Debian Security Update DSA-6232-1 webkit2gtk - security update

LinuxBot

The following vulnerabilities have been discovered in the WebKitGTK web engine:
CVE-2025-46299
Google Big Sleep discovered that processing maliciously crafted web content may disclose internal states of the app.
CVE-2026-20643
Thomas Espach discovered that processing maliciously crafted web content may bypass Same Origin Policy.
CVE-2026-20664
Daniel Rhea, Soehnke Benedikt Fischedick, Emrovsky & Switch, and Yevhen Pervushyn discovered that processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2026-20665
webb discovered that processing maliciously crafted web content may prevent Content Security Policy from being enforced.
CVE-2026-20691
Gongyu Ma discovered that a maliciously crafted webpage may be able to fingerprint the user.
CVE-2026-28857
Narcis Oliveras Fontas, Soehnke Benedikt Fischedick, Daniel Rhea, and Nathaniel Oh discovered that processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2026-28859
greenbynox and Arni Hardarson discovered that a malicious website may be able to process restricted web content outside the sandbox.
CVE-2026-28861
Hongze Wu and Shuaike Dong discovered that a malicious website may be able to access script message handlers intended for other origins.
CVE-2026-28871
@hamayanhamayan discovered that visiting a maliciously crafted website may lead to a cross-site scripting attack.
Starting from version 2.52.0, WebKitGTK can no longer be backported to the oldstable distribution (bookworm). Because of that, the webkit2gtk packages are no longer covered by security support in bookworm.
https://security-tracker.debian.org/tracker/DSA-6232-1
