VYPR
AI Brief 2026-07-01 · generated Jul 1, 2026

What you need to know today.

Multiple vulnerabilities disclosed across Apache Tomcat, Debian packages, and other software components including GPAC and RubyGems.

A series of vulnerabilities in Apache Tomcat could allow for unexpected rule processing, cross-site scripting, replay attacks, and improper handling of errors and security logs. CVE-2026-53404, a control flow issue in the rewrite valve, permits unintended rule execution. CVE-2026-50229, a cross-site scripting flaw in the number guess example, exposes users to malicious scripts. CVE-2026-55955, an authentication bypass via improper handling in the EncryptionInterceptor, enables replay attacks. Additionally, CVE-2026-53434 and CVE-2026-55276 relate to error handling and logging, respectively. CVE-2026-55957, a missing critical step in authentication within the JNDIRealm, allows authentication bypass when using GSSAPI. CVE-2026-55956, an improper authorization flaw, causes the default servlet to ignore configured security constraints. These issues collectively impact the security and integrity of applications deployed on Tomcat.

Several Debian-packaged software components have disclosed vulnerabilities. LinuxCNC's rtapi_app in linuxcnc-uspace (before 2.9.9) contains a privilege escalation flaw due to improper validation of user-supplied module names loaded via dlopen() (CVE-2026-58302). Yelp's XSL stylesheets have an overly permissive Content Security Policy, allowing malicious Flatpak applications to execute arbitrary CSS via crafted help content (CVE-2026-13601). Spice-vdagent is affected by a path traversal vulnerability enabling a malicious SPICE host to write arbitrary files on the guest OS (CVE-2026-57966), and an integer overflow leading to a heap buffer overflow (CVE-2026-57965). Libtiff has a vulnerability in its PixarLog codec decoding that could be exploited by specially crafted TIFF images (CVE-2026-12912). Libzypp (before 17.38.10) has a relative path traversal bug in repository metadata processing, potentially leading to file overwrites and privilege escalation (CVE-2026-25707). CryptX (before 0.088_001) compares AEAD authentication tags in non-constant time, creating a side-channel vulnerability (CVE-2026-13758). Finally, libblkid in util-linux has a flaw in nested partition probing that can lead to a use-after-free vulnerability (CVE-2026-13595).

Vulnerabilities have been identified in GPAC and RubyGems packages. GPAC versions up to 26.02.0 contain a weakness in the ISOBMFF Parser component, specifically in src/utils/base_encoding.c, which could lead to highly compressed data when manipulated (CVE-2026-13523). For RubyGems, JavaScript::Minifier::XS versions prior to 0.16 for Perl exhibit memory leaks on every minify() call, allowing for unbounded memory growth due to improper cleanup of per-token contents (CVE-2026-56018). Additionally, these same versions crash with a NULL pointer dereference when the input's first meaningful token is a slash, stemming from issues in the JsTokenizeString function (CVE-2026-56017).

Synthesized by Vypr AI
Apache Tomcat and Debian Packages Hit By Multiple Flaws · VYPR