2025-47 - Canonical, Red Hat, NVIDIA, GitHub 🗂️ Published on December 1, 2025

What's AdvisoryWeek?

AdvisoryWeek is a once weekly email that rounds up the latest security advisories published in the past week.

Can't find a way to get security emails from your favorite vendors? Not all vendors provide email notifications, you can use AdvisoryWeek to make sure you get important security advisories and bulletins.
Security FOMO? Don't fret, AdvisoryWeek tracks security advisories from major vendors like Microsoft, Adobe, Apple, Oracle, and many more.
Too much noise? AdvisoryWeek is one email per week, with organized links to each vendor security advisory.

Advisory Week

Week 47, 2025

National Cyber Awareness System

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Releases Seven Industrial Control Systems Advisories

Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications

Ubuntu Security Notices

EDK II regression: USN-7894-2

OpenVPN vulnerability: USN-7898-1

CUPS vulnerability: USN-7897-1

libxml2 vulnerabilities: USN-7896-1

libxml2 vulnerability: USN-7852-2

WebKitGTK vulnerabilities: USN-7895-1

Python vulnerabilities: USN-7886-2 / USN-7886-1

EDK II vulnerabilities: USN-7894-1

Valkey vulnerabilities: USN-7893-1

H2O vulnerability: USN-7892-1

Linux kernel vulnerabilities: USN-7889-1

Linux kernel (Raspberry Pi) vulnerabilities: USN-7887-2

MuPDF vulnerabilities: USN-7888-1

Linux kernel (Raspberry Pi Real-time) vulnerabilities: USN-7887-1

cups-filters vulnerabilities: USN-7878-2

OpenJDK 21 vulnerabilities: USN-7885-1

OpenJDK 25 vulnerabilities: USN-7884-1

runC regression: USN-7851-2

OpenJDK 17 vulnerabilities: USN-7883-1

OpenJDK 11 vulnerabilities: USN-7882-1

Red Hat Security Advisory

Red Hat OpenShift Developer Tools - Source-to-Image 1.5.2: RHSA-2025:22345

Red Hat Quay 3.9: RHSA-2025:22287

Moderate: OpenShift Container Platform 4.12.83 bug fix and security update: RHSA-2025:21829

Important: OpenShift Container Platform 4.16.53 bug fix and security update: RHSA-2025:21824

Important: OpenShift Container Platform 4.18.29 bug fix and security update: RHSA-2025:21795

Moderate: RHSA 4.8.6 security and bug fix update: RHSA-2025:22179

Important: bind security update: RHSA-2025:22205

Moderate: Red Hat JBoss Enterprise Application Platform 8.1.2 security update: RHSA-2025:22190 / RHSA-2025:22188

Moderate: golang security update: RHSA-2025:22181

Moderate: libxml2 security update: RHSA-2025:22177 / RHSA-2025:22163 / RHSA-2025:22162

Important: expat security update: RHSA-2025:22175 / RHSA-2025:22035 / RHSA-2025:22034

Important: bind9.16 security update: RHSA-2025:22168 / RHSA-2025:21939

Important: tigervnc security update: RHSA-2025:22167 / RHSA-2025:22164 / RHSA-2025:22096 / RHSA-2025:22077 / RHSA-2025:22056 / RHSA-2025:22055 / RHSA-2025:22051 / RHSA-2025:22041

Moderate: kernel-rt security update: RHSA-2025:22124 / RHSA-2025:22087 / RHSA-2025:21920

Moderate: kernel security update: RHSA-2025:22095 / RHSA-2025:22072 / RHSA-2025:22066 / RHSA-2025:22006 / RHSA-2025:21933 / RHSA-2025:21926 / RHSA-2025:21917

Moderate: Red Hat build of Keycloak 26.4.6 Security Update: RHSA-2025:22091

Moderate: Red Hat build of Keycloak 26.4.6 Images Security Update: RHSA-2025:22090

Moderate: Red Hat build of Keycloak 26.2.11 Security Update: RHSA-2025:22089

Moderate: Red Hat build of Keycloak 26.2.11 Images Security Update: RHSA-2025:22088

OpenShift File Integrity Operator bug fix and enhancement update: RHSA-2025:21913

RHTAS 1.3.1 - Tech Preview Release of Model Transparency: RHSA-2025:22068

Moderate: cups security update: RHSA-2025:22063

RHTAS 1.3.1 - Tech Preview Release Of the Policy Controller Operator: RHSA-2025:22058

Low: xorg-x11-server security update: RHSA-2025:22040

Important: podman security update: RHSA-2025:22030

Important: pam security update: RHSA-2025:22019

cert-manager Operator for Red Hat OpenShift 1.15.1: RHSA-2025:22014

Important: libsoup security update: RHSA-2025:22013

Important: buildah security update: RHSA-2025:22012 / RHSA-2025:22011

Moderate: Red Hat build of Cryostat 4.1.0: new RHEL 9 container image security update: RHSA-2025:21148

