[winswitch] [SECURITY ADVISORY] multiple serious vulnerabilities
Antoine Martin
totaam at xpra.org
Fri Jul 3 18:38:08 BST 2026
Hi,
All xpra versions prior to today's releases are vulnerable to at least
one full remote command execution bug.
The most serious bug requires little user intervention to gain full
access to the system.
Removing xpra's URL handler association may not be sufficient to protect
from this bug.
The other vulnerabilities are only slightly less serious, and can still
lead to a client system being compromised.
They can be mitigated by turning off the `file-transfer` and `printing`
options.
Please update all your clients as soon as possible.
The fixed versions available today are v6.5.1:
https://github.com/Xpra-org/xpra/releases/tag/v6.5.1
And v5.1.6 LTS:
https://github.com/Xpra-org/xpra/releases/tag/v5.1.6
Cheers,
Antoine
More information about the shifter-users
mailing list