
Fedora 43 and 44 just rolled out a batch of critical security patches covering five major software packages. The updates address severe vulnerabilities in .NET, SDL3_image, Nextcloud, rclone, and PHP that could allow attackers to execute arbitrary code or steal sensitive data. System administrators should prioritize installing these fixes immediately, since the referenced flaws include remotely exploitable issues such as cross-site scripting, as well as privilege escalation. To apply a patch, run the standard "dnf upgrade --advisory" command with the advisory identifier given in each notification.

Fedora 43 Update: dotnet10.0-10.0.107-1.fc43
Fedora 43 Update: SDL3_image-3.4.4-1.fc43
Fedora 43 Update: nextcloud-33.0.3-1.fc43
Fedora 43 Update: rclone-1.74.0-2.fc43
Fedora 44 Update: php-8.5.6-1.fc44




[SECURITY] Fedora 43 Update: dotnet10.0-10.0.107-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-018d6721a0
2026-05-11 01:00:46.370174+00:00
--------------------------------------------------------------------------------

Name : dotnet10.0
Product : Fedora 43
Version : 10.0.107
Release : 1.fc43
URL : https://github.com/dotnet/
Summary : .NET 10.0 Runtime and SDK
Description :
.NET is a fast, lightweight and modular platform for creating
cross platform applications that work on Linux, macOS and Windows.

It particularly focuses on creating console applications, web
applications and micro-services.

.NET contains a runtime conforming to .NET Standards, a set of
framework libraries, an SDK containing compilers and a 'dotnet'
application to drive everything.

--------------------------------------------------------------------------------
Update Information:

Update to .NET SDK 10.0.107 and Runtime 10.0.7
Fixes: CVE-2026-40372
Release Notes:
SDK: https://github.com/dotnet/core/blob/main/release-notes/10.0/10.0.7/10.0.107.md
Runtime: https://github.com/dotnet/core/blob/main/release-notes/10.0/10.0.7/10.0.7.md
--------------------------------------------------------------------------------
ChangeLog:

* Fri May 1 2026 Omair Majid [omajid@redhat.com] - 10.0.107-1
- Update to .NET SDK 10.0.107 and Runtime 10.0.7
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-018d6721a0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 43 Update: SDL3_image-3.4.4-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0f01e844c3
2026-05-11 01:00:46.370226+00:00
--------------------------------------------------------------------------------

Name : SDL3_image
Product : Fedora 43
Version : 3.4.4
Release : 1.fc43
URL : https://github.com/libsdl-org/SDL_image
Summary : Image loading library for SDL
Description :
Simple DirectMedia Layer (SDL) is a cross-platform multimedia library designed
to provide fast access to the graphics frame buffer and audio device.

This is a simple library to load images of various formats as SDL surfaces.
It can load BMP, GIF, JPEG, LBM, PCX, PNG, PNM (PPM/PGM/PBM), QOI, TGA, XCF,
XPM, and simple SVG format images. It can also load AVIF, JPEG-XL, TIFF, and
WebP images.

--------------------------------------------------------------------------------
Update Information:

Update to 3.4.4.
--------------------------------------------------------------------------------
ChangeLog:

* Sat May 2 2026 Simone Caronni [negativo17@gmail.com] - 3.4.4-1
- Update to 3.4.4
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2455135 - SDL3_image-3.4.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2455135
[ 2 ] Bug #2455890 - CVE-2026-35444 SDL3_image: SDL_image: Information disclosure via crafted XCF files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2455890
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0f01e844c3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: nextcloud-33.0.3-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-6599e30e04
2026-05-11 01:00:46.370221+00:00
--------------------------------------------------------------------------------

Name : nextcloud
Product : Fedora 43
Version : 33.0.3
Release : 1.fc43
URL : http://nextcloud.com
Summary : Private file sync and share server
Description :
NextCloud gives you universal access to your files through a web interface or
WebDAV. It also provides a platform to easily view & sync your contacts,
calendars and bookmarks across all your devices and enables basic editing right
on the web. NextCloud is extendable via a simple but powerful API for
applications and plugins.

