34 files changed, 235 insertions, 87 deletions
diff --git a/security/cosign/Makefile b/security/cosign/Makefile
index af140597692c..9766fa711a8b 100644
--- a/security/cosign/Makefile
+++ b/security/cosign/Makefile
@@ -1,7 +1,6 @@
 PORTNAME=	cosign
 DISTVERSIONPREFIX=	v
-DISTVERSION=	2.5.3
-PORTREVISION=	2
+DISTVERSION=	2.6.0
 CATEGORIES=	security
 
 MAINTAINER=	bofh@FreeBSD.org
@@ -24,7 +23,7 @@ GO_BUILDFLAGS=	-ldflags="-buildid= \
 
 PLIST_FILES=	bin/${PORTNAME}
 
-GIT_HASH=	488ef8ceed5ab5d77379e9077a124a0d0df41d06
+GIT_HASH=	37fbfc7018fb4d60a9a2c9175bd64c75dda5869a
 
 .include <bsd.port.pre.mk>
 
diff --git a/security/cosign/distinfo b/security/cosign/distinfo
index 162267863be7..04260adacbe1 100644
--- a/security/cosign/distinfo
+++ b/security/cosign/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1752874321
-SHA256 (go/security_cosign/cosign-v2.5.3/v2.5.3.mod) = 3d3e90c2ad6b9f1dc45c9f83c5408d4296d80ae3728998504d9d3e077dd19afe
-SIZE (go/security_cosign/cosign-v2.5.3/v2.5.3.mod) = 16693
-SHA256 (go/security_cosign/cosign-v2.5.3/v2.5.3.zip) = e0158a5721ba7c8e2b775af499c07d89957ae42177a1794c8382e1e91901b531
-SIZE (go/security_cosign/cosign-v2.5.3/v2.5.3.zip) = 1335557
+TIMESTAMP = 1757797254
+SHA256 (go/security_cosign/cosign-v2.6.0/v2.6.0.mod) = 5bdb0b024ddd7ed55330cccaf993f544d68917acac507d0f3c78e22be77afabb
+SIZE (go/security_cosign/cosign-v2.6.0/v2.6.0.mod) = 17701
+SHA256 (go/security_cosign/cosign-v2.6.0/v2.6.0.zip) = 2952d765dacdaebf7c651cfbad99e4736a086a9732e3a42bf8e9ce963bc73ae3
+SIZE (go/security_cosign/cosign-v2.6.0/v2.6.0.zip) = 1366214
diff --git a/security/keysmith/distinfo b/security/keysmith/distinfo
index 35f288229720..2b1d0859e6c8 100644
--- a/security/keysmith/distinfo
+++ b/security/keysmith/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1754646550
-SHA256 (KDE/release-service/25.08.0/keysmith-25.08.0.tar.xz) = 0e5f21ebffb21856e22dfd2fa961f5d14c5c565a88002a32ce1f4117bad60987
-SIZE (KDE/release-service/25.08.0/keysmith-25.08.0.tar.xz) = 237728
+TIMESTAMP = 1757410252
+SHA256 (KDE/release-service/25.08.1/keysmith-25.08.1.tar.xz) = bf4aeda0e45993d3bd76deca5edc85216ddb0dbdcb309ebf5520f33d1cd572d3
+SIZE (KDE/release-service/25.08.1/keysmith-25.08.1.tar.xz) = 237656
diff --git a/security/kf6-kdesu/distinfo b/security/kf6-kdesu/distinfo
index 8c98e35c7322..5e2b09c85181 100644
--- a/security/kf6-kdesu/distinfo
+++ b/security/kf6-kdesu/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1754127975
-SHA256 (KDE/frameworks/6.17/kdesu-6.17.0.tar.xz) = 666899ad546b7bd002e3fc1697032f8920ce7261df2ef519e81d4aae91971123
-SIZE (KDE/frameworks/6.17/kdesu-6.17.0.tar.xz) = 57012
+TIMESTAMP = 1757408198
+SHA256 (KDE/frameworks/6.18/kdesu-6.18.0.tar.xz) = 3203b047113cf08bca3981ede657e45b417a7cd0f2879bb4f9e901ad4e594616
+SIZE (KDE/frameworks/6.18/kdesu-6.18.0.tar.xz) = 57020
diff --git a/security/kgpg/distinfo b/security/kgpg/distinfo
index e639670f58dd..853712e77c9d 100644
--- a/security/kgpg/distinfo
+++ b/security/kgpg/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1754646553
-SHA256 (KDE/release-service/25.08.0/kgpg-25.08.0.tar.xz) = c343f27b1d024a9497d6df81439fdfc5a6d13016725a225d7a1d195fdb002427
-SIZE (KDE/release-service/25.08.0/kgpg-25.08.0.tar.xz) = 3049812
+TIMESTAMP = 1757410254
+SHA256 (KDE/release-service/25.08.1/kgpg-25.08.1.tar.xz) = c3afee476c61ecd322502217ce97fa4dcc16dab39f7793c31be2bee8ac2455b5
+SIZE (KDE/release-service/25.08.1/kgpg-25.08.1.tar.xz) = 3049880
diff --git a/security/kleopatra/distinfo b/security/kleopatra/distinfo
