Security update for govulncheck-vulndb SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0757-1 Final 1 1 2026-03-03T11:34:04Z current 2026-03-03T11:34:04Z 2026-03-03T11:34:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for govulncheck-vulndb This update for govulncheck-vulndb fixes the following issues: Update to version 0.0.20260226T182644 2026-02-26T18:26:44Z (jsc#PED-11136) Go CVE Numbering Authority IDs added or updated with aliases: * GO-2025-4259 CVE-2025-13767 GHSA-fmqf-pmcm-8cx9 * GO-2025-4260 CVE-2025-64641 GHSA-vww6-79rv-3j4x * GO-2026-4282 CVE-2017-18873 GHSA-x6mw-hf2j-vqpc * GO-2026-4305 CVE-2017-18903 GHSA-fcwg-45jh-5qhf * GO-2026-4325 CVE-2025-14822 GHSA-9r42-rhw3-2222 * GO-2026-4326 CVE-2025-14435 GHSA-mx8m-v8qm-xwr8 * GO-2026-4332 CVE-2026-23644 GHSA-2657-3c98-63jq * GO-2026-4348 CVE-2026-23991 GHSA-846p-jg2w-w324 * GO-2026-4349 CVE-2026-23992 GHSA-fphv-w9fq-2525 * GO-2026-4377 CVE-2026-24686 GHSA-jqc5-w2xx-5vq4 * GO-2026-4410 CVE-2026-25140 GHSA-f4w5-5xv9-85f6 * GO-2026-4502 CVE-2026-25766 GHSA-pgvm-wxw2-hrv9 * GO-2026-4534 CVE-2026-25899 GHSA-2mr3-m5q5-wgp6 * GO-2026-4535 CVE-2026-27585 GHSA-4xrr-hq4w-6vf4 * GO-2026-4536 CVE-2026-27590 GHSA-5r3v-vc8m-m96g * GO-2026-4537 CVE-2026-27589 GHSA-879p-475x-rqh2 * GO-2026-4538 CVE-2026-27587 GHSA-g7pc-pc7g-h8jh * GO-2026-4539 CVE-2026-27586 GHSA-hffm-g8v7-wrv7 * GO-2026-4540 CVE-2026-25891 GHSA-m3c2-496v-cw3v * GO-2026-4541 CVE-2026-27588 GHSA-x76f-jf84-rqj8 * GO-2026-4543 CVE-2026-25882 GHSA-mrq8-rjmw-wpq3 * GO-2026-4559 CVE-2026-27141 Update to version 0.0.20260225T230704 2026-02-25T23:07:04Z. * GO-2026-4358 CVE-2026-24137 GHSA-fcv2-xgw5-pqxf * GO-2026-4361 GHSA-c32p-wcqj-j677 * GO-2026-4394 CVE-2026-24051 GHSA-9h8m-3fm2-qjrq * GO-2026-4399 CVE-2026-25518 GHSA-gx3x-vq4p-mhhv * GO-2026-4507 CVE-2026-26314 GHSA-2gjw-fg97-vg3r * GO-2026-4508 CVE-2026-26313 GHSA-689v-6xwf-5jf3 * GO-2026-4509 CVE-2026-27017 GHSA-7m29-f4hw-g2vx * GO-2026-4511 CVE-2026-26315 GHSA-m6j8-rg6r-7mv8 * GO-2026-4512 CVE-2026-26995 GHSA-rrxv-pmq9-x67r * GO-2026-4531 CVE-2026-25591 GHSA-w6x6-9fp7-fqm4 * GO-2026-4532 CVE-2026-25802 GHSA-299v-8pq9-5gjq * GO-2026-4533 CVE-2026-27571 GHSA-qrvq-68c2-7grw * GO-2026-4542 CVE-2026-27598 GHSA-6v48-fcq6-ff23 * GO-2026-4545 CVE-2025-50180 GHSA-3c9r-837r-qqm4 * GO-2026-4546 CVE-2026-27611 GHSA-8vrh-3pm2-v4v6 * GO-2026-4547 CVE-2026-27626 GHSA-49gm-hh7w-wfvf * GO-2026-4548 GHSA-2phg-qgmm-r638 Update to version 0.0.20260223T182315 2026-02-23T18:23:15Z. * GO-2026-4392 CVE-2026-24845 GHSA-9m43-p3cx-w8j5 * GO-2026-4434 CVE-2023-43635 GHSA-4jvr-vj2c-8q37 * GO-2026-4435 CVE-2023-43636 GHSA-5h7v-g49c-h887 * GO-2026-4436 CVE-2023-43637 GHSA-g7vp-j25f-h34p * GO-2026-4442 GHSA-x9p2-77v6-6vhf * GO-2026-4444 CVE-2026-23989 GHSA-9j2f-3rj3-wgpg * GO-2026-4445 CVE-2026-25760 GHSA-2286-hxv5-cmp2 * GO-2026-4446 CVE-2026-24851 GHSA-jq9f-gm9w-rwm9 * GO-2026-4447 GHSA-vf5j-r2hw-2hrw * GO-2026-4448 CVE-2025-64111 GHSA-gg64-xxr9-qhjp * GO-2026-4449 CVE-2025-64175 GHSA-p6x6-9mx6-26wj * GO-2026-4450 CVE-2026-23632 GHSA-5qhx-gwfj-6jqr * GO-2026-4451 CVE-2026-22592 GHSA-cr88-6mqm-4g57 * GO-2026-4452 CVE-2026-24135 GHSA-jp7c-wj6q-3qf2 * GO-2026-4453 CVE-2026-23633 GHSA-mrph-w4hh-gx3g * GO-2026-4454 GHSA-26gq-grmh-6xm6 * GO-2026-4455 CVE-2025-70963 GHSA-9f8m-9547-2gqm * GO-2026-4456 CVE-2025-13523 GHSA-ffx7-34p2-vm3w * GO-2026-4457 CVE-2025-65852 GHSA-rjv5-9px2-fqw6 * GO-2026-4458 CVE-2026-25793 GHSA-69x3-g4r3-p962 * GO-2026-4459 CVE-2017-18907 GHSA-42x9-rr3c-gr59 * GO-2026-4460 CVE-2017-18918 GHSA-5ghq-28r7-qwfj * GO-2026-4461 CVE-2026-25804 GHSA-86x4-wp9f-wrr9 * GO-2026-4462 CVE-2017-18915 GHSA-hxxj-8phw-74vw * GO-2026-4463 CVE-2017-18917 GHSA-jxc4-w54c-qv5r * GO-2026-4464 CVE-2017-18911 GHSA-m462-mqw4-2c8m * GO-2026-4465 GHSA-vhvq-fv9f-wh4q * GO-2026-4466 CVE-2026-25791 GHSA-wxrw-gvg8-fqjp * GO-2026-4467 CVE-2017-18916 GHSA-x33g-375j-jhf7 * GO-2026-4471 CVE-2025-66630 GHSA-68rr-p4fp-j59v * GO-2026-4473 CVE-2026-25934 GHSA-37cx-329c-33x3 * GO-2026-4474 CVE-2026-25890 GHSA-4mh3-h929-w968 * GO-2026-4475 CVE-2026-25889 GHSA-hxw8-4h9j-hq2r * GO-2026-4476 CVE-2017-18908 GHSA-34cx-hvm4-vx7j * GO-2026-4477 CVE-2017-18906 GHSA-fpcr-4rr5-hpcp * GO-2026-4478 CVE-2017-18909 GHSA-r6j5-fqx9-7qv9 * GO-2026-4479 CVE-2026-26014 GHSA-9f3f-wv7r-qc8r * GO-2026-4480 