From totaam at xpra.org Fri Jul 3 18:38:08 2026 From: totaam at xpra.org (Antoine Martin) Date: Sat, 4 Jul 2026 00:38:08 +0700 Subject: [winswitch] [SECURITY ADVISORY] multiple serious vulnerabilities Message-ID: Hi, All xpra versions prior to today's releases are vulnerable to at least one full remote command execution bug. The most serious bug requires little user intervention to gain full access to the system. Removing xpra's URL handler association may not be sufficient to protect from this bug. The other vulnerabilities are only slightly less serious, and can still lead to a client system being compromised. They can be mitigated by turning off the `file-transfer` and `printing` options. Please update all your clients as soon as possible. The fixed versions available today are v6.5.1: https://github.com/Xpra-org/xpra/releases/tag/v6.5.1 And v5.1.6 LTS: https://github.com/Xpra-org/xpra/releases/tag/v5.1.6 Cheers, Antoine