index 4264a1a02270..9a4e29e665f7 100644
--- a/security/kleopatra/distinfo
+++ b/security/kleopatra/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1754646555
-SHA256 (KDE/release-service/25.08.0/kleopatra-25.08.0.tar.xz) = f3cba816041732ed915e4941f728f04ef9cb3129f31d845bfe8df3f4e0f0b3db
-SIZE (KDE/release-service/25.08.0/kleopatra-25.08.0.tar.xz) = 2861400
+TIMESTAMP = 1757410257
+SHA256 (KDE/release-service/25.08.1/kleopatra-25.08.1.tar.xz) = 27081153cd29ff300454ca1bcd4da57541d07a52a9741bcd8fabc2a094b4bdf8
+SIZE (KDE/release-service/25.08.1/kleopatra-25.08.1.tar.xz) = 2861848
diff --git a/security/kpkpass/distinfo b/security/kpkpass/distinfo
index ee3a7ed3c2ea..89a44718e1f4 100644
--- a/security/kpkpass/distinfo
+++ b/security/kpkpass/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1754646557
-SHA256 (KDE/release-service/25.08.0/kpkpass-25.08.0.tar.xz) = 2ee2a25ff90f23026dd687e2b62ac1a908c1c55fdf685a42583d67472a1badbb
-SIZE (KDE/release-service/25.08.0/kpkpass-25.08.0.tar.xz) = 31868
+TIMESTAMP = 1757410259
+SHA256 (KDE/release-service/25.08.1/kpkpass-25.08.1.tar.xz) = e75e339814e124203bb6205eb435d2283ff0828b08d13108bfc66ef454cfa7bb
+SIZE (KDE/release-service/25.08.1/kpkpass-25.08.1.tar.xz) = 31864
diff --git a/security/kwalletmanager/distinfo b/security/kwalletmanager/distinfo
index 84d27d4eab2b..1aa0b0bfc238 100644
--- a/security/kwalletmanager/distinfo
+++ b/security/kwalletmanager/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1754646560
-SHA256 (KDE/release-service/25.08.0/kwalletmanager-25.08.0.tar.xz) = 0110bbc55733392f49d2de333082d29c1929a1073af27799f6c277289c8359a3
-SIZE (KDE/release-service/25.08.0/kwalletmanager-25.08.0.tar.xz) = 1052868
+TIMESTAMP = 1757410261
+SHA256 (KDE/release-service/25.08.1/kwalletmanager-25.08.1.tar.xz) = cd52e2746aabc52aa9e7918c6a2788b4f2777b1a19479b0af9364d4f714a8704
+SIZE (KDE/release-service/25.08.1/kwalletmanager-25.08.1.tar.xz) = 1052792
diff --git a/security/libkleo/distinfo b/security/libkleo/distinfo
index e75aa8c676d4..d048235b3504 100644
--- a/security/libkleo/distinfo
+++ b/security/libkleo/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1754646562
-SHA256 (KDE/release-service/25.08.0/libkleo-25.08.0.tar.xz) = 20c9553c7652f8bc59949cf4b92711c7b0e5a486fc4b10d851346439056d2bd4
-SIZE (KDE/release-service/25.08.0/libkleo-25.08.0.tar.xz) = 663320
+TIMESTAMP = 1757410264
+SHA256 (KDE/release-service/25.08.1/libkleo-25.08.1.tar.xz) = 6a9a2bef659a4294c6114ac2300fc62dc5e2d1b48eb29ef2ead9be59997d8baf
+SIZE (KDE/release-service/25.08.1/libkleo-25.08.1.tar.xz) = 667908
diff --git a/security/libkleo/pkg-plist b/security/libkleo/pkg-plist
index 25a2223e34e3..3d504d3d50ec 100644
--- a/security/libkleo/pkg-plist
+++ b/security/libkleo/pkg-plist
@@ -168,7 +168,7 @@ lib/libKPim6Libkleo.so.6
 lib/libKPim6Libkleo.so.%%KDE_APPLICATIONS_SHLIB_VER%%
 share/KPim6Libkleo/find-modules/FindLibAssuan.cmake
 share/KPim6Libkleo/find-modules/FindLibGpgError.cmake
-%%DATADIR%%patra/pics/smartcard.xpm
+share/libkleopatra/pics/smartcard.xpm
 share/locale/ar/LC_MESSAGES/libkleopatra6.mo
 share/locale/ast/LC_MESSAGES/libkleopatra6.mo
 share/locale/be/LC_MESSAGES/libkleopatra6.mo
diff --git a/security/netbird/Makefile b/security/netbird/Makefile
index cac5d2216eae..d018c374af81 100644
--- a/security/netbird/Makefile
+++ b/security/netbird/Makefile
@@ -1,6 +1,7 @@
 PORTNAME=	netbird
 DISTVERSIONPREFIX=	v
 DISTVERSION=	0.56.0
+PORTREVISION=	1
 CATEGORIES=	security net net-vpn
 