CVE-2026-25935 GHSA-m4g2-2q66-vc9v * GO-2026-4481 CVE-2026-26190 GHSA-7ppg-37fh-vcr6 * GO-2026-4483 CVE-2026-21438 GHSA-2f2x-8mwp-p2gc * GO-2026-4484 CVE-2026-25949 GHSA-89p3-4642-cr2w * GO-2026-4485 CVE-2026-21434 GHSA-g6x7-jq8p-6q9q * GO-2026-4486 CVE-2026-24895 GHSA-g966-83w7-6w38 * GO-2026-4487 CVE-2017-18912 GHSA-m2ch-x2q7-2284 * GO-2026-4488 CVE-2026-21435 GHSA-px4r-g4p3-hhqv * GO-2026-4489 CVE-2026-24894 GHSA-r3xh-3r3w-47gp * GO-2026-4490 CVE-2025-67860 GHSA-3c9m-gq32-g4jx * GO-2026-4491 CVE-2026-26055 GHSA-965m-v4cc-6334 * GO-2026-4493 CVE-2026-26056 GHSA-wj8p-jj64-h7ff * GO-2026-4494 CVE-2026-26187 GHSA-699m-4v95-rmpm * GO-2026-4495 CVE-2026-20796 GHSA-2xf7-hmf6-p64j * GO-2026-4496 CVE-2026-22892 GHSA-9pj7-jh2r-87g8 * GO-2026-4497 GHSA-hr7j-63v7-vj7g * GO-2026-4498 CVE-2026-25232 GHSA-2c6v-8r3v-gh6p * GO-2026-4499 CVE-2026-25229 GHSA-cv22-72px-f4gh * GO-2026-4500 CVE-2026-25242 GHSA-fc3h-92p8-h36f * GO-2026-4501 CVE-2026-25120 GHSA-jj5m-h57j-5gv7 * GO-2026-4503 CVE-2026-26958 * GO-2026-4504 CVE-2026-26201 GHSA-f5p9-j34q-pwcc * GO-2026-4505 CVE-2026-26957 GHSA-wgm6-9rvv-3438 * GO-2026-4506 CVE-2026-26205 GHSA-9f29-v6mm-pw6w * GO-2026-4515 CVE-2026-27111 GHSA-5vvm-67pj-72g4 * GO-2026-4516 CVE-2026-27112 GHSA-7g9x-cp9g-92mr * GO-2026-4517 CVE-2026-24834 GHSA-wwj6-vghv-5p64 * GO-2026-4519 CVE-2026-0997 GHSA-2phx-frhf-xr55 * GO-2026-4520 CVE-2026-0999 GHSA-3c9r-7f29-qp32 * GO-2026-4521 CVE-2025-14350 GHSA-57cc-2pf4-mhmx * GO-2026-4522 CVE-2026-26963 GHSA-5r23-prx4-mqg3 * GO-2026-4523 CVE-2025-14573 GHSA-cgjg-p2m2-qm4p * GO-2026-4524 CVE-2025-13821 GHSA-pp9j-pf5c-659x * GO-2026-4525 CVE-2026-0998 GHSA-w65c-fvp5-fvc5 * GO-2026-4527 GHSA-6qr9-g2xw-cw92 * GO-2026-4528 GHSA-j9wf-6r2x-hqmx * GO-2026-4529 CVE-2026-24122 GHSA-wfqv-66vq-46rm * GO-2026-4530 GHSA-gv8r-9rw9-9697 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-757,openSUSE-SLE-15.6-2026-757 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ Link for SUSE-SU-2026:0757-1 https://lists.suse.com/pipermail/sle-security-updates/2026-March/024527.html E-Mail link for SUSE-SU-2026:0757-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-18873/ SUSE CVE CVE-2017-18873 page https://www.suse.com/security/cve/CVE-2017-18903/ SUSE CVE CVE-2017-18903 page https://www.suse.com/security/cve/CVE-2017-18906/ SUSE CVE CVE-2017-18906 page https://www.suse.com/security/cve/CVE-2017-18907/ SUSE CVE CVE-2017-18907 page https://www.suse.com/security/cve/CVE-2017-18908/ SUSE CVE CVE-2017-18908 page https://www.suse.com/security/cve/CVE-2017-18909/ SUSE CVE CVE-2017-18909 page https://www.suse.com/security/cve/CVE-2017-18911/ SUSE CVE CVE-2017-18911 page https://www.suse.com/security/cve/CVE-2017-18912/ SUSE CVE CVE-2017-18912 page https://www.suse.com/security/cve/CVE-2017-18915/ SUSE CVE CVE-2017-18915 page https://www.suse.com/security/cve/CVE-2017-18916/ SUSE CVE CVE-2017-18916 page https://www.suse.com/security/cve/CVE-2017-18917/ SUSE CVE CVE-2017-18917 page https://www.suse.com/security/cve/CVE-2017-18918/ SUSE CVE CVE-2017-18918 page https://www.suse.com/security/cve/CVE-2023-43635/ SUSE CVE CVE-2023-43635 page https://www.suse.com/security/cve/CVE-2023-43636/ SUSE CVE CVE-2023-43636 page https://www.suse.com/security/cve/CVE-2023-43637/ SUSE CVE CVE-2023-43637 page https://www.suse.com/security/cve/CVE-2025-13523/ SUSE CVE CVE-2025-13523 page https://www.suse.com/security/cve/CVE-2025-13767/ SUSE CVE CVE-2025-13767 page https://www.suse.com/security/cve/CVE-2025-13821/ SUSE CVE CVE-2025-13821 page https://www.suse.com/security/cve/CVE-2025-14350/ SUSE CVE CVE-2025-14350 page https://www.suse.com/security/cve/CVE-2025-14435/ SUSE CVE CVE-2025-14435 page https://www.suse.com/security/cve/CVE-2025-14573/ SUSE CVE CVE-2025-14573 page https://www.suse.com/security/cve/CVE-2025-14822/ SUSE CVE CVE-2025-14822 page https://www.suse.com/security/cve/CVE-2025-50180/ SUSE CVE CVE-2025-50180 page https://www.suse.com/security/cve/CVE-2025-64111/ SUSE CVE CVE-2025-64111 page https://www.suse.com/security/cve/CVE-2025-64175/ SUSE CVE CVE-2025-64175 page https://www.suse.com/security/cve/CVE-2025-64641/ SUSE CVE CVE-2025-64641 page https://www.suse.com/security/cve/CVE-2025-65852/ SUSE CVE CVE-2025-65852 page https://www.suse.com/security/cve/CVE-2025-66630/ SUSE CVE