CVEs

A stolen session did not die when the password changed. In listmonk, previously issued authenticated sessions remained valid after both password reset and password change, turning credential recovery into incomplete recovery.

Malformed DER with truncated length fields was accepted instead of rejected, and that let untrusted input reach an internal exception path during key parsing.

A profiling tool turned command-line metadata into executable HTML because one attacker-controlled field crossed into a browser sink without escaping.