 MAINTAINER=	hakan.external@netbird.io
diff --git a/security/netbird/files/patch-vendor_golang.zx2c4.com_wireguard_wgctrl_internal_wgfreebsd_internal_nv_decode.go b/security/netbird/files/patch-vendor_golang.zx2c4.com_wireguard_wgctrl_internal_wgfreebsd_internal_nv_decode.go
new file mode 100644
index 000000000000..3d89c7d66a97
--- /dev/null
+++ b/security/netbird/files/patch-vendor_golang.zx2c4.com_wireguard_wgctrl_internal_wgfreebsd_internal_nv_decode.go
@@ -0,0 +1,11 @@
+--- vendor/golang.zx2c4.com/wireguard/wgctrl/internal/wgfreebsd/internal/nv/decode.go.orig	2025-09-06 11:14:13 UTC
++++ vendor/golang.zx2c4.com/wireguard/wgctrl/internal/wgfreebsd/internal/nv/decode.go
+@@ -13,7 +13,7 @@ func Unmarshal(d []byte, out List) error {
+ 
+ // Unmarshal decodes a FreeBSD name-value list (nv(9)) to a Go map
+ func Unmarshal(d []byte, out List) error {
+-	sz := C.ulong(len(d))
++	sz := C.size_t(len(d))
+ 	dp := unsafe.Pointer(&d[0])
+ 	nvl := C.nvlist_unpack(dp, sz, 0)
+ 
diff --git a/security/netbird/files/patch-vendor_golang.zx2c4.com_wireguard_wgctrl_internal_wgfreebsd_internal_nv_encode.go b/security/netbird/files/patch-vendor_golang.zx2c4.com_wireguard_wgctrl_internal_wgfreebsd_internal_nv_encode.go
new file mode 100644
index 000000000000..54a18ac871bf
--- /dev/null
+++ b/security/netbird/files/patch-vendor_golang.zx2c4.com_wireguard_wgctrl_internal_wgfreebsd_internal_nv_encode.go
@@ -0,0 +1,33 @@
+--- vendor/golang.zx2c4.com/wireguard/wgctrl/internal/wgfreebsd/internal/nv/encode.go.orig	2025-09-06 11:15:21 UTC
++++ vendor/golang.zx2c4.com/wireguard/wgctrl/internal/wgfreebsd/internal/nv/encode.go
+@@ -44,7 +44,7 @@ func marshal(m List) (nvl *C.struct_nvlist, err error)
+ 			C.nvlist_add_bool(nvl, ckey, C.bool(value))
+ 
+ 		case uint64:
+-			C.nvlist_add_number(nvl, ckey, C.ulong(value))
++			C.nvlist_add_number(nvl, ckey, C.uint64_t(value))
+ 
+ 		case []byte:
+ 			sz := len(value)
+@@ -54,8 +54,8 @@ func marshal(m List) (nvl *C.struct_nvlist, err error)
+ 
+ 		case []List:
+ 			sz := len(value)
+-			buf := C.malloc(C.size_t(C.sizeof_nvlist_ptr * sz))
+-			items := (*[1<<30 - 1]*C.struct_nvlist)(buf)
++			buf := (**C.struct_nvlist)(C.malloc(C.size_t(C.sizeof_nvlist_ptr * sz)))
++			items := unsafe.Slice(buf, sz)
+ 
+ 			for i, val := range value {
+ 				if items[i], err = marshal(val); err != nil {
+@@ -64,8 +64,8 @@ func marshal(m List) (nvl *C.struct_nvlist, err error)
+ 				}
+ 			}
+ 
+-			C.nvlist_add_nvlist_array(nvl, ckey, (**C.struct_nvlist)(buf), C.size_t(sz))
+-			C.free(buf)
++			C.nvlist_add_nvlist_array(nvl, ckey, buf, C.size_t(sz))
++			C.free(unsafe.Pointer(buf))
+ 		}
+ 
+ 		C.free(unsafe.Pointer(ckey))
diff --git a/security/node-sqlcipher/Makefile b/security/node-sqlcipher/Makefile
index 203bde07839f..1154e081f29d 100644
--- a/security/node-sqlcipher/Makefile
+++ b/security/node-sqlcipher/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	node-sqlcipher
-DISTVERSION=	2.2.2
+DISTVERSION=	2.4.4
 CATEGORIES=	security
 MASTER_SITES=	https://github.com/signalapp/node-sqlcipher/archive/refs/tags/v${DISTVERSION}/:sqlcipher \
 		https://registry.npmjs.org/@esbuild/freebsd-arm64/-/:esbuildarm64 \
diff --git a/security/node-sqlcipher/distinfo b/security/node-sqlcipher/distinfo
index 542021a3cf7f..f303ead4222c 100644
--- a/security/node-sqlcipher/distinfo
+++ b/security/node-sqlcipher/distinfo
@@ -1,9 +1,9 @@
-TIMESTAMP = 1755508730
+TIMESTAMP = 1757237368
 SHA256 (freebsd-arm64-0.25.9.tgz) = ffa1616767d7660bc93d439c19d91a9b1e5751065c946d09382e330ea688f3f2
 SIZE (freebsd-arm64-0.25.9.tgz) = 4016542
 SHA256 (freebsd-x64-0.25.9.tgz) = 86d04ec7f0dc3fe07b91e625c283f07b82ef2da04809f9ba4193492743c7fcbc
 SIZE (freebsd-x64-0.25.9.tgz) = 4370517
-SHA256 (node-sqlcipher-2.2.2.tar.gz) = 924916f16f61a0448c8fa062963055d73ba7af104781e8848766a97c88b1662b
-SIZE (node-sqlcipher-2.2.2.tar.gz) = 2714491
-SHA256 (node-sqlcipher-2.2.2-npm-cache.tar.gz) = 45b4c5bf67cd9f6eac4f02f1bbed0bbae57ca0d97733e0d4cbecf0ebb327cac8
-SIZE (node-sqlcipher-2.2.2-npm-cache.tar.gz) = 67597779
+SHA256 (node-sqlcipher-2.4.4.tar.gz) = b28b7a05d139edbf0a5aaf35caeb296ad3d90b107e0d3242451c6bf78e12f85f
+SIZE (node-sqlcipher-2.4.4.tar.gz) = 2732706
+SHA256 (node-sqlcipher-2.4.4-npm-cache.tar.gz) = ead2a8db40b7bc84c4e4edf45f88f1e50be0302ed42efd3b870b005dd4e6bb0f
+SIZE (node-sqlcipher-2.4.4-npm-cache.tar.gz) = 67535275
diff --git a/security/nss/Makefile b/security/nss/Makefile
index c9a20263a864..525635c1e763 100644
--- a/security/nss/Makefile
+++ b/security/nss/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	nss
-PORTVERSION=	3.115.1
+PORTVERSION=	3.116
 CATEGORIES=	security
 MASTER_SITES=	MOZILLA/security/${PORTNAME}/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
 