CVE-2025-66630 page https://www.suse.com/security/cve/CVE-2025-67860/ SUSE CVE CVE-2025-67860 page https://www.suse.com/security/cve/CVE-2025-70963/ SUSE CVE CVE-2025-70963 page https://www.suse.com/security/cve/CVE-2026-0997/ SUSE CVE CVE-2026-0997 page https://www.suse.com/security/cve/CVE-2026-0998/ SUSE CVE CVE-2026-0998 page https://www.suse.com/security/cve/CVE-2026-0999/ SUSE CVE CVE-2026-0999 page https://www.suse.com/security/cve/CVE-2026-20796/ SUSE CVE CVE-2026-20796 page https://www.suse.com/security/cve/CVE-2026-21434/ SUSE CVE CVE-2026-21434 page https://www.suse.com/security/cve/CVE-2026-21435/ SUSE CVE CVE-2026-21435 page https://www.suse.com/security/cve/CVE-2026-21438/ SUSE CVE CVE-2026-21438 page https://www.suse.com/security/cve/CVE-2026-22592/ SUSE CVE CVE-2026-22592 page https://www.suse.com/security/cve/CVE-2026-22892/ SUSE CVE CVE-2026-22892 page https://www.suse.com/security/cve/CVE-2026-23632/ SUSE CVE CVE-2026-23632 page https://www.suse.com/security/cve/CVE-2026-23633/ SUSE CVE CVE-2026-23633 page https://www.suse.com/security/cve/CVE-2026-23644/ SUSE CVE CVE-2026-23644 page https://www.suse.com/security/cve/CVE-2026-23989/ SUSE CVE CVE-2026-23989 page https://www.suse.com/security/cve/CVE-2026-23991/ SUSE CVE CVE-2026-23991 page https://www.suse.com/security/cve/CVE-2026-23992/ SUSE CVE CVE-2026-23992 page https://www.suse.com/security/cve/CVE-2026-24051/ SUSE CVE CVE-2026-24051 page https://www.suse.com/security/cve/CVE-2026-24122/ SUSE CVE CVE-2026-24122 page https://www.suse.com/security/cve/CVE-2026-24135/ SUSE CVE CVE-2026-24135 page https://www.suse.com/security/cve/CVE-2026-24137/ SUSE CVE CVE-2026-24137 page https://www.suse.com/security/cve/CVE-2026-24686/ SUSE CVE CVE-2026-24686 page https://www.suse.com/security/cve/CVE-2026-24834/ SUSE CVE CVE-2026-24834 page https://www.suse.com/security/cve/CVE-2026-24845/ SUSE CVE CVE-2026-24845 page https://www.suse.com/security/cve/CVE-2026-24851/ SUSE CVE CVE-2026-24851 page https://www.suse.com/security/cve/CVE-2026-24894/ SUSE CVE CVE-2026-24894 page https://www.suse.com/security/cve/CVE-2026-24895/ SUSE CVE CVE-2026-24895 page https://www.suse.com/security/cve/CVE-2026-25120/ SUSE CVE CVE-2026-25120 page https://www.suse.com/security/cve/CVE-2026-25140/ SUSE CVE CVE-2026-25140 page https://www.suse.com/security/cve/CVE-2026-25229/ SUSE CVE CVE-2026-25229 page https://www.suse.com/security/cve/CVE-2026-25232/ SUSE CVE CVE-2026-25232 page https://www.suse.com/security/cve/CVE-2026-25242/ SUSE CVE CVE-2026-25242 page https://www.suse.com/security/cve/CVE-2026-25518/ SUSE CVE CVE-2026-25518 page https://www.suse.com/security/cve/CVE-2026-25591/ SUSE CVE CVE-2026-25591 page https://www.suse.com/security/cve/CVE-2026-25760/ SUSE CVE CVE-2026-25760 page https://www.suse.com/security/cve/CVE-2026-25766/ SUSE CVE CVE-2026-25766 page https://www.suse.com/security/cve/CVE-2026-25791/ SUSE CVE CVE-2026-25791 page https://www.suse.com/security/cve/CVE-2026-25793/ SUSE CVE CVE-2026-25793 page https://www.suse.com/security/cve/CVE-2026-25802/ SUSE CVE CVE-2026-25802 page https://www.suse.com/security/cve/CVE-2026-25804/ SUSE CVE CVE-2026-25804 page https://www.suse.com/security/cve/CVE-2026-25882/ SUSE CVE CVE-2026-25882 page https://www.suse.com/security/cve/CVE-2026-25889/ SUSE CVE CVE-2026-25889 page https://www.suse.com/security/cve/CVE-2026-25890/ SUSE CVE CVE-2026-25890 page https://www.suse.com/security/cve/CVE-2026-25891/ SUSE CVE CVE-2026-25891 page https://www.suse.com/security/cve/CVE-2026-25899/ SUSE CVE CVE-2026-25899 page https://www.suse.com/security/cve/CVE-2026-25934/ SUSE CVE CVE-2026-25934 page https://www.suse.com/security/cve/CVE-2026-25935/ SUSE CVE CVE-2026-25935 page https://www.suse.com/security/cve/CVE-2026-25949/ SUSE CVE CVE-2026-25949 page https://www.suse.com/security/cve/CVE-2026-26014/ SUSE CVE CVE-2026-26014 page https://www.suse.com/security/cve/CVE-2026-26055/ SUSE CVE CVE-2026-26055 page https://www.suse.com/security/cve/CVE-2026-26056/ SUSE CVE CVE-2026-26056 page https://www.suse.com/security/cve/CVE-2026-26187/ SUSE CVE CVE-2026-26187 page https://www.suse.com/security/cve/CVE-2026-26190/ SUSE CVE CVE-2026-26190 page https://www.suse.com/security/cve/CVE-2026-26201/ SUSE CVE CVE-2026-26201 page