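No looking back at the past, no pausing in security. AiRedTeam's security notes, recording the late nights spent sparring with code and vulnerabilities. With code as the sword and vulnerabilities as the whetstone, we guard a patch of clean digital ground. May these writings become a Baize that watches over all things.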

Security Intelligence

CVE-2026-42459 - Free5GC UDM has Improper Input Validation and Generation of Error Messages Conta

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42459 · GHSA-585v-hcgf-jhfr · HIGH · go/github.com/free5gc/udm
Summary: The free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An

CVE-2026-42328 - go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42328 · GHSA-w239-58x2-q8p5 · MEDIUM · go/github.com/ipld/go-ipld-prime
The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder

CVE-2026-44312 - CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44312 · GHSA-ff6c-w6qf-7xqc · MEDIUM · rubygems/css_parser
Summary: The CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS.

CVE-2026-42083 - Free5GC PCF: Missing authentication middleware in Npcf_SMPolicyControl allows ac

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42083 · GHSA-6rgm-gr97-x3j5 · HIGH · go/github.com/free5gc/pcf
Summary: PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI. Details: In NewServer(), the smPolicyGroup route group

CVE-2026-42081 - Free5GC AMF Bypasses UE Security Capabilities on NGAP PathSwitchRequest

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42081 · GHSA-77x9-rf64-92gv · MEDIUM · go/github.com/free5gc/amf
Summary: The AMF in Free5GC v4.2.1 does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated

CVE-2026-44504 - Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR)

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44504 · GHSA-m98r-6667-4wq7 · HIGH · pip/aegra-api
Impact: Aegra deployments running 0.9.0 through 0.9.6 with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated user

CVE-2026-44503 - Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on c

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44503 · GHSA-7j59-v9qr-6fq9 · HIGH · maven/com.microsoft.kiota:microsoft-kiota-abstractions
Summary: The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx

GHSA-39g5-644c-qwcg - container: pf Rule Injection via Domain Name Argument in `container system dns c

📡 GitHub-Advisory · 2026-05-07 · GHSA-39g5-644c-qwcg · LOW · swift/github.com/apple/container
Product Name: container · GitHub Link: https://github.com/apple/container · Version: <= 0.12.2
Summary: The container system dns create --localhost command accepts a

CVE-2026-41050 - Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` d

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-41050 · GHSA-765j-qfrp-hm3j · CRITICAL · go/github.com/rancher/fleet
Impact: Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository

CVE-2026-42597 - Gotenberg allows Chromium URL conversion routes to read arbitrary files under /t

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42597 · GHSA-g924-cjx7-2rjw · MEDIUM · go/github.com/gotenberg/gotenberg/v8
Summary: The /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list

CVE-2026-42596 - Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in dow

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42596 · GHSA-4vmc-gm8v-m35h · CRITICAL · go/github.com/gotenberg/gotenberg/v8
Summary: The default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an

CVE-2026-42594 - Gotenberg has an unauthenticated denial of service via echo.Context pool reuse i

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42594 · GHSA-r33j-c622-r6qp · HIGH · go/github.com/gotenberg/gotenberg/v8
Summary: The webhook middleware spawns a goroutine that holds a reference to the request's echo.Context after the synchronous handler

CVE-2026-42593 - Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in m

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42593 · GHSA-3cv5-q585-h563 · MEDIUM · go/github.com/gotenberg/gotenberg/v8
Summary: Six conversion routes (pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, chromium/convert/markdown) accept stampSource=pdf + stampExpression=/path

CVE-2026-42592 - Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion ro

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42592 · GHSA-2pmr-289p-44r3 · MEDIUM · go/github.com/gotenberg/gotenberg/v8
Summary: FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved

CVE-2026-42590 - Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42590 · GHSA-7v3r-m9c8-r855 · HIGH · go/github.com/gotenberg/gotenberg/v8
Summary: The ExifTool metadata write blocklist in Gotenberg v8 can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink

CVE-2026-42589 - Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42589 · GHSA-rqgh-gxv4-6657 · CRITICAL · go/github.com/gotenberg/gotenberg/v8
Unauthenticated RCE in Gotenberg via Metadata Key Newline Injection. Summary: Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes

CVE-2026-42587 - Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42587 · GHSA-f6hv-jmp6-3vwv · HIGH · maven/io.netty:netty-codec-http
Summary: HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but

CVE-2026-42586 - Netty Redis Codec Encoder has a CRLF Injection Issue

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42586 · GHSA-rgrr-p7gp-5xj7 · MEDIUM · maven/io.netty:netty-codec-redis
Security Vulnerability Report: CRLF Injection in Netty Redis Codec Encoder. 1. Vulnerability Summary. Product: Netty · Version: 4.2.12.Final (and all prior versions with codec-redis) · Component

CVE-2026-42585 - Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42585 · GHSA-38f8-5428-x5cv · MEDIUM · maven/io.netty:netty-codec-http
Summary: Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. Details: Netty incorrectly marks a request as chunked when malformed "Transfer-Encoding: chunked, identity" is present.

CVE-2026-42584 - Netty has HttpClientCodec response desynchronization

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42584 · GHSA-57rv-r2g8-2cj3 · HIGH · maven/io.netty:netty-codec-http
Summary: If HttpClientCodec is configured, there are use cases in which a response body from one request can be parsed as another's. Details: HttpClientCodec pairs each inbound response with an outbound

CVE-2026-42583 - Netty Lz4FrameDecoder is vulnerable to resource exhaustion

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42583 · GHSA-mj4r-2hfc-f8p6 · HIGH · maven/io.netty:netty-codec-compression
Summary: Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22
[!] CONTACT_CHANNELS

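For business cooperation, technical consulting, or vulnerability reports, please contact the author through the following offshore nodes.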

> PING_AUTHOR (@A1RedTeam)