dotnet 2026
dotnet/aspire v13.4.6: Patch for polyglot codegen, isolated mode port collision, MongoDB driver
Patch release for Aspire 13.4 fixing polyglot AppHost code generation binding when CLI and SDK versions diverge, resource service
DotVVM Adds Required Cryptographic Token for File Uploads
DotVVM now requires a cryptographic token for file upload requests and adds the `DotvvmConfiguration.
CoreWCF.Primitives: Unauthenticated Signature Bypass via Crafted SOAP Header
A security vulnerability in CoreWCF.
CoreWCF.Kafka: Null-value record causes processing halt
A null-value record on a Kafka topic causes CoreWCF to stop processing new records from that topic.
CoreWCF.UnixDomainSocket: Missing stream upgrade for PosixIdentity client credential type
A CoreWCF service hosted on Unix Domain Sockets with PosixIdentity client credential type does not require the client to perform t
CoreWCF.NetNamedPipe vulnerability: local interception of NetNamedPipe traffic fixed in v1.8.1 and v1.9.1
CoreWCF NetNamedPipe transport had a vulnerability allowing local interception of NetNamedPipe traffic by attaching to a pre-exist
CoreWCF.UnixDomainSocket: Race condition in peer identity resolution
Race condition in POSIX peer identity resolution may attribute one connection’s identity to another (getpwuid/getgrgid non-reentra
CoreWCF.Primitives Token Replay Detection Bypass
A security advisory was published for CoreWCF.
CoreWCF.Primitives: WS-Security 1.0 DigestMethod validation added
CoreWCF's WS-Security 1.0 receive pipeline now validates the DigestMethod of each ds:Reference against the configured SecurityAlgo
DotVVM ReDoS vulnerability mitigated with route regex timeout
DotVVM versions 4.3.15, 4.2.11 and 5.0.0-preview09 apply a 1 second timeout to route regex operations. When timeout is triggered,
DotVVM AuthorizeActionFilter broken, allows unauthorized access
The AuthorizeActionFilter class is broken and does nothing, allowing unauthorized access.
CoreWCF.NetFramingBase: Unauthenticated Remote CPU Exhaustion via Thread Pin
An unauthenticated remote attacker can pin one server thread-pool worker at 100% CPU per connection, potentially exhausting CPU us
CoreWCF.Primitives SAML Token Signature Verification Bypass
When a service validates SAML tokens using a non-X.
CoreWCF.Primitives SAML 1.1 token validation bypass
Security advisory: SAML 1.1 token validation bypass in CoreWCF.Primitives. Two exploit shapes: holder-of-key downgrade (attacker c
CoreWCF.Primitives SAML Impersonation Vulnerability
A security vulnerability in CoreWCF.
CoreWCF.Primitives replay attack vulnerability in transport-security bindings
A security vulnerability in CoreWCF.
CoreWCF.Primitives Security Vulnerability: Impersonation via TransportWithMessageCredential and WS-SecureConversation
A security vulnerability in CoreWCF.
NCalc.Core Denial-of-Service Vulnerability Fixed in Factorial Operator
A denial-of-service vulnerability in the factorial operator of NCalc was fixed by adding bounds validation for factorial operands
.NET Blog: Microsoft Binlog MCP Server announced – 15 tools for MSBuild binary log analysis
Announced the Microsoft Binlog MCP Server, a set of 15 specialized tools for AI-assisted investigation of MSBuild binary logs.
Microsoft.NETCore.App.Runtime.linux-x64 Symlink Traversal in TarFile.ExtractToDirectory
A tampering vulnerability in System.
dotnet/aspire v13.4.5: Patch for StreamJsonRpc/MessagePack CVE, SemVer validation, telemetry update
Patch release v13.4.5 bumps StreamJsonRpc to 2.25.29 to clear transitive MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 a
Microsoft.AspNetCore.App.Runtime.linux-x64 Denial of Service via MessagePack Hub Protocol
A denial of service vulnerability in the MessagePack hub protocol used by SignalR and Blazor Server.
dotnet/aspire v13.4.4-release: DCP reconnection and ExcludeFromMcp() fixes
Patch release for Aspire 13.4 with two fixes: improved DCP connection reliability during request execution (reconnection is now at
MessagePack for .NET: LZ4 decompression out-of-bounds read vulnerability
A vulnerability in the LZ4 decompression path of MessagePack for .
Polly 8.7.0 Released
Release of Polly version 8.7.0, a .NET resilience and transient-fault-handling library.
.NET Blog Announces .NET Day of Agentic Modernization Livestream
Announced .NET Day of Agentic Modernization Livestream event.
.NET 11 Preview 5 Released with New Features
.NET 11 Preview 5 is out, bringing updates to the runtime, SDK, libraries, ASP.NET Core, .NET MAUI, C#, Entity Framework Core, and
dotnet/runtime v8.0.28: WebSocket fix, JIT fix, CRL cache, QUIC update
Release v8.0.28 of dotnet/runtime includes multiple fixes and dependency updates: WebSocket Server now denies unmasked frame recei
dotnet/runtime v9.0.17: WebSocket fix, JIT bug fix, MsQuic update, CRL cache
Release v9.0.17 of dotnet/runtime includes multiple fixes and dependency updates: WebSocket server now denies unmasked frame recei
dotnet/runtime v10.0.9: Bug fixes, optimizations, and dependency updates
Release v10.0.9 includes fixes for docker compose, MetaDataGetDispenser linking in singlefilehost, IJW OverflowException with 17+
dotnet/aspire v13.4.1 patch fixes four bugs
Patch release v13.4.1 fixes four bugs: explicit-start resource lifecycle callbacks triggered too early; Redis persistent container
dotnet/aspire 13.4.2 fixes Redis TLS deadlock in persistent containers
Patch release 13.4.2 fixes a deadlock in Redis persistent containers when using TLS, caused by using public host ports instead of
.NET Blog: Microsoft Build 2026 .NET Sessions Recap
Microsoft Build 2026 included .NET sessions on .NET 11, union types in C#, AI building blocks, the agentic web, .NET MAUI, and mor
dotnet/aspire v13.4.3: persistent container endpoint allocation regression fix
Patch release fixing persistent container endpoint allocation regression: persistent containers now default to proxied endpoint be
Nerdbank.MessagePack deserializers vulnerable to memory amplification via collection preallocation
Nerdbank.MessagePack deserializers for collection-shaped types allocate storage based on attacker-controlled element counts from M
Nerdbank.MessagePack: Denial of Service via ExpandoObject Converter
A security advisory was published for Nerdbank.
dotnet/aspire v13.4.0: TypeScript AppHost GA, aspire ps breaking change, Foundry API update
TypeScript AppHost is now GA; experimental markers removed.
TinyMCE 6.8.x-7.0.x XSS via SVG namespace handling
TinyMCE 6.8.x-7.0.x contains an XSS vulnerability due to improper SVG namespace scope handling in the sanitizer, allowing arbitrar
TinyMCE Stored XSS via data-mce-* attributes
Stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style).
TinyMCE Stored XSS via forged mce:protected comments
Stored XSS vulnerability via forged mce:protected comments allows attackers to bypass sanitization and inject scripts when content
TinyMCE Media Plugin Stored XSS Vulnerability
Stored XSS vulnerability in the media plugin allows attackers to inject malicious scripts via crafted data-mce-* attributes.