https://www.suse.com/security/cve/CVE-2026-26205/ SUSE CVE CVE-2026-26205 page https://www.suse.com/security/cve/CVE-2026-26313/ SUSE CVE CVE-2026-26313 page https://www.suse.com/security/cve/CVE-2026-26314/ SUSE CVE CVE-2026-26314 page https://www.suse.com/security/cve/CVE-2026-26315/ SUSE CVE CVE-2026-26315 page https://www.suse.com/security/cve/CVE-2026-26957/ SUSE CVE CVE-2026-26957 page https://www.suse.com/security/cve/CVE-2026-26958/ SUSE CVE CVE-2026-26958 page https://www.suse.com/security/cve/CVE-2026-26963/ SUSE CVE CVE-2026-26963 page https://www.suse.com/security/cve/CVE-2026-26995/ SUSE CVE CVE-2026-26995 page https://www.suse.com/security/cve/CVE-2026-27017/ SUSE CVE CVE-2026-27017 page https://www.suse.com/security/cve/CVE-2026-27111/ SUSE CVE CVE-2026-27111 page https://www.suse.com/security/cve/CVE-2026-27112/ SUSE CVE CVE-2026-27112 page https://www.suse.com/security/cve/CVE-2026-27141/ SUSE CVE CVE-2026-27141 page https://www.suse.com/security/cve/CVE-2026-27571/ SUSE CVE CVE-2026-27571 page https://www.suse.com/security/cve/CVE-2026-27585/ SUSE CVE CVE-2026-27585 page https://www.suse.com/security/cve/CVE-2026-27586/ SUSE CVE CVE-2026-27586 page https://www.suse.com/security/cve/CVE-2026-27587/ SUSE CVE CVE-2026-27587 page https://www.suse.com/security/cve/CVE-2026-27588/ SUSE CVE CVE-2026-27588 page https://www.suse.com/security/cve/CVE-2026-27589/ SUSE CVE CVE-2026-27589 page https://www.suse.com/security/cve/CVE-2026-27590/ SUSE CVE CVE-2026-27590 page https://www.suse.com/security/cve/CVE-2026-27598/ SUSE CVE CVE-2026-27598 page https://www.suse.com/security/cve/CVE-2026-27611/ SUSE CVE CVE-2026-27611 page https://www.suse.com/security/cve/CVE-2026-27626/ SUSE CVE CVE-2026-27626 page openSUSE Leap 15.6 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to cause a denial of service (channel invisibility) via a misformatted post. CVE-2017-18873 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2017-18873.html CVE-2017-18873 An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled. CVE-2017-18903 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2017-18903.html CVE-2017-18903 An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account. CVE-2017-18906 important 4.9 AV:N/AC:M/Au:S/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2017-18906.html CVE-2017-18906 An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header. CVE-2017-18907 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2017-18907.html CVE-2017-18907 An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address. CVE-2017-18908 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2017-18908.html CVE-2017-18908 An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory. CVE-2017-18909 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2017-18909.html CVE-2017-18909 An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server. CVE-2017-18911 important 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2017-18911.html CVE-2017-18911 An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file. CVE-2017-18912 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2017-18912.html CVE-2017-18912 An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access. CVE-2017-18915 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2017-18915.html CVE-2017-18915 An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction. CVE-2017-18916 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2017-18916.html CVE-2017-18916 An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens. CVE-2017-18917 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2017-18917.html CVE-2017-18917 An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname. CVE-2017-18918 important 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2017-18918.html CVE-2017-18918 Vault Key Sealed With SHA1 PCRs The measured boot solution implemented in EVE OS leans on a PCR locking mechanism. Different parts of the system update different PCR values in the TPM, resulting in a unique value for each PCR entry. These PCRs are then used in order to seal/unseal a key from the TPM which is used to encrypt/decrypt the "vault" directory. This "vault" directory is the most sensitive point in the system and as such, its content should be protected. This