dotnet
dotnet bulletins.
dotnet/aspire v13.4.4-release: DCP reconnection and ExcludeFromMcp() fixes
Patch release for Aspire 13.4 with two fixes: improved DCP connection reliability during request execution (reconnection is now at
MessagePack for .NET: LZ4 decompression out-of-bounds read vulnerability
A vulnerability in the LZ4 decompression path of MessagePack for .
Polly 8.7.0 Released
Release of Polly version 8.7.0, a .NET resilience and transient-fault-handling library.
.NET Blog Announces .NET Day of Agentic Modernization Livestream
Announced .NET Day of Agentic Modernization Livestream event.
.NET 11 Preview 5 Released with New Features
.NET 11 Preview 5 is out, bringing updates to the runtime, SDK, libraries, ASP.NET Core, .NET MAUI, C#, Entity Framework Core, and
dotnet/runtime v8.0.28: WebSocket fix, JIT fix, CRL cache, QUIC update
Release v8.0.28 of dotnet/runtime includes multiple fixes and dependency updates: WebSocket Server now denies unmasked frame recei
dotnet/runtime v9.0.17: WebSocket fix, JIT bug fix, MsQuic update, CRL cache
Release v9.0.17 of dotnet/runtime includes multiple fixes and dependency updates: WebSocket server now denies unmasked frame recei
dotnet/runtime v10.0.9: Bug fixes, optimizations, and dependency updates
Release v10.0.9 includes fixes for docker compose, MetaDataGetDispenser linking in singlefilehost, IJW OverflowException with 17+
dotnet/aspire v13.4.1 patch fixes four bugs
Patch release v13.4.1 fixes four bugs: explicit-start resource lifecycle callbacks triggered too early; Redis persistent container
dotnet/aspire 13.4.2 fixes Redis TLS deadlock in persistent containers
Patch release 13.4.2 fixes a deadlock in Redis persistent containers when using TLS, caused by using public host ports instead of
.NET Blog: Microsoft Build 2026 .NET Sessions Recap
Microsoft Build 2026 included .NET sessions on .NET 11, union types in C#, AI building blocks, the agentic web, .NET MAUI, and mor
dotnet/aspire v13.4.3: persistent container endpoint allocation regression fix
Patch release fixing persistent container endpoint allocation regression: persistent containers now default to proxied endpoint be
Nerdbank.MessagePack deserializers vulnerable to memory amplification via collection preallocation
Nerdbank.MessagePack deserializers for collection-shaped types allocate storage based on attacker-controlled element counts from M
Nerdbank.MessagePack: Denial of Service via ExpandoObject Converter
A security advisory was published for Nerdbank.
dotnet/aspire v13.4.0: TypeScript AppHost GA, aspire ps breaking change, Foundry API update
TypeScript AppHost is now GA; experimental markers removed.
TinyMCE 6.8.x-7.0.x XSS via SVG namespace handling
TinyMCE 6.8.x-7.0.x contains an XSS vulnerability due to improper SVG namespace scope handling in the sanitizer, allowing arbitrar
TinyMCE Stored XSS via data-mce-* attributes
Stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style).
TinyMCE Stored XSS via forged mce:protected comments
Stored XSS vulnerability via forged mce:protected comments allows attackers to bypass sanitization and inject scripts when content
TinyMCE Media Plugin Stored XSS Vulnerability
Stored XSS vulnerability in the media plugin allows attackers to inject malicious scripts via crafted data-mce-* attributes.