|Vulnerability|Element|Version|Summary|CVSS V3.x|CVSS V2.0|WIP|
|---|---|---|---|---|---|---|
|[CVE-2025-47436](https://nvd.nist.gov/vuln/detail/CVE-2025-47436)|components/orc.bst|0.4.41|Heap-based Buffer Overflow vulnerability in Apache ORC. A vulnerability has been identified in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempts to copy 295 bytes into it. It causes memory corruption. This issue affects Apache ORC C++ library: through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, from 2.1.0 through 2.1.1. Users are recommended to upgrade to version 1.8.9, 1.9.6, 2.0.5, and 2.1.2, which fix the issue.|9.8||None|
|[CVE-2020-1171](https://nvd.nist.gov/vuln/detail/CVE-2020-1171)|components/python3.bst|3.13.9|A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads configuration files after opening a project, aka 'Visual Studio Code Python Extension Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1192.|8.8|9.3|None|
|[CVE-2024-49050](https://nvd.nist.gov/vuln/detail/CVE-2024-49050)|components/python3.bst|3.13.9|Visual Studio Code Python Extension Remote Code Execution Vulnerability|8.8||None|
|[CVE-2025-58060](https://nvd.nist.gov/vuln/detail/CVE-2025-58060)|components/cups-base.bst|2.4.12|OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, when the `AuthType` is set to anything but `Basic`, if the request contains an `Authorization: Basic ...` header, the password is not checked. This results in authentication bypass. Any configuration that allows an `AuthType` that is not `Basic` is affected. Version 2.4.13 fixes the issue.|8.0||None|
|[CVE-2020-1192](https://nvd.nist.gov/vuln/detail/CVE-2020-1192)|components/python3.bst|3.13.9|A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads workspace settings from a notebook file, aka 'Visual Studio Code Python Extension Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1171.|7.8|9.3|None|
|[CVE-2020-17163](https://nvd.nist.gov/vuln/detail/CVE-2020-17163)|components/python3.bst|3.13.9|Visual Studio Code Python Extension Remote Code Execution Vulnerability|7.8||None|
|[CVE-2022-47021](https://nvd.nist.gov/vuln/detail/CVE-2022-47021)|components/opusfile.bst|0.12|A null pointer dereference issue was discovered in functions op_get_data and op_open1 in opusfile.c in xiph opusfile 0.9 thru 0.12 allows attackers to cause denial of service or other unspecified impacts.|7.8||None|
|[CVE-2025-49714](https://nvd.nist.gov/vuln/detail/CVE-2025-49714)|components/python3.bst|3.13.9|Trust boundary violation in Visual Studio Code - Python extension allows an unauthorized attacker to execute code locally.|7.8||None|
|[CVE-2025-52194](https://nvd.nist.gov/vuln/detail/CVE-2025-52194)|components/sndfile.bst|1.2.2|A buffer overflow vulnerability exists in libsndfile version 1.2.2 and potentially earlier versions when processing malformed IRCAM audio files. The vulnerability occurs in the ircam_read_header function at src/ircam.c:164 during sample rate processing, leading to memory corruption and potential code execution.|7.5||None|
|[CVE-2025-2784](https://nvd.nist.gov/vuln/detail/CVE-2025-2784)|sdk/libsoup.bst|3.6.4|A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via the skip_insight_whitespace() function. Libsoup clients may read one byte out-of-bounds in response to a crafted HTTP response by an HTTP server.|7.0||None|
|[CVE-2025-5222](https://nvd.nist.gov/vuln/detail/CVE-2025-5222)|components/icu.bst|77.1|A stack buffer overflow was found in Internationl components for unicode (ICU ). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.|7.0||None|
|[CVE-2022-26691](https://nvd.nist.gov/vuln/detail/CVE-2022-26691)|components/cups-base.bst|2.4.12|A logic issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. An application may be able to gain elevated privileges.|6.7|7.2|None|
|[CVE-2023-4969](https://nvd.nist.gov/vuln/detail/CVE-2023-4969)|components/opencl.bst|2.3.4|A GPU kernel can read sensitive data from another GPU kernel (even from another user or app) through an optimized GPU memory region called _local memory_ on various architectures.|6.5||None|
|[CVE-2024-45993](https://nvd.nist.gov/vuln/detail/CVE-2024-45993)|components/giflib.bst|5.2.2|Giflib Project v5.2.2 is vulnerable to a heap buffer overflow via gif2rgb.|6.5||None|