Moderate: go-rpm-macros security update: RHSA-2025:22005 / RHSA-2025:22004

A Subscription Management tool for finding and reporting Red Hat product usage: RHSA-2025:21994

RHTAS 1.3.1 - Red Hat Trusted Artifact Signer Release: RHSA-2025:21988 / RHSA-2025:21984 / RHSA-2025:21981 / RHSA-2025:21976

Moderate: libssh security update: RHSA-2025:21977

Important: mingw-expat security update: RHSA-2025:21974

Important: gimp security update: RHSA-2025:21968

Moderate: buildah security update: RHSA-2025:21964

Important: valkey security update: RHSA-2025:21936 / RHSA-2025:21916

Moderate: RHSA 4.9.1 security and bug fix update: RHSA-2025:21929

NVIDIA Security Bulletins

Security Bulletin: NVIDIA NeMo Framework - November 2025

Security Bulletin: NVIDIA NeMo Agent Toolkit - November 2025

Security Bulletin: NVIDIA DGX Spark - November 2025

Github Security Advisories

[GHSA-58c5-g7wp-6w37] Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client

[GHSA-wmjr-v86c-m9jj] Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions

[GHSA-j9wj-m24m-7jj6] willitmerge has a Command Injection vulnerability

[GHSA-554w-wpv2-vw27] node-forge has ASN.1 Unbounded Recursion

[GHSA-65ch-62r8-g69g] node-forge is vulnerable to ASN.1 OID Integer Truncation

[GHSA-5gfm-wpxj-wjgq] node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization

[GHSA-q279-jhrf-cc6v] Ray is vulnerable to Critical RCE via Safari & Firefox Browsers through DNS Rebinding Attack

[GHSA-vqpr-j7v3-hqw9] Valibot has a ReDoS vulnerability in `EMOJI_REGEX`

[GHSA-m449-vh5f-574g] OneUptime Unauthorized User Creation via API

[GHSA-x6vr-q3vf-vqgq] REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types]

[GHSA-675q-66gf-gqg8] OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation

[GHSA-g9gq-3pfx-2gw2] OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization

[GHSA-4vcf-q4xf-f48m] Better Auth Passkey Plugin allows passkey deletion through IDOR

[GHSA-68q5-78xp-cwwc] Contao is vulnerable to cross-site scripting in templates

[GHSA-98vj-mm79-v77r] Contao is vulnerable to remote code execution in template closures

[GHSA-8frv-q972-9rq5] cggmp24 and cggmp21 are vulnerable to signature forgery through altered presignatures

[GHSA-m95p-425x-x889] cggmp21 has a missing check in the ZK proof used in CGGMP21

[GHSA-66jq-2c23-2xh5] VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM

[GHSA-xv5p-fjw5-vrj6] Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer

[GHSA-fjf5-xgmq-5525] GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature

[GHSA-w66h-j855-qr72] GeoServer has a Reflected Cross-Site Scripting (XSS) vulnerability in its WMS GetFeatureInfo HTML format

[GHSA-wqch-xfxh-vrr4] body-parser is vulnerable to denial of service when url encoding is used

[GHSA-6gxw-85q2-q646] Grype has a credential disclosure vulnerability in its JSON output

[GHSA-j4gv-6x9v-v23g] OMERO.web uses jquery-form library, which may be vulnerable to XSS attack

[GHSA-xq4h-wqm2-668w] Babylon's BIP322 signature implementation is not fully compliant to the spec

[GHSA-2fcv-qww3-9v6h] Babylon's malformed vote extensions are not rejected

[GHSA-rj4j-2jph-gg43] LF Edge eKuiper is vulnerable to Arbitrary File Read/Write via unsanitized names and zip extraction

[GHSA-m449-cwjh-6pw7] pypdf's LZWDecode streams be manipulated to exhaust RAM

[GHSA-7j46-f57w-76pj] Formwork CMS has Stored Cross-Site Scripting Vulnerebility in Blog Tags

[GHSA-6465-jgvq-jhgp] Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`

[GHSA-7ff4-jw48-3436] OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation

[GHSA-9f46-w24h-69w4] new-api is vulnerable to SSRF Bypass

CISA Known Exploited Vulnerabilities

OpenPLC ScadaBR Cross-site Scripting Vulnerability CVE-2021-26829

The known exploited vulnerabilities list contains vulnerabilities that are known to be actively exploited. They may not be new or recently discovered. Vulnerabilities listed here were added to this list in the past week.

Switch to Daily Mode

We're thrilled to announce the launch of AdvisoryDaily, a once a day version of this newsletter.

Get AdvisoryDaily