mechanism is noted in Zededa's documentation as the "measured boot" mechanism, designed to protect said "vault". The code that's responsible for generating and fetching the key from the TPM assumes that SHA256 PCRs are used in order to seal/unseal the key, and as such their presence is being checked. The issue here is that the key is not sealed using SHA256 PCRs, but using SHA1 PCRs. This leads to several issues: • Machines that have their SHA256 PCRs enabled but SHA1 PCRs disabled, as well as not sealing their keys at all, meaning the "vault" is not protected from an attacker. • SHA1 is considered insecure and reduces the complexity level required to unseal the key in machines which have their SHA1 PCRs enabled. An attacker can very easily retrieve the contents of the "vault", which will effectively render the "measured boot" mechanism meaningless. CVE-2023-43635 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2023-43635.html CVE-2023-43635 In EVE OS, the "measured boot" mechanism prevents a compromised device from accessing the encrypted data located in the vault. As per the "measured boot" design, the PCR values calculated at different stages of the boot process will change if any of their respective parts are changed. This includes, among other things, the configuration of the bios, grub, the kernel cmdline, initrd, and more. However, this mechanism does not validate the entire rootfs, so an attacker can edit the filesystem and gain control over the system. As the default filesystem used by EVE OS is squashfs, this is somewhat harder than an ext4, which is easily changeable. This will not stop an attacker, as an attacker can repackage the squashfs with their changes in it and replace the partition altogether. This can also be done directly on the device, as the "003-storage-init" container contains the "mksquashfs" and "unsquashfs" binaries (with the corresponding libs). An attacker can gain full control over the device without changing the PCR values, thus not triggering the "measured boot" mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: • aa3501d6c57206ced222c33aea15a9169d629141 • 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot. CVE-2023-43636 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2023-43636.html CVE-2023-43636 Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32byte randomly generated key with this key (by takeing 16bytes from each, see "mergeKeys"). This makes the key a lot weaker. This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue. Roll an update that enforces the full 32bytes key usage. CVE-2023-43637 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2023-43637.html CVE-2023-43637 Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connection link that, when visited, renders the attacker's display name without proper sanitization. Mattermost Advisory ID: MMSA-2025-00557 CVE-2025-13523 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2025-13523.html CVE-2025-13523 Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to. CVE-2025-13767 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2025-13767.html CVE-2025-13767 Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560 CVE-2025-13821 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2025-13821.html CVE-2025-13821 Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563 CVE-2025-14350 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2025-14350.html CVE-2025-14350 Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops. CVE-2025-14435 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2025-14435.html CVE-2025-14435 Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561 CVE-2025-14573 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2025-14573.html CVE-2025-14573 Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens CVE-2025-14822 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2025-14822.html CVE-2025-14822 esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability. CVE-2025-50180 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2025-50180.html CVE-2025-50180 Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev. CVE-2025-64111 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2025-64111.html CVE-2025-64111 Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs' 