diff --git a/security/nss/distinfo b/security/nss/distinfo
index 37d2ef7208b7..c913edb41197 100644
--- a/security/nss/distinfo
+++ b/security/nss/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1755861627
-SHA256 (nss-3.115.1.tar.gz) = b8189c030b528e57dc5290023c07eea429ce242912a51a0388c184c75a257bcf
-SIZE (nss-3.115.1.tar.gz) = 76656855
+TIMESTAMP = 1757695731
+SHA256 (nss-3.116.tar.gz) = 3938611de4ad1e3b71f27f3cd5ea717a5b5f83bffc9cd427e6d929dc67f2bb73
+SIZE (nss-3.116.tar.gz) = 76661970
diff --git a/security/nss/pkg-plist b/security/nss/pkg-plist
index 54ad14fae62f..c815d71f45ca 100644
--- a/security/nss/pkg-plist
+++ b/security/nss/pkg-plist
@@ -50,6 +50,7 @@ include/nss/keythi.h
 include/nss/kyber.h
 include/nss/lowkeyi.h
 include/nss/lowkeyti.h
+include/nss/ml_dsat.h
 include/nss/nss.h
 include/nss/nssb64.h
 include/nss/nssb64t.h
diff --git a/security/nuclei/Makefile b/security/nuclei/Makefile
index 14307cedd2a0..884ebf15b0e1 100644
--- a/security/nuclei/Makefile
+++ b/security/nuclei/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	nuclei
 DISTVERSIONPREFIX=	v
-DISTVERSION=	3.4.7
+DISTVERSION=	3.4.10
 CATEGORIES=	security
 
 MAINTAINER=	dutra@FreeBSD.org
@@ -9,7 +9,7 @@ WWW=		https://github.com/projectdiscovery/nuclei
 
 LICENSE=	MIT
 
-USES=		go:1.22,modules
+USES=		go:1.24,modules
 GO_MODULE=	github.com/projectdiscovery/nuclei/v3
 
 GO_TARGET=	./cmd/${PORTNAME}
diff --git a/security/nuclei/distinfo b/security/nuclei/distinfo
index e84c8fc80136..d08b4c74bfad 100644
--- a/security/nuclei/distinfo
+++ b/security/nuclei/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1753317860
-SHA256 (go/security_nuclei/nuclei-v3.4.7/v3.4.7.mod) = bc1fb722b23218fe4ec211f30a80341a92e69f62fe0a5625afbb0a86599726fc
-SIZE (go/security_nuclei/nuclei-v3.4.7/v3.4.7.mod) = 18779
-SHA256 (go/security_nuclei/nuclei-v3.4.7/v3.4.7.zip) = 0356b818c4d68bff08f690128ed089b37a83b43dfdea9a045c8f13500d52300e
-SIZE (go/security_nuclei/nuclei-v3.4.7/v3.4.7.zip) = 12380996
+TIMESTAMP = 1757787405
+SHA256 (go/security_nuclei/nuclei-v3.4.10/v3.4.10.mod) = 0d3b692dbe6922d8bc13cbc334140df320f21650d7b5d073bcb2e4ae294ef913
+SIZE (go/security_nuclei/nuclei-v3.4.10/v3.4.10.mod) = 18905
+SHA256 (go/security_nuclei/nuclei-v3.4.10/v3.4.10.zip) = c42c0eb9f5727fca98aa5ee45fdeebd39c26292dcd500d3f5bf7cfb9ae552abd
+SIZE (go/security_nuclei/nuclei-v3.4.10/v3.4.10.zip) = 12401381
diff --git a/security/osv-scanner/Makefile b/security/osv-scanner/Makefile
index e1b4fc3acda3..c3f0fa16bbd3 100644
--- a/security/osv-scanner/Makefile
+++ b/security/osv-scanner/Makefile
@@ -1,7 +1,6 @@
 PORTNAME=	osv-scanner
 DISTVERSIONPREFIX=	v
-DISTVERSION=	2.2.1
-PORTREVISION=	1
+DISTVERSION=	2.2.2
 CATEGORIES=	security
 