--------------------------------------------------------------------------------
Update Information:

33.0.3 Release
--------------------------------------------------------------------------------
ChangeLog:

* Sat May 2 2026 Andrew Bauer [zonexpertconsulting@outlook.com] - 33.0.3-1
- 33.0.3 Release RHBZ#2454311
* Sat Apr 18 2026 Andrew Bauer [zonexpertconsulting@outlook.com] - 33.0.1-2
- fix cli upgrade advice
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2452582 - CVE-2026-33916 nextcloud: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452582
[ 2 ] Bug #2452588 - CVE-2026-33937 nextcloud: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452588
[ 3 ] Bug #2452590 - CVE-2026-33938 nextcloud: Handlebars: Arbitrary code execution via @partial-block overwrite [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452590
[ 4 ] Bug #2452593 - CVE-2026-33939 nextcloud: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452593
[ 5 ] Bug #2452596 - CVE-2026-33940 nextcloud: Handlebars.js: Arbitrary code execution via crafted template context [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452596
[ 6 ] Bug #2452597 - CVE-2026-33941 nextcloud: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452597
[ 7 ] Bug #2452622 - CVE-2026-33937 nextcloud: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452622
[ 8 ] Bug #2452631 - CVE-2026-33938 nextcloud: Handlebars: Arbitrary code execution via @partial-block overwrite [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452631
[ 9 ] Bug #2452635 - CVE-2026-33940 nextcloud: Handlebars.js: Arbitrary code execution via crafted template context [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452635
[ 10 ] Bug #2452645 - CVE-2026-33941 nextcloud: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452645
[ 11 ] Bug #2452647 - CVE-2026-33939 nextcloud: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452647
[ 12 ] Bug #2453984 - CVE-2026-4800 nextcloud: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2453984
[ 13 ] Bug #2454038 - CVE-2026-4800 nextcloud: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2454038
[ 14 ] Bug #2454311 - nextcloud-33.0.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2454311
[ 15 ] Bug #2456569 - CVE-2026-39865 nextcloud: Axios: Denial of Service via HTTP/2 session cleanup logic state corruption [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456569
[ 16 ] Bug #2456575 - CVE-2026-39865 nextcloud: Axios: Denial of Service via HTTP/2 session cleanup logic state corruption [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456575
[ 17 ] Bug #2457496 - CVE-2025-62718 nextcloud: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457496
[ 18 ] Bug #2457502 - CVE-2025-62718 nextcloud: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457502
[ 19 ] Bug #2457809 - CVE-2026-40194 nextcloud: phpseclib: Information disclosure via timing attack in SSH HMAC comparison [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457809
[ 20 ] Bug #2457810 - CVE-2026-40194 nextcloud: phpseclib: Information disclosure via timing attack in SSH HMAC comparison [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457810
[ 21 ] Bug #2457869 - CVE-2026-40175 nextcloud: Axios: Remote Code Execution via Prototype Pollution escalation [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457869
[ 22 ] Bug #2457875 - CVE-2026-40175 nextcloud: Axios: Remote Code Execution via Prototype Pollution escalation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2457875
[ 23 ] Bug #2463440 - CVE-2026-42035 nextcloud: Axios: Arbitrary HTTP header injection via prototype pollution [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463440
[ 24 ] Bug #2463443 - CVE-2026-42035 nextcloud: Axios: Arbitrary HTTP header injection via prototype pollution [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463443
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-6599e30e04' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: rclone-1.74.0-2.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2bb2aee489
2026-05-11 01:00:46.370217+00:00
--------------------------------------------------------------------------------

Name : rclone
Product : Fedora 43
Version : 1.74.0
Release : 2.fc43
URL : https://github.com/rclone/rclone
Summary : Rsync for cloud storage
Description :
"rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, One Drive,
Swift, Hubic, Wasabi, Google Cloud Storage, Azure Blob, Azure Files, Yandex
Files.

