What's Changed
- CVE-2026-2391: qs's arrayLimit bypass in comma parsing allows denial of service by @dependabot[bot] in #960
- CVE-2026-32141, CVE-2026-33228: flatted vulnerable to unbounded recursion DoS in parse() + Prototype Pollution via parse() in NodeJS flatted by @dependabot[bot] in #966
- CVE-2026-33439: Pre-Authentication Remote Code Execution via jato.clientSession Deserialization in OpenAM by @maximthomas, thanks @iamnoooob @hacktronai-research
- Can't set the SameSite cookie attribute in XUI by @maximthomas, thanks @IvanAndrukh #965
- Update opendj.version to 5.0.4 by @vharseko in #964
Full Changelog: 16.0.5...16.0.6