|[CVE-2024-50613](https://nvd.nist.gov/vuln/detail/CVE-2024-50613)|components/sndfile.bst|1.2.2|libsndfile through 1.2.2 has a reachable assertion, that may lead to application exit, in mpeg_l3_encode.c mpeg_l3_encoder_close.|6.5||None|
|[CVE-2025-58364](https://nvd.nist.gov/vuln/detail/CVE-2025-58364)|components/cups-base.bst|2.4.12|OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, an unsafe deserialization and validation of printer attributes causes null dereference in the libcups library. This is a remote DoS vulnerability available in local subnet in default configurations. It can cause the cups & cups-browsed to crash, on all the machines in local network who are listening for printers (so by default for all regular linux machines). On systems where the vulnerability CVE-2024-47176 (cups-filters 1.x/cups-browsed 2.x vulnerability) was not fixed, and the firewall on the machine does not reject incoming communication to IPP port, and the machine is set to be available to public internet, attack vector "Network" is possible. The current versions of CUPS and cups-browsed projects have the attack vector "Adjacent" in their default configurations. Version 2.4.13 contains a patch for CVE-2025-58364.|6.5||None|
|[CVE-2024-50612](https://nvd.nist.gov/vuln/detail/CVE-2024-50612)|components/sndfile.bst|1.2.2|libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds read.|5.5||None|
|[CVE-2025-7545](https://nvd.nist.gov/vuln/detail/CVE-2025-7545)|bootstrap/binutils.bst|2.45|A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.|5.3|4.3|None|
|[CVE-2025-7546](https://nvd.nist.gov/vuln/detail/CVE-2025-7546)|bootstrap/binutils.bst|2.45|A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. It is recommended to apply a patch to fix this issue.|5.3|4.3|None|
|[CVE-2025-8176](https://nvd.nist.gov/vuln/detail/CVE-2025-8176)|components/libtiff.bst|4.7.0|A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as critical. This vulnerability affects the function get_histogram of the file tools/tiffmedian.c. The manipulation leads to use after free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a patch to fix this issue.|5.3|4.3|None|
|[CVE-2025-8177](https://nvd.nist.gov/vuln/detail/CVE-2025-8177)|components/libtiff.bst|4.7.0|A vulnerability was found in LibTIFF up to 4.7.0. It has been rated as critical. This issue affects the function setrow of the file tools/thumbnail.c. The manipulation leads to buffer overflow. An attack has to be approached locally. The patch is named e8c9d6c616b19438695fd829e58ae4fde5bfbc22. It is recommended to apply a patch to fix this issue. This vulnerability only affects products that are no longer supported by the maintainer.|5.3|4.3|None|
|[CVE-2025-11082](https://nvd.nist.gov/vuln/detail/CVE-2025-11082)|bootstrap/binutils.bst|2.45|A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. The code maintainer replied with "[f]ixed for 2.46".|5.3|4.3|None|
|[CVE-2025-11083](https://nvd.nist.gov/vuln/detail/CVE-2025-11083)|bootstrap/binutils.bst|2.45|A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with "[f]ixed for 2.46".|5.3|4.3|None|
|[CVE-2025-8961](https://nvd.nist.gov/vuln/detail/CVE-2025-8961)|components/libtiff.bst|4.7.0|A weakness has been identified in LibTIFF 4.7.0. This affects the function main of the file tiffcrop.c of the component tiffcrop. Executing manipulation can lead to memory corruption. The attack can only be executed locally. The exploit has been made available to the public and could be exploited.|3.3|1.7|None|
|[CVE-2025-11081](https://nvd.nist.gov/vuln/detail/CVE-2025-11081)|bootstrap/binutils.bst|2.45|A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. It is suggested to install a patch to address this issue.|3.3|1.7|None|
|[CVE-2025-11412](https://nvd.nist.gov/vuln/detail/CVE-2025-11412)|bootstrap/binutils.bst|2.45|A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.|3.3|1.7|None|
|[CVE-2025-11413](https://nvd.nist.gov/vuln/detail/CVE-2025-11413)|bootstrap/binutils.bst|2.45|A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.|3.3|1.7|None|
|[CVE-2025-11414](https://nvd.nist.gov/vuln/detail/CVE-2025-11414)|bootstrap/binutils.bst|2.45|A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.|3.3|1.7|None|
|[CVE-2025-11494](https://nvd.nist.gov/vuln/detail/CVE-2025-11494)|bootstrap/binutils.bst|2.45|A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.|3.3|1.7|None|
