Project Glasswing Disclosure Vulnerability Security Update Advisory (Anthropic)

Overview


  • Anthropic has announced a number of major open source software vulnerabilities in the course of its Project Glasswing effort.

Affected Products


  • The affected products are NGINX Open Source, NGINX Plus, jq, MapServer, Temporal Server, wolfSSL, HashiCorp Nomad / Nomad Enterprise, libyang, Craft CMS, Mastodon, gix / gitoxide, junrar, FreeRDP, Ghost, ImageMagick, and MinIO.
  • The disclosed vulnerabilities include heap buffer overflow, arbitrary file write, access control error, encryption failure, signature bypass, integer overflow, certificate verification error, path traversal, use-after-free, privilege escalation, server-side request forgery (SSRF), remote code execution, and SQL injection.
  • Related CVEs and GHSA items include CVE-2026-27654, CVE-2026-32316, CVE-2026-33721, CVE-2026-5199, CVE-2026-5446, CVE-2026-5447, CVE-2026-5448, CVE-2026-5466, CVE-2026-5477, CVE-2026-5479, CVE-2026-5500, CVE-2026-5501, CVE-2026-5503, CVE-2026-7474, GHSA-9f49-8x56-jmjc, GHSA-cc7p-2j3x-x7xf, GHSA-chgx-jx3p-rf73, GHSA-crr4-7rm4-8gpw, GHSA-f26g-jm89-4g65, GHSA-j273-m5qq-6825, GHSA-mpxh-8fq3-x8mh, GHSA-w52v-v783-gw97, GHSA-x9h5-r9v2-vcww, GHSA-xh8f-g2qw-gcm7.

Vulnerability Patch


  • Patches have been made available in the latest updates, and each product should be updated to the patched version indicated below or later.
  • For example, NGINX Open Source requires 1.28.3 or later, or 1.29.7 or later, and NGINX Plus requires R36 or later.
  • In addition, MapServer requires 8.6.1 or later; Temporal Server requires 1.29.5 or later, or 1.30.3 or later; wolfSSL requires 5.9.1 or later; HashiCorp Nomad / Nomad Enterprise requires 2.0.1 or later or their respective quarterly bases; libyang requires 5.2.6 or later; Craft CMS requires 4.17.6 or later, or 5.9.12 or later; Mastodon requires 0.83.0 or later; gix / gitoxide requires 0.83.0 or later; junrar requires 7.5.8 or later; FreeRDP requires 3.26.0 or later; Ghost requires 6.19.1 or later; ImageMagick requires 7.1.2-19 or later, or 6.9.13-44 or later; and MinIO requires RELEASE.2026-04-14T21-32-45Z or later.
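
An added example, not part of the original advisory: a branch-aware check of an installed-version inventory against a subset of the fixed versions listed above. It assumes that where two fixed versions are given they are one per maintained branch, and that a version on any older branch counts as unpatched; the product keys, function names and inventory rows are constructed for illustration.

```python
import re

# Fixed versions copied from the advisory (subset of products).
# Two entries are assumed to mean one fixed release per maintained branch.
FIXED = {
    "nginx": ["1.28.3", "1.29.7"],
    "temporal-server": ["1.29.5", "1.30.3"],
    "wolfssl": ["5.9.1"],
    "craft-cms": ["4.17.6", "5.9.12"],
    "imagemagick": ["7.1.2-19", "6.9.13-44"],
    "minio": ["RELEASE.2026-04-14T21-32-45Z"],
}

def parse(version):
    """Numeric fields of a version string, so 1.28.10 sorts above 1.28.3."""
    fields = tuple(int(n) for n in re.findall(r"\d+", version))
    if not fields:
        raise ValueError(f"no numeric version in {version!r}")
    return fields

def branch_len(fixed):
    """Number of leading fields naming a branch: up to the first field that differs."""
    for i, column in enumerate(zip(*fixed)):
        if len(set(column)) > 1:
            return i + 1
    return 0

def is_patched(product, installed):
    fixed = [parse(v) for v in FIXED[product]]
    have = parse(installed)
    if have >= max(fixed):          # at or past the newest fixed release
        return True
    n = branch_len(fixed)           # otherwise it must be fixed on its own branch
    return any(have[:n] == f[:n] and have >= f for f in fixed)

def audit(inventory):
    """Return the (host, product, version) rows that are below the fixed version."""
    return [row for row in inventory if not is_patched(row[1], row[2])]

# Constructed inventory; hosts and installed versions are made up.
INVENTORY = [
    ("web-01", "nginx", "1.28.10"),
    ("web-02", "nginx", "1.29.2"),
    ("cms-01", "craft-cms", "4.17.6"),
    ("img-01", "imagemagick", "7.1.2-18"),
    ("obj-01", "minio", "RELEASE.2025-09-07T16-13-09Z"),
]

if __name__ == "__main__":
    print(*audit(INVENTORY), sep="\n")
```

Distribution packages that backport fixes keep an older upstream version number, so a row flagged for a distro-packaged product should be checked against that vendor's own advisory.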