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim's username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim's 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev. CVE-2025-64175 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2025-64175.html CVE-2025-64175 Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts CVE-2025-64641 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2025-64641.html CVE-2025-64641 unknown CVE-2025-65852 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2025-65852.html CVE-2025-65852 Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11. CVE-2025-66630 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2025-66630.html CVE-2025-66630 A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users. CVE-2025-67860 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2025-67860.html CVE-2025-67860 https://bugzilla.suse.com/1257766 SUSE Bug 1257766 Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user's long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context. CVE-2025-70963 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2025-70963.html CVE-2025-70963 Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate the authenticated user when processing {{/plugins/zoom/api/v1/channel-preference}}, which allows any logged-in user to change Zoom meeting restrictions for arbitrary channels via crafted API requests.. Mattermost Advisory ID: MMSA-2025-00558 CVE-2026-0997 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-0997.html CVE-2026-0997 Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via direct API calls with manipulated user IDs and post data.. Mattermost Advisory ID: MMSA-2025-00534 CVE-2026-0998 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-0998.html CVE-2026-0998 Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548 CVE-2026-0999 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-0999.html CVE-2026-0999 Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint.. Mattermost Advisory ID: MMSA-2025-00549 CVE-2026-20796 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-20796.html CVE-2026-20796 webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0. CVE-2026-21434 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-21434.html CVE-2026-21434 webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0. CVE-2026-21435 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-21435.html CVE-2026-21435 webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0. CVE-2026-21438 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-21438.html CVE-2026-21438 Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev. CVE-2026-22592 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-22592.html CVE-2026-22592 Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to via the /create-issue API endpoint by providing the post ID of an inaccessible post.. Mattermost Advisory ID: MMSA-2025-00550 CVE-2026-22892 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-22892.html CVE-2026-22892 Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev. CVE-2026-23632 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-23632.html CVE-2026-23632 Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev. CVE-2026-23633 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-23633.html CVE-2026-23633 esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue. CVE-2026-23644 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-23644.html CVE-2026-23644 REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the the "archiver" service this can be leveraged to create an archive (zip or tar-file) containing all resources that this creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3. CVE-2026-23989 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-23989.html CVE-2026-23989 go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available. CVE-2026-23991 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-23991.html CVE-2026-23991 https://bugzilla.suse.com/1257079 SUSE Bug 1257079 go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1. CVE-2026-23992 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-23992.html CVE-2026-23992 https://bugzilla.suse.com/1257084 SUSE Bug 1257084 OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0. CVE-2026-24051 