tuned 2.10.0 creates its PID file with insecure permissions which allows local users to kill arbitrary processes.

WebKit in Google Chrome before Blink M11 and M12 does not properly handle counter nodes, which allows remote attackers to cause a denial of service (memory corruption).

The AX.25 daemon (ax25d) in ax25-tools before 0.0.8-13 does not check the return value of a setuid call. The setuid call is responsible for dropping privileges but if the call fails the daemon would continue to run with root privileges which can allow possible privilege escalation.

mom creates world-writable pid files in /var/run

simplesamlphp before 1.6.3 (squeeze) and before 1.8.2 (sid) incorrectly handles XML encryption which could allow remote attackers to decrypt or forge messages.

MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an authentication plugin returns a false in the strict function, could allow remote attackers to use old passwords for non-existing accounts in an external authentication system via unspecified vectors.

Use after free vulnerability exists in WebKit in Google Chrome before Blink M12 in RenderLayerwhen removing elements with reflections.

NULL pointer dereference vulnerability in ZNC before 0.092 caused by traffic stats when there are unauthenticated connections.

Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers with read access and HTTP access to Jenkins master to insert data and execute arbitrary code.

Google Chrome before 3.0 does not properly handle XML documents, which allows remote attackers to obtain sensitive information via a crafted web site.