 MAINTAINER=	dutra@FreeBSD.org
diff --git a/security/osv-scanner/distinfo b/security/osv-scanner/distinfo
index 265d20a79f1b..1a2041a4e6ed 100644
--- a/security/osv-scanner/distinfo
+++ b/security/osv-scanner/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1754949434
-SHA256 (go/security_osv-scanner/osv-scanner-v2.2.1/v2.2.1.mod) = 0dce5dbfafb99b5582b02777a4a2b0b806fde168be423da7ed1ac6f0d9529abd
-SIZE (go/security_osv-scanner/osv-scanner-v2.2.1/v2.2.1.mod) = 9801
-SHA256 (go/security_osv-scanner/osv-scanner-v2.2.1/v2.2.1.zip) = d249264cb9bfef83ef63567466dd7321032e7e7c44532be933fc12b920151637
-SIZE (go/security_osv-scanner/osv-scanner-v2.2.1/v2.2.1.zip) = 5234820
+TIMESTAMP = 1757786339
+SHA256 (go/security_osv-scanner/osv-scanner-v2.2.2/v2.2.2.mod) = d54389929750cc4839c89a8f2083a8d735c105d2aac0a3d90cdfb9a5e8fc998f
+SIZE (go/security_osv-scanner/osv-scanner-v2.2.2/v2.2.2.mod) = 9801
+SHA256 (go/security_osv-scanner/osv-scanner-v2.2.2/v2.2.2.zip) = 5dbba62ae3d7fec8f1d61d3cb011b54f8b994ac6b7aa9a33a3f9bee0abf0a70a
+SIZE (go/security_osv-scanner/osv-scanner-v2.2.2/v2.2.2.zip) = 12527375
diff --git a/security/osv-scanner/files/patch-internal_sourceanalysis_go.go b/security/osv-scanner/files/patch-internal_sourceanalysis_go.go
index 04a027230126..024b5e0dda44 100644
--- a/security/osv-scanner/files/patch-internal_sourceanalysis_go.go
+++ b/security/osv-scanner/files/patch-internal_sourceanalysis_go.go
@@ -1,11 +1,11 @@
---- internal/sourceanalysis/go.go.orig	1979-11-30 03:00:00 UTC
+--- internal/sourceanalysis/go.go.orig	2025-09-13 17:59:56 UTC
 +++ internal/sourceanalysis/go.go
-@@ -19,7 +19,7 @@ func goAnalysis(pkgs []models.PackageVulns, source mod
- )
+@@ -21,7 +21,7 @@ func goAnalysis(pkgs []models.PackageVulns, source mod
  
  func goAnalysis(pkgs []models.PackageVulns, source models.SourceInfo) {
--	cmd := exec.Command("go", "version")
-+	cmd := exec.Command("go%%GO_SUFFIX%%", "version")
+ 	// TODO: This will be moved to enrichers which does have context.
+-	cmd := exec.CommandContext(context.TODO(), "go", "version")
++	cmd := exec.CommandContext(context.TODO(), "go%%GO_SUFFIX%%", "version")
  	_, err := cmd.Output()
  	if err != nil {
- 		slog.Info("Skipping call analysis on Go code since Go is not installed.")
+ 		cmdlogger.Infof("Skipping call analysis on Go code since Go is not installed.")
diff --git a/security/p11-kit/Makefile b/security/p11-kit/Makefile
index c2bba5c883c4..845f8ab77d6b 100644
--- a/security/p11-kit/Makefile
+++ b/security/p11-kit/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	p11-kit
-DISTVERSION=	0.25.5
+DISTVERSION=	0.25.8
 CATEGORIES=	security devel
 MASTER_SITES=	https://github.com/p11-glue/${PORTNAME}/releases/download/${DISTVERSION}/
 
@@ -21,6 +21,7 @@ CPE_VENDOR=	p11-kit_project
 
 MESON_ARGS=	-Dnls=false \
 		-Dsystemd=disabled \
+		-Dzsh_completion=disabled \
 		-Dtrust_paths=${DATADIR}/certs
 
