"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.12.6-4.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "mingw64-fontconfig"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.12.6-4.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "MinGW Windows Fontconfig library.  \n\nSecurity Fix(es):  \n\n  * expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:3407",
  "modified": "2026-03-02T15:16:03Z",
  "published": "2026-02-26T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:3407"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59375"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2395108"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2026-3407.html"
    }
  ],
  "related": [
    "CVE-2025-59375"
  ],
  "summary": "Important: mingw-fontconfig security update"
}

BDU:2025-12925

Vulnerability from fstec - Published: 14.09.2025

Title

Уязвимость библиотеки для анализа XML-файлов libexpat, связанная с неограниченным распределением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Description

Уязвимость библиотеки для анализа XML-файлов libexpat связана с неограниченным распределением ресурсов. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, вызвать отказ в обслуживании

Severity


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor

ООО «Ред Софт», Сообщество свободного программного обеспечения

Software Name

РЕД ОС (запись в едином реестре российских программ №3751), libexpat

Software Version

7.3 (РЕД ОС), до 2.7.2 (libexpat)

Possible Mitigations

Использование рекомендаций: https://issues.oss-fuzz.com/issues/439133977 https://github.com/libexpat/libexpat/issues/1018 Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/

Reference

https://issues.oss-fuzz.com/issues/439133977 https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74 https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes https://github.com/libexpat/libexpat/issues/1018 https://github.com/libexpat/libexpat/pull/1034 http://repo.red-soft.ru/redos/7.3c/x86_64/updates/

CWE

CWE-770

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), \u0434\u043e 2.7.2 (libexpat)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://issues.oss-fuzz.com/issues/439133977\nhttps://github.com/libexpat/libexpat/issues/1018\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421:\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "14.09.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "22.10.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "15.10.2025",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-12925",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-59375",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), libexpat",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u0434\u043b\u044f \u0430\u043d\u0430\u043b\u0438\u0437\u0430 XML-\u0444\u0430\u0439\u043b\u043e\u0432 libexpat, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u044b\u043c \u0440\u0430\u0441\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0435\u043c \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u043e\u0435 \u0440\u0430\u0441\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432 \u0438\u043b\u0438 \u0434\u0440\u043e\u0441\u0441\u0435\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 (CWE-770)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u0434\u043b\u044f \u0430\u043d\u0430\u043b\u0438\u0437\u0430 XML-\u0444\u0430\u0439\u043b\u043e\u0432 libexpat \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u044b\u043c \u0440\u0430\u0441\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0435\u043c \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u0441\u0447\u0435\u0440\u043f\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://issues.oss-fuzz.com/issues/439133977\nhttps://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74\nhttps://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes\nhttps://github.com/libexpat/libexpat/issues/1018\nhttps://github.com/libexpat/libexpat/pull/1034\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-770",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-59375 (GCVE-0-2025-59375)

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Tags

Sightings

Nomenclature