diff --git a/CVE-2025-31176.patch b/CVE-2025-31176.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b0db372873d73df2fff01ebca3cc2993612be490
--- /dev/null
+++ b/CVE-2025-31176.patch
@@ -0,0 +1,58 @@
+From 9d192bf71bdf5c8aa78252a985b24d3348ccc751 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E7=99=BD=E8=B6=85=E8=B6=85?=
+
+Date: Fri, 22 Aug 2025 12:52:54 +0800
+Subject: [PATCH] CVE-2025-31176
+
+---
+ src/graph3d.c | 4 ++--
+ src/graphics.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/graph3d.c b/src/graph3d.c
+index c58d9df..a382059 100644
+--- a/src/graph3d.c
++++ b/src/graph3d.c
+@@ -1766,7 +1766,7 @@ plot3d_points(struct surface_points *plot)
+ /* Set whatever we can that applies to every point in the loop */
+ if (plot->lp_properties.p_type == PT_CHARACTER) {
+ ignore_enhanced(TRUE);
+- if (plot->labels->font && plot->labels->font[0])
++ if (plot->labels && plot->labels->font && plot->labels->font[0])
+ (*t->set_font) (plot->labels->font);
+ (*t->justify_text) (CENTRE);
+ }
+@@ -1829,7 +1829,7 @@ plot3d_points(struct surface_points *plot)
+
+ /* Return to initial state */
+ if (plot->lp_properties.p_type == PT_CHARACTER) {
+- if (plot->labels->font && plot->labels->font[0])
++ if (plot->labels && plot->labels->font && plot->labels->font[0])
+ (*t->set_font) ("");
+ ignore_enhanced(FALSE);
+ }
+diff --git a/src/graphics.c b/src/graphics.c
+index ef58d80..81b6909 100644
+--- a/src/graphics.c
++++ b/src/graphics.c
+@@ -2047,7 +2047,7 @@ plot_points(struct curve_points *plot)
+ /* Set whatever we can that applies to every point in the loop */
+ if (plot->lp_properties.p_type == PT_CHARACTER) {
+ ignore_enhanced(TRUE);
+- if (plot->labels->font && plot->labels->font[0])
++ if (plot->labels && plot->labels->font && plot->labels->font[0])
+ (*t->set_font) (plot->labels->font);
+ (*t->justify_text) (CENTRE);
+ }
+@@ -2104,7 +2104,7 @@ plot_points(struct curve_points *plot)
+
+ /* Return to initial state */
+ if (plot->lp_properties.p_type == PT_CHARACTER) {
+- if (plot->labels->font && plot->labels->font[0])
++ if (plot->labels && plot->labels->font && plot->labels->font[0])
+ (*t->set_font) ("");
+ ignore_enhanced(FALSE);
+ }
+--
+2.43.5
+
diff --git a/CVE-2025-31179.patch b/CVE-2025-31179.patch
new file mode 100644
index 0000000000000000000000000000000000000000..21b9f659374b2fd873e2059b68c3530435953dde
--- /dev/null
+++ b/CVE-2025-31179.patch
@@ -0,0 +1,30 @@
+From ca83b273f979cbe7074831c8466d7196a04a30b9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E7=99=BD=E8=B6=85=E8=B6=85?=
+
+Date: Fri, 22 Aug 2025 13:16:25 +0800
+Subject: [PATCH] CVE-2025-31179
+
+---
+ src/mouse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/mouse.c b/src/mouse.c
+index 5c8a4ac..829af96 100644
+--- a/src/mouse.c
++++ b/src/mouse.c
+@@ -490,6 +490,12 @@ xDateTimeFormat(double x, char *b, int mode)
+ {
+ struct tm tm;
+
++ if (fabs(x) > 1.e12) { /* Some time in the year 33688 */
++ int_warn(NO_CARET, "time value out of range");
++ *b = '\0';
++ return b;
++ }
++
+ switch (mode) {
+ case MOUSE_COORDINATES_XDATE:
+ ggmtime(&tm, x);
+--
+2.43.5
+
diff --git a/CVE-2025-31180.patch b/CVE-2025-31180.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3c1438319cc18055c4d408d797b8b307aee570ad
--- /dev/null
+++ b/CVE-2025-31180.patch
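Review bot: None of the five added patch files records where its fix comes from: each header carries only `Subject: [PATCH] CVE-…` with an empty description, here and in CVE-2025-31179.patch, CVE-2025-31180.patch, CVE-2025-31181.patch and CVE-2025-3359.patch. A line such as `Origin: <upstream commit URL>` (placeholder) under the Subject would let a later reviewer compare each backport with the upstream change. On the code itself, the two guarded blocks in plot3d_points and plot_points bracket a loop that lies outside the hunks; if that loop reads `plot->labels` for PT_CHARACTER points, it needs the same NULL check.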
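Review bot: The new range check in xDateTimeFormat lets NaN through, because `fabs(x) > 1.e12` evaluates to false for NaN, so a NaN coordinate still reaches `ggmtime(&tm, x)`. Writing the test as `if (!(fabs(x) <= 1.e12)) {` rejects NaN as well as the out-of-range values. Whether ggmtime tolerates NaN is not visible here, and the function body continues outside the hunk.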
@@ -0,0 +1,35 @@
+From 3d551934b3cfcdb25a9cef806811c7f2d51fdc30 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E7=99=BD=E8=B6=85=E8=B6=85?=
+
+Date: Fri, 22 Aug 2025 13:23:42 +0800
+Subject: [PATCH] CVE-2025-31180
+
+---
+ term/canvas.trm | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/term/canvas.trm b/term/canvas.trm
+index 5b5c960..efdbbf4 100644
+--- a/term/canvas.trm
++++ b/term/canvas.trm
+@@ -647,7 +647,7 @@ CANVAS_text()
+ } else
+ fprintf(gpoutfile, "gnuplot.plot_axis_x2min = \"none\"\n");
+ if (axis_array[SECOND_X_AXIS].linked_to_primary
+- && axis_array[FIRST_X_AXIS].link_udf->at) {
++ && axis_array[FIRST_X_AXIS].link_udf && axis_array[FIRST_X_AXIS].link_udf->at) {
+ fprintf(gpoutfile, "gnuplot.x2_mapping = function(x) { return x; };");
+ fprintf(gpoutfile, " // replace returned value with %s\n",
+ axis_array[FIRST_X_AXIS].link_udf->definition);
+@@ -658,7 +658,7 @@ CANVAS_text()
+ } else
+ fprintf(gpoutfile, "gnuplot.plot_axis_y2min = \"none\"\n");
+ if (axis_array[SECOND_Y_AXIS].linked_to_primary
+- && axis_array[FIRST_Y_AXIS].link_udf->at) {
++ && axis_array[FIRST_Y_AXIS].link_udf && axis_array[FIRST_Y_AXIS].link_udf->at) {
+ fprintf(gpoutfile, "gnuplot.y2_mapping = function(y) { return y; };");
+ fprintf(gpoutfile, " // replace returned value with %s\n",
+ axis_array[FIRST_Y_AXIS].link_udf->definition);
+--
+2.43.5
+
diff --git a/CVE-2025-31181.patch b/CVE-2025-31181.patch
new file mode 100644
index 0000000000000000000000000000000000000000..de3bbfd1bc020794ec6f68ae5bd2bccb2aa84ca4
--- /dev/null
+++ b/CVE-2025-31181.patch
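Review bot: The added `link_udf &&` test in CANVAS_text protects the `->at` read, but the context lines that follow pass `link_udf->definition` to a `%s` conversion with no check of its own, in both the x2 and the y2 hunk. If `at` can be non-NULL while `definition` is NULL, that `fprintf` is still undefined behaviour; whether that state is reachable is not visible here. CANVAS_text's body continues outside the hunks.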
@@ -0,0 +1,39 @@
+From 1eed1ff9993792175514a7e35de2bb9d25e2adb7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E7=99=BD=E8=B6=85=E8=B6=85?=
+
+Date: Fri, 22 Aug 2025 13:27:10 +0800
+Subject: [PATCH] CVE-2025-31181
+
+---
+ term/x11.trm | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/term/x11.trm b/term/x11.trm
+index 9e552b6..594a839 100644
+--- a/term/x11.trm
++++ b/term/x11.trm
+@@ -861,8 +861,9 @@ X11_atexit()
+ /* dont wait(), since they might be -persist */
+ X11_ipc = NULL;
+ #ifdef PIPE_IPC
+- close(ipc_back_fd);
+- ipc_back_fd = -1;
++ if (ipc_back_fd >= 0)
++ close(ipc_back_fd);
++ ipc_back_fd = IPC_BACK_CLOSED;
+ #endif
+ }
+ }
+@@ -1388,7 +1389,8 @@ X11_graphics()
+ #ifdef PIPE_IPC
+ /* if we know the outboard driver has stopped, restart it */
+ if (ipc_back_fd == IPC_BACK_CLOSED) {
+- fclose(X11_ipc);
++ if (X11_ipc > 0)
++ fclose(X11_ipc);
+ X11_ipc = NULL;
+ X11_init();
+ }
+--
+2.43.5
+
diff --git a/CVE-2025-3359.patch b/CVE-2025-3359.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0d1355e2ff972d8e47269d9c0e2b37b0514f1fb0
--- /dev/null
+++ b/CVE-2025-3359.patch
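Review bot: `if (X11_ipc > 0)` in X11_graphics applies a relational comparison to what the surrounding lines treat as a `FILE *` (it is passed to `fclose` and assigned `NULL`); ordering a pointer against the integer 0 is not a defined way to test for null, and compilers warn about it. `if (X11_ipc != NULL)` states the intent. In X11_atexit the closed state is now written as `IPC_BACK_CLOSED` instead of `-1`, and the new `ipc_back_fd >= 0` guard relies on that constant being negative; its definition is outside the hunk, so that is worth confirming.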
@@ -0,0 +1,59 @@
+From 928adec16ed68b7ef6aede8a4b4c22cb42ea01e4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E7=99=BD=E8=B6=85=E8=B6=85?=
+
+Date: Fri, 22 Aug 2025 13:31:35 +0800
+Subject: [PATCH] CVE-2025-3359
+
+---
+ term/hpgl.trm | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/term/hpgl.trm b/term/hpgl.trm
+index 8723f50..17bc018 100644
+--- a/term/hpgl.trm
++++ b/term/hpgl.trm
+@@ -1321,8 +1321,9 @@ HPGL2_set_font(const char *font)
+ {
+ struct termentry *t = term;
+ char name[MAX_ID_LEN + 1];
+- int i, sep, int_size, sep2;
+- double size;
++ int i, sep2;
++ char *sep;
++ double size = HPGL2_point_size;
+ /*
+ * If in Polyline Encoded command, leave Polyline Encoded command
+ */
+@@ -1331,9 +1332,7 @@ HPGL2_set_font(const char *font)
+ HPGL2_in_pe = 0;
+ }
+ /* determine font, use default from options if invalid */
+- sep = strcspn(font, ",");
+ strncpy(name, font, sep);
+- name[sep] = NUL;
+ for (i = 0; i < HPGL2_FONTS; i++) {
+ sep2 = strcspn(HPGL2_font_table[i].compare, "$");
+ if (strncmp(name, HPGL2_font_table[i].compare, sep2) == 0)
+@@ -1342,12 +1341,13 @@ HPGL2_set_font(const char *font)
+ if (i >= HPGL2_FONTS)
+ i = HPGL2_font_num;
+ /* determine font size, use default from options if invalid */
+- int_size = 0;
+- sscanf(&(font[sep + 1]), "%d", &int_size);
+- if (int_size > 0) {
+- size = int_size;
+- } else
+- size = HPGL2_point_size;
++ sep = strchr(font, ',');
++ if (sep) {
++ double req_size = strtod(sep+1, NULL);
++ if (req_size > 0)
++ size = req_size;
++ *sep = '\0';
++ }
+ /* apply font changes only if necessary */
+ if (size == HPGL2_point_size_current && i == HPGL2_font_num_current)
+ return FALSE;
+--
+2.43.5
+
diff --git a/gnuplot.spec b/gnuplot.spec
index 707a66ae1d3ba1ab8592941ae6648e29ce8a6cee..4e368ad9f812507f4d160d8ab01c4006f005be6c 100644
--- a/gnuplot.spec
+++ b/gnuplot.spec
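Review bot: In the second hunk of term/hpgl.trm, `strncpy(name, font, sep);` is kept as context while the line that assigned `sep` is removed and `sep` is redeclared as `char *`, so the copy length is an uninitialized pointer value and `name` is no longer NUL-terminated before the `strncmp` loop reads it. The third hunk then writes `*sep = '\0'` through a pointer derived from the `const char *font` parameter, which modifies the caller's string and comes only after the name has already been compared. I would keep the `strcspn` length, clamp it to `MAX_ID_LEN`, terminate `name`, and parse the size through a `const char *` without writing to `font`, as below. HPGL2_set_font's body continues outside the hunks.

```c
    int i, sep2;
    size_t name_len;
    const char *comma;
    /* … unchanged: size default, leave Polyline Encoded command … */
    name_len = strcspn(font, ",");
    if (name_len > MAX_ID_LEN)
        name_len = MAX_ID_LEN;
    memcpy(name, font, name_len);
    name[name_len] = NUL;
    /* … unchanged: lookup in HPGL2_font_table … */
    comma = strchr(font, ',');
    if (comma) {
        double req_size = strtod(comma + 1, NULL);
        if (req_size > 0)
            size = req_size;
    }
    /* … unchanged: apply font changes only if necessary … */
```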
@@ -2,7 +2,7 @@ Name: gnuplot Summary: a portable command-line driven graphing utility Version: %{major_minor}.6 -Release: 14 +Release: 15 License: gnuplot and MIT URL: http://www.gnuplot.info/ @@ -15,6 +15,11 @@ Patch3: gnuplot-4.6.4-singlethread.patch Patch4: gnuplot-5.0.6-no-lena.patch Patch5: gnuplot-5.0.6-add-lib-gobject-when-config.patch Patch6: CVE-2020-25969.patch +Patch7: CVE-2025-31176.patch +Patch9: CVE-2025-31179.patch +Patch10: CVE-2025-31180.patch +Patch11: CVE-2025-31181.patch +Patch12: CVE-2025-3359.patch BuildRequires: cairo-devel latex2html emacs gd-devel giflib-devel libotf libpng-devel BuildRequires: librsvg2 texinfo libX11-devel libXt-devel lua-devel m17n-lib tex-tex4ht @@ -162,6 +167,9 @@ fi %exclude %{_mandir}/man1/%{name}-ja.1* %changelog +* Fri Aug 22 2025 Chaochao Bai - 5.0.6-15 +- Fix CVE-2025-31176、CVE-2025-31179、CVE-2025-31180、CVE-2025-31181、CVE-2025-3359 + * Thu Jul 13 2023 yaoxin - 5.0.6-14 - Fix CVE-2020-25969
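Review bot: The new `PatchN:` tags skip 8 (`Patch7` is followed by `Patch9`), and none of the three hunks touches `%prep`. If `%prep` applies patches one by one rather than through `%autosetup` or `%autopatch`, the five CVE patches are registered but never applied to the build; `%prep` is outside the hunks, so this needs checking against the full spec. Renumbering to `Patch7` through `Patch11` would also keep the series contiguous.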