CVE-2026-23738
XSS vulnerability in the /httpstatus page. Cookie names/values and GET
parameter names/values are rendered without HTML-escaping, allowing
reflected cross-site scripting attacks. The status page is now also
disabled by default.
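The fix for this class of bug is to HTML-escape every attacker-influenced fragment (cookie names and values, query parameter names and values) before it is concatenated into the page. The following is an added example, not Asterisk's code: the function names and the sample cookie value are constructed, and the two `render_cookie_row_*` functions show the vulnerable pattern beside the corrected one.

```c
/* Added example (not Asterisk code): HTML-escape untrusted cookie and GET
 * parameter text before embedding it in a status page. Function names and the
 * sample cookie value are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Escape the characters that change meaning in HTML text or attribute
 * context. Writes at most outsz-1 bytes plus a NUL (nothing if outsz is 0)
 * and stops writing at the first replacement that would not fit, so a
 * partial entity is never emitted. Returns the length the full escaped
 * string needs, so callers can detect truncation. */
size_t html_escape(const char *in, char *out, size_t outsz)
{
    size_t needed = 0, pos = 0;
    int truncated = 0;

    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char single[2] = { (char)*p, '\0' };
        const char *rep;

        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = single;   break;
        }

        size_t len = strlen(rep);
        needed += len;
        if (!truncated && outsz > 0 && pos + len < outsz) {
            memcpy(out + pos, rep, len);
            pos += len;
        } else {
            truncated = 1;
        }
    }
    if (outsz > 0) {
        out[pos] = '\0';
    }
    return needed;
}

/* Convenience wrapper returning a static buffer (not thread-safe; fine for a
 * demonstration). NULL if the escaped form does not fit. */
const char *html_escape_static(const char *in)
{
    static char buf[1024];
    return html_escape(in, buf, sizeof buf) < sizeof buf ? buf : NULL;
}

/* The bug class: attacker-controlled text concatenated straight into markup. */
const char *render_cookie_row_unsafe(const char *name, const char *value)
{
    static char row[2048];
    snprintf(row, sizeof row, "<tr><td>%s</td><td>%s</td></tr>", name, value);
    return row;
}

/* The fix: every untrusted fragment is escaped first. */
const char *render_cookie_row_safe(const char *name, const char *value)
{
    static char row[2048];
    char ename[512], evalue[512];

    if (html_escape(name, ename, sizeof ename) >= sizeof ename ||
        html_escape(value, evalue, sizeof evalue) >= sizeof evalue) {
        return NULL; /* refuse rather than emit a truncated value */
    }
    snprintf(row, sizeof row, "<tr><td>%s</td><td>%s</td></tr>", ename, evalue);
    return row;
}

int main(void)
{
    /* Constructed sample: a cookie value that carries markup. */
    const char *value = "<script>alert(1)</script>";
    printf("unsafe: %s\n", render_cookie_row_unsafe("session", value));
    printf("safe:   %s\n", render_cookie_row_safe("session", value));
    return 0;
}
```

Escaping is applied at the point of output, in the HTML context, rather than at input time; a value that is too long to escape is refused outright, since a truncated entity such as `&lt` could itself be misparsed.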
CVE-2026-23739
XXE injection vulnerability in xml.c. The XML parsing functions allow
external entity processing, so an attacker-supplied document can declare
entities that are resolved over the network (XML External Entity injection).
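A defence-in-depth control that works in front of any parser is to refuse documents that carry a DTD at all, since entities (external or otherwise) can only be declared inside one. The following added example is not Asterisk's xml.c; the function name and sample documents are constructed. When libxml2 is the parser, the corresponding parser-level controls are to omit the XML_PARSE_NOENT and XML_PARSE_DTDLOAD options and to set XML_PARSE_NONET (real libxml2 options; the page does not say which of these the Asterisk fix used).

```c
/* Added example (not Asterisk's xml.c): reject XML input that carries a DTD
 * before it reaches the parser. Function name and sample documents are
 * constructed. */
#include <stdio.h>
#include <string.h>

/* Returns NULL when the document contains no DOCTYPE or ENTITY declaration
 * outside comments and CDATA sections, otherwise a short reason string for a
 * log line. Entities can only be declared inside a DTD, so a document with no
 * DTD cannot trigger external entity resolution, local or network-based. */
const char *xml_dtd_check(const char *doc)
{
    const char *p = doc;

    while ((p = strchr(p, '<')) != NULL) {
        if (strncmp(p, "<!--", 4) == 0) {
            const char *end = strstr(p + 4, "-->");
            if (!end) return "unterminated comment";
            p = end + 3;
        } else if (strncmp(p, "<![CDATA[", 9) == 0) {
            const char *end = strstr(p + 9, "]]>");
            if (!end) return "unterminated CDATA section";
            p = end + 3;
        } else if (strncmp(p, "<!DOCTYPE", 9) == 0) {
            return "DOCTYPE declaration present";
        } else if (strncmp(p, "<!ENTITY", 8) == 0) {
            return "ENTITY declaration present";
        } else {
            p++;
        }
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample documents. */
    const char *docs[] = {
        "<?xml version=\"1.0\"?><status><peer>alice</peer></status>",
        "<!DOCTYPE status [<!ENTITY e SYSTEM \"http://example.invalid/e.dtd\">]>"
        "<status>&e;</status>",
        "<!-- <!DOCTYPE in a comment is harmless --><status/>",
        "<status><![CDATA[<!DOCTYPE x>]]></status>",
    };
    for (size_t i = 0; i < sizeof docs / sizeof docs[0]; i++) {
        const char *why = xml_dtd_check(docs[i]);
        printf("doc %zu: %s\n", i, why ? why : "accepted, handing to parser");
    }
    return 0;
}
```

The reason string is meant for the log line, so an operator can see how often DTD-bearing input arrives and from where; a malformed comment or CDATA section is refused as well, because the parser would reject it anyway and the checker cannot prove what follows it.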
CVE-2026-23740
Privilege escalation via ast_coredumper gdbinit file permissions. The
script creates temporary files with default umask permissions, potentially
allowing local users to read or tamper with sensitive debugging data.
CVE-2026-23741
Privilege escalation via ast_coredumper sourcing configuration files
without ownership or permission checks. When running as root, a non-root
user could place a malicious config file that gets sourced with root
privileges.
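Both ast_coredumper issues come down to file-handling hygiene in a helper that may run as root: scratch files must get a restrictive mode explicitly rather than inheriting whatever umask is in force, and a configuration file must be checked for ownership and write permission before it is sourced. The following added example (not the ast_coredumper script, which is shell) shows both checks in C; the function names and the `/tmp` paths are constructed.

```c
/* Added example (not the ast_coredumper script itself, which is shell): the
 * two file-handling checks a helper that may run as root needs before it
 * writes scratch data or sources a configuration file. Function names and
 * paths are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a scratch file that only its owner can read or write, whatever umask
 * the process inherited. mkstemp() opens with O_EXCL, so a file or symlink
 * pre-placed at the generated name is never reused; fchmod() then pins the
 * mode explicitly instead of relying on umask. Returns an open fd or -1. */
int create_private_tempfile(char *template)
{
    int fd = mkstemp(template);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(template);
        return -1;
    }
    return fd;
}

/* Permission bits of an open file, or -1. */
int file_mode_bits(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* Decide whether a configuration file may be sourced (executed) by a
 * privileged process. Returns NULL if acceptable, otherwise a reason string.
 * lstat() is used so a symlink pointing at a trusted file does not pass. */
const char *config_source_check(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return "cannot stat";
    if (S_ISLNK(st.st_mode)) return "is a symbolic link";
    if (!S_ISREG(st.st_mode)) return "not a regular file";
    if (st.st_uid != 0 && st.st_uid != geteuid()) return "owned by another user";
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return "writable by group or others";
    return NULL;
}

/* Walk through both checks on a constructed file; returns 0 when every
 * expectation holds, a step number otherwise. */
int self_check(void)
{
    char path[] = "/tmp/coredumper-example-XXXXXX"; /* constructed template */
    int rc = 0;

    umask(0); /* simulate a permissive inherited umask */
    int fd = create_private_tempfile(path);
    if (fd < 0) return 1;
    if (file_mode_bits(fd) != 0600) rc = 2;                  /* mode pinned */
    else if (config_source_check(path) != NULL) rc = 3;      /* own, 0600: ok */
    else if (fchmod(fd, 0666) != 0) rc = 4;
    else if (config_source_check(path) == NULL) rc = 5;      /* 0666: refused */
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = self_check();
    printf("self check: %s (code %d)\n", rc == 0 ? "ok" : "failed", rc);
    printf("missing config: %s\n", config_source_check("/tmp/no-such-config"));
    return rc;
}
```

The ownership rule accepts files owned by root or by the effective user and nothing else, which is the same test a privileged shell script should apply to anything it is about to `source`; the permission rule rejects group- or world-writable files regardless of owner, since that is the condition that lets a non-root user plant content.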