--------------------------------------------------------------------------------
Update Information:

Update to 1.74.0
--------------------------------------------------------------------------------
ChangeLog:

* Sat May 2 2026 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 1.74.0-2
- Fix tests failing with Go 1.25
* Fri May 1 2026 Mikel Olasagasti Uranga [mikel@olasagasti.info] - 1.74.0-1
- Update to 1.74.0 - Closes rhbz#2459511
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2441180 - CVE-2025-69725 rclone: Go-chi/chi: Open Redirect vulnerability allows redirection to malicious websites [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2441180
[ 2 ] Bug #2456042 - CVE-2026-33817 rclone: go.etcd.io/bbolt: Denial of Service via index out-of-range error [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2456042
[ 3 ] Bug #2461128 - CVE-2026-41176 rclone: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint. [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2461128
[ 4 ] Bug #2463186 - CVE-2026-3006 rclone: winfsp: Local privilege escalation via race condition and kernel heap overflow [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2463186
[ 5 ] Bug #2464137 - CVE-2026-41179 rclone: Rclone: Unauthenticated local command execution via exposed RC endpoint [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2464137
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2bb2aee489' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

--------------------------------------------------------------------------------





[SECURITY] Fedora 44 Update: php-8.5.6-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-c66eaae759
2026-05-11 00:51:04.698782+00:00
--------------------------------------------------------------------------------

Name : php
Product : Fedora 44
Version : 8.5.6
Release : 1.fc44
URL : http://www.php.net/
Summary : PHP scripting language for creating dynamic web sites
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated web pages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts.

--------------------------------------------------------------------------------
Update Information:

PHP version 8.5.6 (07 May 2026)
Core:
Fixed bug GH-19983 (GC assertion failure with fibers, generators and
destructors). (iliaal)
Fixed ZEND_API mismatch on zend_ce_closure forward decl for Windows+Clang.
(henderkes)
Fixed bug GH-21504 (Incorrect RC-handling for ZEND_EXT_STMT op1). (ilutov)
Fixed bug GH-21478 (Forward property operations to real instance for initialized
lazy proxies). (iliaal)
Fixed bug GH-21605 (Missing addref for Countable::count()). (ilutov)
Fixed bug GH-21699 (Assertion failure in shutdown_executor when resolving
self::/parent::/static:: callables if the error handler throws). (macoaure)
Fixed bug GH-21603 (Missing addref for __unset). (ilutov)
Fixed bug GH-21760 (Trait with class constant name conflict against enum case
causes SEGV). (Pratik Bhujel)
CLI:
Fixed bug GH-21754 (--rf command line option with a method triggers
ext/reflection deprecation warnings). (DanielEScherzer)
Curl:
Add support for brotli and zstd on Windows. (Shivam Mathur)
DOM:
Fixed GHSA-4jhr-8w89-j733 and GH-21566 (Dom\XMLDocument::C14N() emits duplicate
xmlns declarations after setAttributeNS()). (CVE-2026-7263) (David Carlier)
FPM:
Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735) (Jakub
Zelenka)
Iconv:
Fixed bug GH-17399 (iconv memory leak on bailout). (iliaal)
Lexbor:
Upgrade to lexbor v2.7.0. (CVE-2026-29078, CVE-2026-29079) (ndossche, ilutov)
MBString:
Fixed GHSA-wm6j-2649-pv75 (Null pointer dereference in php_mb_check_encoding()
via mb_ereg_search_init()). (CVE-2026-7259) (vi3tL0u1s)
Fixed GHSA-74r9-qxhc-fx53 (Out-of-bounds access in mbfl_name2encoding_ex()).
(CVE-2026-6104) (ilutov)
Opcache:
Fixed bug GH-21158 (JIT: Assertion jit->ra[var].flags & (1