 OPTIONS_DEFINE=		DOCS MANPAGES TEST
diff --git a/security/p11-kit/distinfo b/security/p11-kit/distinfo
index 5dc3e4629f51..8792b97e4abc 100644
--- a/security/p11-kit/distinfo
+++ b/security/p11-kit/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1720110883
-SHA256 (p11-kit-0.25.5.tar.xz) = 04d0a86450cdb1be018f26af6699857171a188ac6d5b8c90786a60854e1198e5
-SIZE (p11-kit-0.25.5.tar.xz) = 1002056
+TIMESTAMP = 1757740866
+SHA256 (p11-kit-0.25.8.tar.xz) = 2fd4073ee2a47edafaae2c8affa2bcca64e0697f8881f68f580801ef43cab0ce
+SIZE (p11-kit-0.25.8.tar.xz) = 1060504
diff --git a/security/p11-kit/pkg-plist b/security/p11-kit/pkg-plist
index a865245891c4..b46c8f26f9a5 100644
--- a/security/p11-kit/pkg-plist
+++ b/security/p11-kit/pkg-plist
@@ -11,7 +11,7 @@ include/p11-kit-1/p11-kit/uri.h
 include/p11-kit-1/p11-kit/version.h
 lib/libp11-kit.so
 lib/libp11-kit.so.0
-lib/libp11-kit.so.0.4.1
+lib/libp11-kit.so.0.4.3
 lib/p11-kit-proxy.so
 lib/pkcs11/p11-kit-client.so
 lib/pkcs11/p11-kit-trust.so
@@ -47,6 +47,7 @@ share/bash-completion/completions/trust
 %%DOCS%%share/gtk-doc/html/p11-kit/p11-kit.devhelp2
 %%DOCS%%share/gtk-doc/html/p11-kit/p11-kit.html
 %%DOCS%%share/gtk-doc/html/p11-kit/pkcs11-conf.html
+%%DOCS%%share/gtk-doc/html/p11-kit/proxy.html
 %%DOCS%%share/gtk-doc/html/p11-kit/reference.html
 %%DOCS%%share/gtk-doc/html/p11-kit/remoting.html
 %%DOCS%%share/gtk-doc/html/p11-kit/right-insensitive.png
diff --git a/security/p5-GSSAPI/Makefile b/security/p5-GSSAPI/Makefile
index ff17e4d13599..25102d1fa128 100644
--- a/security/p5-GSSAPI/Makefile
+++ b/security/p5-GSSAPI/Makefile
@@ -22,11 +22,9 @@ OPTIONS_DEFAULT=GSSAPI_BASE
 GSSAPI_BASE_USES=	gssapi
 GSSAPI_HEIMDAL_USES=	gssapi:heimdal
 GSSAPI_MIT_USES=	gssapi:mit
-GSSAPI_MIT_VARS=	KRB5CONF=${KRB5_HOME}/bin/krb5-config
-GSSAPI_MIT_VARS_OFF=	KRB5CONF=${HEIMDAL_HOME}/bin/krb5-config
 
 post-patch:
-	@${REINPLACE_CMD} -e 's|%%KRB5CONF%%|${KRB5CONF}|g' ${WRKSRC}/Makefile.PL
+	@${REINPLACE_CMD} -e 's|%%KRB5CONF%%|${KRB5CONFIG}|g' ${WRKSRC}/Makefile.PL
 
