Many will have seen the recent post from Anthropic (1) and associated reporting that says they found 500+ vulnerabilities and lists 3 of them. These three issues don’t appear to have CVEs and two don’t appear in releases. I don’t know if that indicates the maintainers don't agree with the significance of these findings, but I wonder if the other 498+ vulnerabilities also lack CVEs.
1. For OpenSC, the commit appears to be: https://github.com/OpenSC/OpenSC/commit/9ab1daf21029dd18f8828d684ee6151d9238edab There are no disclosed security issues more recent than 2024 at https://github.com/OpenSC/OpenSC/security and the last release was OpenSC 0.26.1. 2. For cgif, the fix is https://github.com/dloebl/cgif/commit/07052febd3a252d30e6f0de67b2ea4f6b9aacddd and it appears in v0.5.1. 4. For ghostscript, the commit appears to be https://github.com/ArtifexSoftware/ghostpdl/commit/4e392a82d1b1780cab85804728317f36a9c4f7f7 which references a nonpublic bug 709080 <https://bugs.ghostscript.com/show_bug.cgi?id=709080>. The last release is 10.06.0 (2025-09-09) so there is no release with this fix. Anthropic’s post: https://red.anthropic.com/2026/zero-days/ Joe