|[CVE-2025-11495](https://nvd.nist.gov/vuln/detail/CVE-2025-11495)|bootstrap/binutils.bst|2.45|A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.|3.3|1.7|None|
|[CVE-2025-11839](https://nvd.nist.gov/vuln/detail/CVE-2025-11839)|bootstrap/binutils.bst|2.45|A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be exploited.|3.3|1.7|None|
|[CVE-2025-11840](https://nvd.nist.gov/vuln/detail/CVE-2025-11840)|bootstrap/binutils.bst|2.45|A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be exploited. This patch is called 16357. It is best practice to apply a patch to resolve this issue.|3.3|1.7|None|
|[CVE-2024-13978](https://nvd.nist.gov/vuln/detail/CVE-2024-13978)|components/libtiff.bst|4.7.0|A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as problematic. Affected by this vulnerability is the function t2p_read_tiff_init of the file tools/tiff2pdf.c of the component fax2ps. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. The patch is named 2ebfffb0e8836bfb1cd7d85c059cd285c59761a4. It is recommended to apply a patch to fix this issue.|2.5|1.0|None|
|[CVE-2025-9165](https://nvd.nist.gov/vuln/detail/CVE-2025-9165)|components/libtiff.bst|4.7.0|A flaw has been found in LibTIFF 4.7.0. This affects the function _TIFFmallocExt/_TIFFCheckRealloc/TIFFHashSetNew/InitCCITTFax3 of the file tools/tiffcmp.c of the component tiffcmp. Executing manipulation can lead to memory leak. The attack is restricted to local execution. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The exploit has been published and may be used. There is ongoing doubt regarding the real existence of this vulnerability. This patch is called ed141286a37f6e5ddafb5069347ff5d587e7a4e0. It is best practice to apply a patch to resolve this issue. A researcher disputes the security impact of this issue, because "this is a memory leak on a command line tool that is about to exit anyway". In the reply the project maintainer declares this issue as "a simple 'bug' when leaving the command line tool and (...) not a security issue at all".|2.5|1.0|None|
|[CVE-2008-3844](https://nvd.nist.gov/vuln/detail/CVE-2008-3844)|components/openssh.bst|10.2|Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for OpenSSH, as signed in August 2008 using a legitimate Red Hat GPG key, contain an externally introduced modification (Trojan Horse) that allows the package authors to have an unknown impact. NOTE: since the malicious packages were not distributed from any official Red Hat sources, the scope of this issue is restricted to users who may have obtained these packages through unofficial distribution points. As of 20080827, no unofficial distributions of this software are known.||9.3|None|
|[CVE-2008-0731](https://nvd.nist.gov/vuln/detail/CVE-2008-0731)|components/apparmor-base.bst|4.1.2|The Linux kernel before 2.6.18.8-0.8 in SUSE openSUSE 10.2 does not properly handle failure of an AppArmor change_hat system call, which might allow attackers to trigger the unconfining of an apparmored task.||7.5|None|
|[CVE-2009-0032](https://nvd.nist.gov/vuln/detail/CVE-2009-0032)|components/cups-base.bst|2.4.12|CUPS on Mandriva Linux 2008.0, 2008.1, 2009.0, Corporate Server (CS) 3.0 and 4.0, and Multi Network Firewall (MNF) 2.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log temporary file.||6.9|None|
|[CVE-2008-1033](https://nvd.nist.gov/vuln/detail/CVE-2008-1033)|components/cups-base.bst|2.4.12|The scheduler in CUPS in Apple Mac OS X 10.5 before 10.5.3, when debug logging is enabled and a printer requires a password, allows attackers to obtain sensitive information (credentials) by reading the log data, related to "authentication environment variables."||2.1|None|
|Elements missing version data|Data|
|---|---|
|components/tex-gyre-fonts.bst|https://mirrors.ctan.org/fonts/tex-gyre.zip
|sdk/sysprof-minimal.bst|https://gitlab.gnome.org/GNOME/sysprof.git 49.alpha-85-gce3bd6ff4ccb67ac40150999d473f3744956a7df
|components/ca-certificates.bst|https://src.fedoraproject.org/rpms/ca-certificates.git 91af9300e9ca630b72f466b317bc489446838db8
|components/google-crosextra-caladea.bst|https://github.com/huertatipografica/Caladea.git 336a529cfad3d103d6527752686f8331d13e820a
|components/google-crosextra-carlito.bst|https://github.com/googlefonts/carlito.git 3a810cab78ebd6e2e4eed42af9e8453c4f9b850a
|components/polkit-base.bst|https://github.com/polkit-org/polkit.git 126-0-gd627b0d1e1108563658dabe3fb8d2a065e64df10