 post-install:
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/${SITE_ARCH_REL}/auto/GSSAPI/GSSAPI.so
diff --git a/security/plasma6-kscreenlocker/distinfo b/security/plasma6-kscreenlocker/distinfo
index 0343749b22a8..7d1cd97476ae 100644
--- a/security/plasma6-kscreenlocker/distinfo
+++ b/security/plasma6-kscreenlocker/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1754413473
-SHA256 (KDE/plasma/6.4.4/kscreenlocker-6.4.4.tar.xz) = 5cc1dd23be325f1ddcf005556f0ac14077789524aa0b3e1e83b97ff77d4932a8
-SIZE (KDE/plasma/6.4.4/kscreenlocker-6.4.4.tar.xz) = 187256
+TIMESTAMP = 1757499239
+SHA256 (KDE/plasma/6.4.5/kscreenlocker-6.4.5.tar.xz) = fac4f9d53d63cb9b06e90feb82c28f471971d15defd4a068bb1e7d2886b7090d
+SIZE (KDE/plasma/6.4.5/kscreenlocker-6.4.5.tar.xz) = 187560
diff --git a/security/plasma6-ksshaskpass/distinfo b/security/plasma6-ksshaskpass/distinfo
index f9b0e72d57f4..fdbbdb4bb8b5 100644
--- a/security/plasma6-ksshaskpass/distinfo
+++ b/security/plasma6-ksshaskpass/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1754413474
-SHA256 (KDE/plasma/6.4.4/ksshaskpass-6.4.4.tar.xz) = ab47b94b6024fab148c9a7a8f8c4403a81edea96eabbb0d5f805a120fc5df230
-SIZE (KDE/plasma/6.4.4/ksshaskpass-6.4.4.tar.xz) = 30964
+TIMESTAMP = 1757499239
+SHA256 (KDE/plasma/6.4.5/ksshaskpass-6.4.5.tar.xz) = 5b2da11937079c61919755c3d55ff9bfc5bf97ed1dbf080b43c0c2af50e354da
+SIZE (KDE/plasma/6.4.5/ksshaskpass-6.4.5.tar.xz) = 31120
diff --git a/security/plasma6-kwallet-pam/distinfo b/security/plasma6-kwallet-pam/distinfo
index d23794cb6bc5..c8a46d495814 100644
--- a/security/plasma6-kwallet-pam/distinfo
+++ b/security/plasma6-kwallet-pam/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1754413474
-SHA256 (KDE/plasma/6.4.4/kwallet-pam-6.4.4.tar.xz) = e464f9bc73a4db2b593d1b19e1e8aee385d155513e58b6b11470fa78c52efbc1
-SIZE (KDE/plasma/6.4.4/kwallet-pam-6.4.4.tar.xz) = 22548
+TIMESTAMP = 1757499240
+SHA256 (KDE/plasma/6.4.5/kwallet-pam-6.4.5.tar.xz) = 8ffbf1cc42de9aa32afc99dcc5dc0482f1967145416f05449b1e727b55b1373e
+SIZE (KDE/plasma/6.4.5/kwallet-pam-6.4.5.tar.xz) = 22508
diff --git a/security/py-nitrokey/Makefile b/security/py-nitrokey/Makefile
index 4fbcdf8adcd3..6e2c63495263 100644
--- a/security/py-nitrokey/Makefile
+++ b/security/py-nitrokey/Makefile
@@ -1,5 +1,6 @@
 PORTNAME=	nitrokey
 DISTVERSION=	0.3.2
+PORTREVISION=	1
 CATEGORIES=	security devel python
 MASTER_SITES=	PYPI
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
@@ -15,13 +16,15 @@ BUILD_DEPENDS=	${PYTHON_PKGNAMEPREFIX}fido2>=1.1.2,<3:security/py-fido2@${PY_FLA
 		${PYTHON_PKGNAMEPREFIX}requests>=0:www/py-requests@${PY_FLAVOR} \
 		${PYTHON_PKGNAMEPREFIX}semver>=0:devel/py-semver@${PY_FLAVOR} \
 		${PYTHON_PKGNAMEPREFIX}tlv8>=0:converters/py-tlv8@${PY_FLAVOR} \
-		${PYTHON_PKGNAMEPREFIX}poetry>=0:devel/py-poetry@${PY_FLAVOR}
+		${PYTHON_PKGNAMEPREFIX}poetry>=0:devel/py-poetry@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}hidapi>=0.14,<0.15:comms/py-hidapi@${PY_FLAVOR}
 RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}fido2>=1.1.2,<3:security/py-fido2@${PY_FLAVOR} \
 		${PYTHON_PKGNAMEPREFIX}pyusb>=0:devel/py-pyusb@${PY_FLAVOR} \
 		${PYTHON_PKGNAMEPREFIX}requests>=0:www/py-requests@${PY_FLAVOR} \
 		${PYTHON_PKGNAMEPREFIX}pyserial>=0:comms/py-pyserial@${PY_FLAVOR} \
 		${PYTHON_PKGNAMEPREFIX}semver>=0:devel/py-semver@${PY_FLAVOR} \
-		${PYTHON_PKGNAMEPREFIX}tlv8>=0:converters/py-tlv8@${PY_FLAVOR}
+		${PYTHON_PKGNAMEPREFIX}tlv8>=0:converters/py-tlv8@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}hidapi>=0.14,<0.15:comms/py-hidapi@${PY_FLAVOR}
 
 USES=		python shebangfix
 USE_PYTHON=	autoplist concurrent cryptography pep517
diff --git a/security/tailscale/Makefile b/security/tailscale/Makefile
index a4c4b5d22cae..80d4c73e3e33 100644
--- a/security/tailscale/Makefile
+++ b/security/tailscale/Makefile
@@ -1,7 +1,6 @@
 PORTNAME=	tailscale
-PORTVERSION=	1.86.4
+PORTVERSION=	1.88.1
 DISTVERSIONPREFIX=	v
-PORTREVISION=	1
 CATEGORIES=	security net-vpn
 
