What you need to know today.
A wave of vulnerabilities impacts various software, including arbitrary file writes in decompress and Cri-O, DoS flaws in .NET and soupsieve, and critical issues in Roundcube Webmail.

The decompress npm package is vulnerable to arbitrary file read/write via crafted archive extraction. Versions prior to 7.0.0 are affected. This flaw could allow an attacker to overwrite critical system files or read sensitive information. Users should update to version 7.0.0 or later. CVE-2026-53486.
Cri-O, a container runtime interface, has a bypass for a previous vulnerability that allowed for arbitrary file writes via the HOME environment variable. Versions prior to 1.28.3 are affected. This could lead to privilege escalation or system compromise. Update to 1.28.3 or later. CVE-2026-15809.
A denial-of-service vulnerability exists in Dotnet's SocketsHttpHandler for HTTP/2 connections. An attacker can cause an Out-of-Memory (OOM) condition by sending a flood of HTTP/2 SETTINGS or PING frames. This impacts .NET versions prior to 6.0.30, 3.1.28, and 7.0.7. Users should update to the patched versions. CVE-2026-50651.
The Python package soupsieve is vulnerable to a denial-of-service attack. A specially crafted CSS selector string can cause the application to consume excessive resources, leading to a DoS. This affects versions prior to 2.0.2. Update to 2.0.2 or later to mitigate. CVE-2026-49476.
In the Starlette Python framework, the MultipartParser component is susceptible to an excessive memory usage vulnerability. An unauthenticated remote attacker can specify an arbitrary number of form fields or files, leading to a denial-of-service condition. This impacts versions before 0.25.0. Users should upgrade to version 0.25.0 or later. CVE-2023-30798.
Netflix Lemur versions prior to 1.3.2 generated insufficiently random default credentials, potentially allowing attackers to guess and gain unauthorized access to resources. Users should update to version 1.3.2 or later. CVE-2023-30797.
Roundcube Webmail versions prior to 1.6.17 and 1.7.x before 1.7.2 contain several vulnerabilities. An infinite loop in the TNEF decoder can lead to a denial of service when opening emails with TNEF attachments (CVE-2026-62642). A crafted compressed-RTF size in the TNEF decoder also presents a DoS risk (CVE-2026-62641). Additionally, insufficient CSS sanitization may lead to Server-Side Request Forgery (SSRF) or information disclosure (CVE-2026-62643). A username spoofing vulnerability in the password plugin could also lead to account takeover (CVE-2026-62644). Users should update to the latest versions.
SQLite versions prior to check-in e807d4e3798efd53 are affected by a NULL pointer dereference in the Session Extension, which can cause a denial of service when processing a malformed changeset blob. Another issue in SQLite before Fossil check-in 869a51ae84df allows a local attacker to obtain sensitive information via the Session Extension's changeset concat/changegroup merge path. Users should update to patched versions. CVE-2026-50812, CVE-2026-50813.
The mtr utility has an out-of-bounds read vulnerability in the ipinfo_lookup() function. An attacker who can influence DNS TXT responses for AS lookups can trigger this by providing a response larger than 512 bytes. This could lead to a crash or potential information disclosure. Users should update to a patched version. CVE-2026-14461.
Publicly available exploit code exists for two vulnerabilities in Firefox, although no active exploitation in the wild is currently known. These flaws were fixed in Firefox version 152.0.6. CVE-2026-15718, CVE-2026-15719.