[winswitch] [SECURITY ADVISORY] multiple serious vulnerabilities

Antoine Martin totaam at xpra.org
Fri Jul 3 18:38:08 BST 2026


Hi,

All xpra versions prior to today's releases are vulnerable to at least 
one full remote command execution bug.

The most serious bug requires little user intervention to gain full 
access to the system.
Removing xpra's URL handler association may not be sufficient to protect 
from this bug.

The other vulnerabilities are only slightly less serious, and can still 
lead to a client system being compromised.
They can be mitigated by turning off the `file-transfer` and `printing` 
options.

Please update all your clients as soon as possible.
The fixed versions available today are v6.5.1:
https://github.com/Xpra-org/xpra/releases/tag/v6.5.1
And v5.1.6 LTS:
https://github.com/Xpra-org/xpra/releases/tag/v5.1.6

Cheers,
Antoine


More information about the shifter-users mailing list