 MAINTAINER=	ashish@FreeBSD.org
@@ -13,7 +12,7 @@ LICENSE_FILE=	${WRKSRC}/LICENSE
 
 RUN_DEPENDS=	ca_root_nss>0:security/ca_root_nss
 
-USES=		go:1.24,modules
+USES=		go:1.25,modules
 
 GO_MODULE=	github.com/tailscale/tailscale
 
diff --git a/security/tailscale/distinfo b/security/tailscale/distinfo
index 08daa50120f4..c9056030aa68 100644
--- a/security/tailscale/distinfo
+++ b/security/tailscale/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1755178462
-SHA256 (go/security_tailscale/tailscale-v1.86.4/v1.86.4.mod) = ad5983e44eecba029c80a179d58e6cfa074ea5508ce0f4c3cceffd1c67e4c9f5
-SIZE (go/security_tailscale/tailscale-v1.86.4/v1.86.4.mod) = 20667
-SHA256 (go/security_tailscale/tailscale-v1.86.4/v1.86.4.zip) = 157f4bfb56c489ff46b9afabbd3234e6a2a6bfeff7ed51802c8154c41d2d81a2
-SIZE (go/security_tailscale/tailscale-v1.86.4/v1.86.4.zip) = 5178809
+TIMESTAMP = 1757683579
+SHA256 (go/security_tailscale/tailscale-v1.88.1/v1.88.1.mod) = 75ff8036ac1682b88dd2d35c7115a7305d8eae138135b0173b2ebe752e08536c
+SIZE (go/security_tailscale/tailscale-v1.88.1/v1.88.1.mod) = 21190
+SHA256 (go/security_tailscale/tailscale-v1.88.1/v1.88.1.zip) = fc07508fd0479ec58d9ecc917367f21f71d4a8577862bdbec2ad4e1eb42b97b4
+SIZE (go/security_tailscale/tailscale-v1.88.1/v1.88.1.zip) = 5259701
diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index 6a4e1eec9395..fbc1d03321f7 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,3 +1,105 @@
+  <vuln vid="3aee6703-8ff6-11f0-b8da-589cfc10a551">
+    <topic>cups -- security vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>cups</name>
+	<range><lt>2.4.13</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>SO-AND-SO reports:</p>
+	<blockquote cite="https://github.com/OpenPrinting/cups/releases/tag/v2.4.13">
+	  <p>The release 2.4.13 brings two CVE fixes - fix for important CVE-2025-58060
+	  and fix for moderate CVE-2025-58364, together with several bug fixes.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-58060</cvename>
+      <cvename>CVE-2025-58364</cvename>
+      <url>https://github.com/OpenPrinting/cups/releases/tag/v2.4.13</url>
+    </references>
+    <dates>
+      <discovery>2025-09-12</discovery>
+      <entry>2025-09-12</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="f50640fa-89a4-4795-a302-47b0dea8cee5">
+    <topic>chromium -- multiple security fixes</topic>
+    <affects>
+      <package>
+       <name>chromium</name>
+       <range><lt>140.0.7339.127</lt></range>
+      </package>
+      <package>
+       <name>ungoogled-chromium</name>
+       <range><lt>140.0.7339.127</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+       <p>Chrome Releases reports:</p>
+       <blockquote cite="https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_9.html">
+	 <p>This update includes 2 security fixes:</p>
+	 <ul>
+	    <li>[440454442] Critical CVE-2025-10200: Use after free in Serviceworker. Reported by Looben Yang on 2025-08-22</li>
+	    <li>[439305148] High CVE-2025-10201: Inappropriate implementation in Mojo. Reported by Sahan Fernando &amp; Anon on 2025-08-18</li>
+	 </ul>
+       </blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2025-10200</cvename>
+      <cvename>CVE-2025-10201</cvename>
+      <url>https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_9.html</url>
+    </references>
+    <dates>
+      <discovery>2025-09-09</discovery>
+      <entry>2025-09-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="602fc0fa-8ece-11f0-9d03-2cf05da270f3">
+    <topic>Gitlab -- Vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>gitlab-ce</name>
+	<name>gitlab-ee</name>
+	<range><ge>18.3.0</ge><lt>18.3.2</lt></range>
+	<range><ge>18.2.0</ge><lt>18.2.6</lt></range>
+	<range><ge>7.8.0</ge><lt>18.1.6</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Gitlab reports:</p>
+	<blockquote cite="https://about.gitlab.com/releases/2025/09/10/patch-release-gitlab-18-3-2-released/">
+	  <p>Denial of Service issue in SAML Responses impacts GitLab CE/EE</p>
+	  <p>Server-Side Request Forgery issue in Webhook custom header impacts GitLab CE/EE</p>
+	  <p>Denial of Service issue in User-Controllable Fields impacts GitLab CE/EE</p>
+	  <p>Denial of Service issue in endpoint file upload impacts GitLab CE/EE</p>
+	  <p>Denial of Service issue in token listing operations impacts GitLab CE/EE</p>
+	  <p>Information disclosure issue in runner endpoints impacts GitLab CE/EE</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-2256</cvename>
+      <cvename>CVE-2025-6454</cvename>
+      <cvename>CVE-2025-1250</cvename>
+      <cvename>CVE-2025-7337</cvename>
+      <cvename>CVE-2025-10094</cvename>
+      <cvename>CVE-2025-6769</cvename>
+      <url>https://about.gitlab.com/releases/2025/09/10/patch-release-gitlab-18-3-2-released/</url>
+    </references>
+    <dates>
+      <discovery>2025-09-10</discovery>
+      <entry>2025-09-11</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="bda50cf1-8bcf-11f0-b3f7-a8a1599412c6">
     <topic>chromium -- multiple security fixes</topic>
     <affects>