freedesktop

Top products

The 15 most recently published vulnerabilities affecting freedesktop.

• CVE-2026-50292In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution7.4Jun 4, 2026
• CVE-2026-46470An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate atom data before p...4.0May 14, 2026
• CVE-2026-46469An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_parse_trak function does not sufficiently validate atom data before p...4.0May 14, 2026
• CVE-2026-35094Libinput: libinput: information disclosure via dangling pointer in lua plugin handling3.3Apr 1, 2026
• CVE-2026-35093Libinput: libinput: unauthorized code execution and information disclosure through lua bytecode plugins8.8Apr 1, 2026
• CVE-2026-4897Polkit: polkit: denial of service via unbounded input processing through standard input5.5Mar 26, 2026
• CVE-2026-1940Gstreamer: incomplete fix of cve-2026-19405.1Mar 23, 2026
• CVE-2026-26104Udisks: missing authorization check allows unprivileged users to back up luks headers via udisks d-bus api5.5Feb 25, 2026
• CVE-2026-26103Udisks: missing authorization check allows unprivileged users to restore luks headers via udisks d-bus api7.1Feb 25, 2026
• CVE-2025-43718Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expr...2.9Oct 1, 2025
• CVE-2025-50420An issue in the pdfseparate utility of freedesktop poppler v25.04.0 allows attackers to cause an infinite recursion via supplying a crafted PDF file. This can lead to a Denial of Service (DoS).6.5Aug 4, 2025
• CVE-2025-52886Poppler Use After Free Vulnerability5.9Jul 2, 2025
• CVE-2025-52968xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-hand...2.7Jun 23, 2025
• CVE-2025-43903NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.4.3Apr 18, 2025
• CVE-2025-32365Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.4.0Apr 5, 2025