SUSE CVE-2026-7573

An authorization bypass CWE-639 in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy roles and permissions for any user across all organizations by supplying targeted Name and Org...

SUSE CVE-2026-35527

Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD request to a user-supplied URL before validating the request against project restrictions such as restricted.images.servers. The imgPostURLInfo function...

SUSE CVE-2026-43119

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcisync: annotate data-races around hdev-reqstatus hcicmdsyncsk sets hdev-reqstatus under hdev-reqlock: hdev-reqstatus = HCIREQPEND; However, several other functions read or write hdev-reqstatus without holding any loc...

SUSE CVE-2026-43223

In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix URB leak in pvr2sendrequestex When pvr2sendrequestex submits a write URB successfully but fails to submit the read URB e.g. returns -ENOMEM, it returns immediately without waiting for the write URB to complete...

SUSE CVE-2026-43255

In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix WARNING in usbtxblock The function usbtxblock submits cardp-txurb without ensuring that any previous transmission on this URB has completed. If a second call occurs while the URB is still active e.g. during...

Improperly Implemented Security Check for Standard

Overview Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard in the handlePathSwitchRequestMain function. An attacker can cause persistent service disruption and corrupt internal security context by sending a crafted PathSwitchRequest message fro...

Free5GC AMF Bypasses UE Security Capabilities on NGAP PathSwitchRequest

Summary The AMF in Free5GC v4.2.1 does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, whic...

GHSA-77X9-RF64-92GV Free5GC AMF Bypasses UE Security Capabilities on NGAP PathSwitchRequest

Summary The AMF in Free5GC v4.2.1 does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, whic...

Server-side Request Forgery (SSRF)

Overview github.com/gotenberg/gotenberg/v7/pkg/modules/chromium is a Docker-powered stateless API for PDF files. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the convertUrlRoute and screenshotUrlRoute processes. An attacker can access sensitive files...

GHSA-G924-CJX7-2RJW Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme

Summary The /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so HTML/Markdown routes can load their own request-local assets, and those routes apply a...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the downloadFrom and webhook processes. An attacker can access internal network resources and potentially exfiltrate sensitive information or interact with internal-only services by supplying special...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the downloadFrom and webhook processes. An attacker can access internal network resources and potentially exfiltrate sensitive information or interact with internal-only services by supplying special...

Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes

Summary FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS resolution when it navigates to the URL. An attacker who controls DNS for a hostname...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the FilterOutboundURL process. An attacker can access internal network resources and retrieve sensitive information by exploiting DNS rebinding to bypass outbound URL filtering. This is only...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the FilterOutboundURL process. An attacker can access internal network resources and retrieve sensitive information by exploiting DNS rebinding to bypass outbound URL filtering. This is only...

GHSA-2PMR-289P-44R3 Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes

Summary FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS resolution when it navigates to the URL. An attacker who controls DNS for a hostname...

Gotenberg has a Server-Side Request Forgery (SSRF) Issue

Summary The SSRF hardening shipped in v8.31.0 only covers outbound URLs that Gotenberg's Go code handles — Chromium asset fetches, webhook delivery, and download-from. The LibreOffice conversion endpoint /forms/libreoffice/convert passes uploaded documents directly to LibreOffice without inspecti...

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the pdfengines/metadata/write endpoint when JSON metadata keys containing newline characters are passed directly to ExifTool without validation. An attacker can execute arbitrary operating system commands by...

HTTP Request Smuggling

Overview io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling when parsed HTTP requests contain malformed Transfer-Encoding headers...

GHSA-38F8-5428-X5CV Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding

Summary Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. Details Netty incorrectly marks a request as chunked when malformed "Transfer-Encoding: chunked, identity" is present. According to RFC...