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-24051.html CVE-2026-24051 https://bugzilla.suse.com/1259133 SUSE Bug 1259133 Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided timestamp would mean the issuing certificate should be considered expired. When verifying artifact signatures using a certificate, Cosign first verifies the certificate chain using the leaf certificate's "not before" timestamp and later checks expiry of the leaf certificate using either a signed timestamp provided by the Rekor transparency log or from a timestamp authority, or using the current time. The root and all issuing certificates are assumed to be valid during the leaf certificate's validity. There is no impact to users of the public Sigstore infrastructure. This may affect private deployments with customized PKIs. This issue has been fixed in version 3.0.5. CVE-2026-24122 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-24122.html CVE-2026-24122 https://bugzilla.suse.com/1258540 SUSE Bug 1258540 Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form. This issue has been patched in versions 0.13.4 and 0.14.0+dev. CVE-2026-24135 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-24135.html CVE-2026-24135 sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release. CVE-2026-24137 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-24137.html CVE-2026-24137 https://bugzilla.suse.com/1257137 SUSE Bug 1257137 go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch. CVE-2026-24686 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-24686.html CVE-2026-24686 https://bugzilla.suse.com/1257350 SUSE Bug 1257350 Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.27.0, an issue in Kata with Cloud Hypervisor allows a user of the container to modify the file system used by the Guest micro VM ultimately achieving arbitrary code execution as root in said VM. The current understanding is this doesn't impact the security of the Host or of other containers / VMs running on that Host (note that arm64 QEMU lacks NVDIMM read-only support: It is believed that until the upstream QEMU gains this capability, a guest write could reach the image file). Version 3.27.0 patches the issue. CVE-2026-24834 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-24834.html CVE-2026-24834 malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 0.10.0 and prior to version 1.20.3, malcontent could be made to expose Docker registry credentials if it scanned a specially crafted OCI image reference. malcontent uses google/go-containerregistry for OCI image pulls, which by default uses the Docker credential keychain. A malicious registry could return a `WWW-Authenticate` header redirecting token authentication to an attacker-controlled endpoint, causing credentials to be sent to that endpoint. Version 1.20.3 fixes the issue by defaulting to anonymous auth for OCI pulls. CVE-2026-24845 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-24845.html CVE-2026-24845 OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22<= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed. The vulnerability requires a model that has a a relation directly assignable by a type bound public access and assignable by type bound non-public access, a tuple assigned for the relation that is a type bound public access, a tuple assigned for the same object with the same relation that is not type bound public access, and a tuple assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access. This vulnerability is fixed in v1.11.3. CVE-2026-24851 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-24851.html CVE-2026-24851 FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2. CVE-2026-24894 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-24894.html CVE-2026-24894 FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP's CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., Ⱥ expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2. CVE-2026-24895 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-24895.html CVE-2026-24895 Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypassing authorization controls. The DeleteComment function retrieves a comment by ID without verifying repository ownership and the Database function