2.4
CVE-2026-42188
- EPSS 0.16%
- Veröffentlicht 11.05.2026 21:25:27
- Zuletzt bearbeitet 13.05.2026 16:32:31
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Geyser: Server-Side Request Forgery (SSRF) via Player Head Texture URL
Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Prior to 2.9.3, a server-side request forgery (SSRF) vulnerability exists in Geyser’s handling of Bedrock player head texture data. By supplying a crafted Base64-encoded skin texture URL via the /give command, an attacker can cause the Minecraft server to issue arbitrary HTTP GET requests to attacker-controlled or internal endpoints. This occurs server-side, without proper URL validation, and can be triggered by a Bedrock client. This vulnerability is fixed in 2.9.3.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerGeyserMC
≫
Produkt
Geyser
Version
< 2.9.3
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.16% | 0.053 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 2.4 | 0.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
|
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
https://github.com/GeyserMC/Geyser/security/advisories/GHSA-xcfg-fcr5-gw9r