Detections
Analytics

Debian dsa-6232 : gir1.2-javascriptcoregtk-4.1 - security update

medium Nessus Plugin ID 310721

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6232 advisory.

 - ------------------------------------------------------------------------- Debian Security Advisory DSA-6232-1 [email protected] https://www.debian.org/security/ Alberto Garcia April 28, 2026 https://www.debian.org/security/faq
 - -------------------------------------------------------------------------

 Package : webkit2gtk CVE ID : CVE-2025-46299 CVE-2026-20643 CVE-2026-20664 CVE-2026-20665 CVE-2026-20691 CVE-2026-28857 CVE-2026-28859 CVE-2026-28861 CVE-2026-28871

 The following vulnerabilities have been discovered in the WebKitGTK web engine:

 CVE-2025-46299

 Google Big Sleep discovered that processing maliciously crafted web content may disclose internal states of the app.

 CVE-2026-20643

 Thomas Espach discovered that processing maliciously crafted web content may bypass Same Origin Policy.

 CVE-2026-20664

 Daniel Rhea, Soehnke Benedikt Fischedick, Emrovsky & Switch, and Yevhen Pervushyn discovered that processing maliciously crafted web content may lead to an unexpected process crash

 CVE-2026-20665

 webb discovered that processing maliciously crafted web content may prevent Content Security Policy from being enforced.

 CVE-2026-20691

 Gongyu Ma discovered that a maliciously crafted webpage may be able to fingerprint the user.

 CVE-2026-28857

 Narcis Oliveras Fontas, Soehnke Benedikt Fischedick, Daniel Rhea, and Nathaniel Oh discovered that processing maliciously crafted web content may lead to an unexpected process crash.

 CVE-2026-28859

 greenbynox and Arni Hardarson discovered that a malicious website may be able to process restricted web content outside the sandbox.

 CVE-2026-28861

 Hongze Wu and Shuaike Dong discovered that a malicious website may be able to access script message handlers intended for other origins.

 CVE-2026-28871

 @hamayanhamayan discovered that visiting a maliciously crafted website may lead to a cross- site scripting attack.

 Starting from version 2.52.0, WebKitGTK can no longer be backported to the oldstable distribution (bookworm). Because of that, the webkit2gtk packages are no longer covered by security support in bookworm.

 For the stable distribution (trixie), these problems have been fixed in version 2.52.1-1~deb13u1.

 We recommend that you upgrade your webkit2gtk packages.

 For the detailed security status of webkit2gtk please refer to its security tracker page at:
 https://security-tracker.debian.org/tracker/webkit2gtk

 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

 Mailing list: [email protected]

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the gir1.2-javascriptcoregtk-4.1 packages.

See Also

https://security-tracker.debian.org/tracker/source-package/webkit2gtk

https://security-tracker.debian.org/tracker/CVE-2025-46299

https://security-tracker.debian.org/tracker/CVE-2026-20643

https://security-tracker.debian.org/tracker/CVE-2026-20664

https://security-tracker.debian.org/tracker/CVE-2026-20665

https://security-tracker.debian.org/tracker/CVE-2026-20691

https://security-tracker.debian.org/tracker/CVE-2026-28857

https://security-tracker.debian.org/tracker/CVE-2026-28859

https://security-tracker.debian.org/tracker/CVE-2026-28861

https://security-tracker.debian.org/tracker/CVE-2026-28871

https://packages.debian.org/source/trixie/webkit2gtk

Plugin Details

Severity: Medium

ID: 310721

File Name: debian_DSA-6232.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 4/28/2026

Updated: 4/28/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.0

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-28859

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2026-20665

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libjavascriptcoregtk-4.0-bin, p-cpe:/a:debian:debian_linux:libwebkit2gtk-4.0-doc, p-cpe:/a:debian:debian_linux:webkit2gtk-driver, p-cpe:/a:debian:debian_linux:gir1.2-javascriptcoregtk-4.1, p-cpe:/a:debian:debian_linux:gir1.2-javascriptcoregtk-6.0, p-cpe:/a:debian:debian_linux:gir1.2-webkit-6.0, p-cpe:/a:debian:debian_linux:gir1.2-webkit2-4.1, p-cpe:/a:debian:debian_linux:libjavascriptcoregtk-4.1-0, p-cpe:/a:debian:debian_linux:libjavascriptcoregtk-4.1-dev, p-cpe:/a:debian:debian_linux:libjavascriptcoregtk-6.0-1, p-cpe:/a:debian:debian_linux:libjavascriptcoregtk-6.0-dev, p-cpe:/a:debian:debian_linux:libwebkit2gtk-4.1-0, p-cpe:/a:debian:debian_linux:libwebkit2gtk-4.1-dev, p-cpe:/a:debian:debian_linux:libwebkitgtk-6.0-4, p-cpe:/a:debian:debian_linux:libwebkitgtk-6.0-dev, cpe:/o:debian:debian_linux:13.0, p-cpe:/a:debian:debian_linux:libjavascriptcoregtk-bin, p-cpe:/a:debian:debian_linux:libwebkitgtk-doc, p-cpe:/a:debian:debian_linux:webkitgtk-webdriver

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/28/2026

Vulnerability Publication Date: 12/15/2025

Reference Information

CVE: CVE-2025-46299, CVE-2026-20643, CVE-2026-20664, CVE-2026-20665, CVE-2026-20691, CVE-2026-28857, CVE-2026-28859, CVE-2026-28861, CVE-2026-28871