Hello everyone! (I know that some of you have already updated — thanks!) Expat 2.7.4 has been released earlier today, and it brings two security fixes… CVE-2026-24515 — NULL pointer dereference (CWE-476) CVE-2026-25210 — integer overflow (CWE-190) …and (off-by-default) symbol versioning. As usual, the change log has more information and is available at https://github.com/libexpat/libexpat/blob/R_2_7_4/expat/Changes . There is also a blog-post version of this from as slightly different angle: https://blog.hartwork.org/posts/expat-2-7-4-released/ . If you have patches for Expat that are still required with version 2.7.4, please send them my way so we can get them included with a future release. Thank you! Best Sebastian