
System administrators managing Fedora 43 or 44 environments should prioritize these urgent security patches. Xwayland gets fixes for eight separate Zero Day Initiative vulnerabilities, while the PHP extension installer PIE closes privilege escalation holes and path traversal weaknesses that could compromise system integrity. Webmail operators should also upgrade RoundcubeMail to block stored XSS attacks, and a patch for Libsoup3 stops cleartext cookie leakage during secure tunnel establishment. All of these updates can be deployed by running the standard dnf upgrade command with each advisory identifier listed in the official release notes.

Fedora 44 Update: xorg-x11-server-Xwayland-24.1.12-1.fc44
Fedora 44 Update: pie-1.4.5-1.fc44
Fedora 43 Update: pie-1.4.5-1.fc43
Fedora 43 Update: roundcubemail-1.6.16-1.fc43
Fedora 43 Update: libsoup3-3.6.6-3.fc43




[SECURITY] Fedora 44 Update: xorg-x11-server-Xwayland-24.1.12-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f98eff99c4
2026-06-04 01:48:27.004529+00:00
--------------------------------------------------------------------------------

Name : xorg-x11-server-Xwayland
Product : Fedora 44
Version : 24.1.12
Release : 1.fc44
URL : http://www.x.org
Summary : Xwayland
Description :
Xwayland is an X server for running X clients under Wayland.

--------------------------------------------------------------------------------
Update Information:

Update to xwayland 24.1.12, security fixes for ZDI-CAN-30136,
ZDI-CAN-30159, ZDI-CAN-30160, ZDI-CAN-30161, ZDI-CAN-30163,
ZDI-CAN-30164, ZDI-CAN-30165, ZDI-CAN-30168
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 2 2026 Peter Hutterer [peter.hutterer@redhat.com] - 24.1.12-1
- Update to xwayland 24.1.12
Security fixes for: ZDI-CAN-30136, ZDI-CAN-30159, ZDI-CAN-30160,
ZDI-CAN-30161, ZDI-CAN-30163, ZDI-CAN-30164,
ZDI-CAN-30165, ZDI-CAN-30168
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f98eff99c4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new



[SECURITY] Fedora 44 Update: pie-1.4.5-1.fc44


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-e5d5fc359d
2026-06-04 01:48:27.004460+00:00
--------------------------------------------------------------------------------

Name : pie
Product : Fedora 44
Version : 1.4.5
Release : 1.fc44
URL : https://github.com/php/pie
Summary : PHP Installer for Extensions
Description :
PIE (PHP Installer for Extensions).

PIE can install an extension to any installed PHP version.

A list of extensions that support PIE can be found on
https://packagist.org/extensions.

Documentation: /usr/share/doc/pie/docs/usage.md

--------------------------------------------------------------------------------
Update Information:

Version 1.4.5
This release contains vulnerability fixes for the following security advisories:
GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via
  extra.pie-installed-binary metadata in UninstallUsingUnlink
GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between
  self-update verify and write
GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar
  (rollback gap)
GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract
  directory
GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination
  containment check (Windows-only path traversal)
GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to
  --owner=php, not --repo=php/pie
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 26 2026 Remi Collet [remi@remirepo.net] - 1.4.5-1
- update to 1.4.5
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-e5d5fc359d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: pie-1.4.5-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b2fe14ec86
2026-06-04 01:35:07.681084+00:00
--------------------------------------------------------------------------------

Name : pie
Product : Fedora 43
Version : 1.4.5
Release : 1.fc43
URL : https://github.com/php/pie
Summary : PHP Installer for Extensions
Description :
PIE (PHP Installer for Extensions).

PIE can install an extension to any installed PHP version.

A list of extensions that support PIE can be found on
https://packagist.org/extensions.

