Data is truncated wrong when its length is greater than 255 bytes.
Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689.
A Command Injection vulnerability in Schneider Electric homeLYnk Controller exists in all versions before 1.5.0.
Lack of permission checks in the InitializeDevelPackage function in openSUSE Open Build Service before 2.9.3 allowed authenticated users to modify packages where they do not have write permissions.