High
resolved
resolved
Unauthenticated file deletion via deleteFileMessage DDP method allows permanent destruction of any uploaded file
Bug reported by eldudarino was disclosed at June 16, 2026, 9:47 am | Improper Authentication - Generic
Low
resolved
resolved
Malicious Conflux Endpoint Can Leave Stale Global OOO Queue Accounting After Teardown
Bug reported by was disclosed at June 16, 2026, 7:16 am | Uncontrolled Resource Consumption
A vulnerability was discovered in Tor's Conflux OOO queue accounting. The vulnerability could cause the global OOO queue byte counter to remain inflated after a Conflux set was torn down, even though the memory had already been freed. This was due to a lack of accounting updates during the teardown process. No sensitive information was included in the report.
![[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]](https://64.media.tumblr.com/834502d05f9b014cbc37366fe428a5a7/13cb9841c0799d7a-ff/s500x560/e72398fe92beda2aa80d0329e8b9f4febece7568.gif)