Documentation: /usr/share/doc/pie/docs/usage.md

--------------------------------------------------------------------------------
Update Information:

Version 1.4.5
This release contains vulnerability fixes for the following security advisories:
GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via
  extra.pie-installed-binary metadata in UninstallUsingUnlink
GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between
  self-update verify and write
GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar
  (rollback gap)
GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract
  directory
GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination
  containment check (Windows-only path traversal)
GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to
  --owner=php, not --repo=php/pie
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 26 2026 Remi Collet [remi@remirepo.net] - 1.4.5-1
- update to 1.4.5
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b2fe14ec86' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: roundcubemail-1.6.16-1.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-07ee097ffe
2026-06-04 01:35:07.681051+00:00
--------------------------------------------------------------------------------

Name : roundcubemail
Product : Fedora 43
Version : 1.6.16
Release : 1.fc43
URL : http://www.roundcube.net
Summary : Round Cube Webmail is a browser-based multilingual IMAP client
Description :
RoundCube Webmail is a browser-based multilingual IMAP client
with an application-like user interface. It provides full
functionality you expect from an e-mail client, including MIME
support, address book, folder manipulation, message searching
and spell checking. RoundCube Webmail is written in PHP and
requires a database: MySQL, PostgreSQL and SQLite are known to
work. The user interface is fully skinnable using XHTML and
CSS 2.

--------------------------------------------------------------------------------
Update Information:

Release 1.6.16
Fix potential too long value in IMAP ID command (#10136)
Security: Fix stored XSS/HTML/CSS injection in subject field of the draft
restore dialog
Security: Fix CSS injection bypass in HTML sanitizer via SVG
Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace
backslash escape bypass
Security: Fix SSRF bypass via specific local address URLs
Security: Fix bypass of remote image blocking via CSS var()
Security: Fix local/private URL fetch bypass when remote resources were not
allowed
Security: Fix pre-auth arbitrary file delete via redis/memcache session
poisoning bypass
Security: Fix code injection vulnerability - remove support for code evaluation
in LDAP autovalues option
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 25 2026 Remi Collet [remi@remirepo.net] - 1.6.16-1
- update to 1.6.16
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2481615 - CVE-2026-48842 roundcubemail: pre-auth SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481615
[ 2 ] Bug #2481617 - CVE-2026-48844 roundcubemail: code injection via insecure LDAP autovalues option [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481617
[ 3 ] Bug #2481619 - CVE-2026-48843 roundcubemail: information disclosure and Server-Side Request Forgery via insufficient CSS sanitization [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481619
[ 4 ] Bug #2481622 - CVE-2026-48845 roundcubemail: privilege escalation via remote image blocking bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481622
[ 5 ] Bug #2481624 - CVE-2026-48848 roundcubemail: CSS injection via an SVG document that has an animate element with the attributeName attribute [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481624
[ 6 ] Bug #2481626 - CVE-2026-48847 roundcubemail: arbitrary file deletion via redis/memcache session poisoning bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481626
[ 7 ] Bug #2481628 - CVE-2026-48846 roundcubemail: remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481628
[ 8 ] Bug #2481629 - CVE-2026-48849 roundcubemail: XSS via unsanitized subject field in the draft restored value [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2481629
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-07ee097ffe' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------





[SECURITY] Fedora 43 Update: libsoup3-3.6.6-3.fc43


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-37298d3095
2026-06-04 01:35:07.681028+00:00
--------------------------------------------------------------------------------

Name : libsoup3
Product : Fedora 43
Version : 3.6.6
Release : 3.fc43
URL : https://wiki.gnome.org/Projects/libsoup
Summary : Soup, an HTTP library implementation
Description :
Libsoup is an HTTP library implementation in C. It was originally part
of a SOAP (Simple Object Access Protocol) implementation called Soup, but
the SOAP and non-SOAP parts have now been split into separate packages.

libsoup uses the Glib main loop and is designed to work well with GTK
applications. This enables GNOME applications to access HTTP servers
on the network in a completely asynchronous fashion, very similar to
the Gtk+ programming model (a synchronous operation mode is also
supported for those who want it), but the SOAP parts were removed
long ago.

--------------------------------------------------------------------------------
Update Information:

Patch for CVE-2026-5119
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 19 2026 Luigi Pavan [lpavan@redhat.com] - 3.6.6-3
- Fix CVE-2026-5119: cookies sent in cleartext to HTTP proxy for HTTPS
requests
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2452935 - CVE-2026-5119 libsoup3: libsoup: Information disclosure via cleartext transmission of cookies during HTTPS tunnel establishment [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2452935
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-37298d3095' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

