Xint public tracker adds seven CVE-backed findings beyond CopyFail

Source status: Xint's public tracker is the AI-attribution source. The tracker data was published on April 29, 2026, and listed 50 Xint tracker findings when checked on May 5, 2026. This cluster indexes the seven CVE-backed non-CopyFail entries; CVE/vendor or upstream records corroborate the vulnerabilities and fixes, while Xint provides the discovery attribution.

Summary

Xint Code’s public record is broader than CopyFail. Theori’s Xint public bug tracker lists 50 Xint tracker findings as of May 5, 2026, with severity labels spanning critical, high, medium, and low issues.

Bugflation does not import all 50 tracker rows as separate findings because many entries are still embargoed or lack enough public corroboration for the main ledger. This entry indexes the seven CVE-backed non-CopyFail tracker items:

CVE-2026-6100, a CPython use-after-free affecting multiple decompressor classes after memory-allocation failure and object reuse.
CVE-2026-34979, a CUPS scheduler heap-based buffer overflow in option-string construction from IPP job attributes.
CVE-2026-32647, an NGINX MP4 module heap buffer overflow around stco/co64 atom handling.
CVE-2025-12875 and CVE-2025-13120, two mruby memory-safety issues.
CVE-2026-32710, a MariaDB heap buffer overflow in JSON schema validation.
CVE-2026-2005, a PostgreSQL pgcrypto heap buffer overflow in pgp_parse_pubenc_sesskey.

CopyFail, CVE-2026-31431, remains a separate Bugflation entry because it has its own detailed disclosure, Linux kernel fix trail, proof-of-concept repository, and CISA KEV listing.

Attribution

This cluster is labeled self-reported. The Xint tracker is a primary source from the system operator and supplies the Xint Code discovery attribution. The CVE, GHSA, and upstream-fix links in the tracker corroborate the underlying vulnerabilities and fixes, but the independent records do not all describe the AI workflow.

That distinction is the important correction. Xint Code should not be described as a one-finding system. At the same time, tracker-only and embargoed entries should not be blended with fully public CVE-backed disclosures.

Why it matters

The Xint tracker is another bugflation signal: a single AI-assisted security system is producing a stream of reportable findings across runtimes, server software, databases, compression paths, and media parsers.

For defenders, the lesson is not tied to CopyFail alone. If AI-assisted systems can repeatedly surface credible bugs across unrelated open-source projects, the pressure moves from discovery to validation, coordination, patching, and deployment.

References

Catalogued in the Bugflation public ledger. Disagree with the attribution or severity label? Email the desk.