SUSE-SU-2026:1749-1 Security update for webkit2gtk3

This update for webkit2gtk3 fixes the following issues: Update to version 2.52.1. Security issues fixed: - CVE-2026-20643: processing maliciously crafted web content may bypass Same Origin Policy bsc1261172. - CVE-2026-20664: processing maliciously crafted web content may lead to an unexpected...

Linux Distros Unpatched Vulnerability : CVE-2026-7968

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Insufficient validation of untrusted input in CORS in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to...

RHEL 9 : webkit2gtk3 (RHSA-2026:14659)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:14659 advisory. WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fixes: webkitgtk: Processing maliciously...

Google Chrome Network Integer Overflow Vulnerability

Google Chrome is a web browser developed by Google to provide web browsing, application running and internet communication features. Google Chrome suffers from an integer overflow vulnerability that stems from the Network component failing to properly handle certain data, which can be exploited b...

GHSA-GPXG-FX2G-QXJ2 Kanidm: Stored HTML injection in "passkey-enrolment" partial via displayname → htmx-driven authenticated request forgery

Summary The kanidmd web UI renders the WebAuthn passkey-registration challenge as raw JSON inside an inline element using the Askama |safe filter. The challenge embeds the account's displayname, which serdejson serialises without escaping . A displayname containing therefore terminates the script...

Kanidm: Stored HTML injection in "passkey-enrolment" partial via displayname → htmx-driven authenticated request forgery

Summary The kanidmd web UI renders the WebAuthn passkey-registration challenge as raw JSON inside an inline element using the Askama |safe filter. The challenge embeds the account's displayname, which serdejson serialises without escaping . A displayname containing therefore terminates the script...

GHSA-FCX8-PH5R-MXR4 Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp()

Summary Flight::jsonp concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that the value is a legal JavaScript identifier. An attacker can inject arbitrary JavaScript that executes in the response origin, enabling reflected cross-site...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Flight::jsonp process. An attacker can execute arbitrary JavaScript in the context of the response origin by supplying a crafted jsonp query parameter, which is concatenated directly into the JavaScript...

EUVD-2026-28113

Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed an attacker on the local network segment to bypass same origin policy via malicious network traffic. Chromium security severity: Low...

EUVD-2026-28042

Integer overflow in Network in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. Chromium security severity: Medium...

EUVD-2026-28057

Inappropriate implementation in Canvas in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass same origin policy via a crafted HTML page. Chromium security severity: Medium...

CVE-2026-8005

Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed an attacker on the local network segment to bypass same origin policy via malicious network traffic. Chromium security severity: Low...

CVE-2026-7977

Inappropriate implementation in Canvas in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass same origin policy via a crafted HTML page. Chromium security severity: Medium...

CVE-2026-7968

Insufficient validation of untrusted input in CORS in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. Chromium security severity: Medium...

CVE-2026-7969

Integer overflow in Network in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. Chromium security severity: Medium...

CVE-2026-8005

Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed an attacker on the local network segment to bypass same origin policy via malicious network traffic. Chromium security severity: Low...

CVE-2026-8005

Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed an attacker on the local network segment to bypass same origin policy via malicious network traffic. Chromium security severity: Low...

CVE-2026-8005

Summary: CVE-2026-8005 in Google Chrome involves insufficient validation of untrusted input in the Cast component, enabling a local-network attacker to bypass the same-origin policy. Affected software/area: Google Chrome prior to 148.0.7778.96 (Cast). Root cause / scope: Insufficient input valida...

CVE-2026-8005

Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed an attacker on the local network segment to bypass same origin policy via malicious network traffic. Chromium security severity: Low...

CVE-2026-7977

Inappropriate implementation in Canvas in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass same origin policy via a crafted HTML page. Chromium security severity: Medium...