GHSA-95m2-chm4-mq7m: PHP-Textile has persistent XSS vulnerability in image link handling

GHSA-2r2v-9pf8-6342: WireGuard Portal v2 Vulnerable to OAuth Insecure Redirect URI / Account Takeover

GHSA-r5vf-wf4h-82gg: matrix-sdk-crypto missing facility to signal rotation of a verified cryptographic identity

GHSA-f27p-cmv8-xhm6: fetch: Authorization headers not dropped when redirecting cross-origin

GHSA-2p95-8xvm-2pjx: REDAXO CMS Cross-site Scripting vulnerability

### Impact

Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source (https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L192). This can leave servers vulnerable to replay attacks when TLS is not used.

### Patches

Upgrade to version 0.8.1 or higher.

### Workarounds

No.

### References

Issue is similar to https://nvd.nist.gov/vuln/detail/CVE-2025-22376.


**Guzzle OAuth Subscriber has insufficient nonce entropy**

Low severity GitHub Reviewed Published Jan 6, 2025 in guzzle/oauth-subscriber • Updated Jan 6, 2025

Headline

GHSA-237r-r8m4-4q88: Guzzle OAuth Subscriber has insufficient nonce entropy

Impact

Patches

Workarounds

References

ghsa: Latest News