3 matches found
CVE-2026-42188
Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Prior to 2.9.3, a server-side request forgery SSRF vulnerability exists in Geyser’s handling of Bedrock player head texture data. By supplying a crafted Base64-encoded skin texture URL via the /give command, an...
Uncapped length of skin data fields submitted by players
Impact Some skin data fields e.g. skinID, geometryName are not capped in length. These fields are typically saved in the NBT data of a player when the player quits the server, or during an autosave. This is problematic due to the 32767 byte limit on TAGStrings. If any of these fields exceeds 3276...
GHSA-C6FG-99PR-25M9 Uncapped length of skin data fields submitted by players
Impact Some skin data fields e.g. skinID, geometryName are not capped in length. These fields are typically saved in the NBT data of a player when the player quits the server, or during an autosave. This is problematic due to the 32767 byte limit on TAGStrings. If any of these fields exceeds 3276...