DeleteCommentByID performs no repository validation. This issue has been fixed in version 0.14.0. CVE-2026-25120 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25120.html CVE-2026-25120 apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1. CVE-2026-25140 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25140.html CVE-2026-25140 Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issue.go) fails to verify that the label being modified belongs to the repository specified in the URL path, enabling cross-repository label tampering attacks. The vulnerability exists in the Web UI's label update endpoint POST /:username/:reponame/labels/edit. The handler function UpdateLabel uses an incorrect database query function that bypasses repository ownership validation. This issue has been fixed in version 0.14.1. CVE-2026-25229 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25229.html CVE-2026-25229 Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability in the DeleteBranchPost function eenables privilege escalation from Write to Admin level, allowing low-privilege users to perform dangerous operations that should be restricted to administrators only. Although Git Hook layer correctly prevents protected branch deletion via SSH push, the web interface deletion operation does not trigger Git Hooks, resulting in complete bypass of protection mechanisms. In oder to exploit this vulnerability, attackers must have write permissions to the target repository, protected branches configured to the target repository and access to the Gogs web interface. This issue has been fixed in version 0.14.1. CVE-2026-25232 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25232.html CVE-2026-25232 Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1. CVE-2026-25242 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25242.html CVE-2026-25242 cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in denial-of-service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. This issue has been patched in versions 1.18.5 and 1.19.3. CVE-2026-25518 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25518.html CVE-2026-25518 New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.10, a SQL LIKE wildcard injection vulnerability in the `/api/token/search` endpoint allows authenticated users to cause denial of service through resource exhaustion by crafting malicious search patterns. The token search endpoint accepts user-supplied `keyword` and `token` parameters that are directly concatenated into SQL LIKE clauses without escaping wildcard characters (`%`, `_`). This allows attackers to inject patterns that trigger expensive database queries. Version 0.10.8-alpha.10 contains a patch. CVE-2026-25591 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25591.html CVE-2026-25591 Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.6.11, a path traversal in the website content subsystem lets an authenticated operator read arbitrary files on the Sliver server host. This is an authenticated path traversal / arbitrary file read issue, and it can expose credentials, configs, and keys. This vulnerability is fixed in 1.6.11. CVE-2026-25760 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25760.html CVE-2026-25760 Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo's `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\` as a path separator, so `..\` sequences remain in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS` which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\` as a path separator and resolves `..\`, allowing traversal outside the static root. Version 5.0.3 fixes the issue. CVE-2026-25766 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25766.html CVE-2026-25766 Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when EnforceOTP is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion. This vulnerability is fixed in 1.7.0. CVE-2026-25791 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25791.html CVE-2026-25791 Nebula is a scalable overlay networking tool. In versions from 1.7.0 to 1.10.2, when using P256 certificates (which is not the default configuration), it is possible to evade a blocklist entry created against the fingerprint of a certificate by using ECDSA Signature Malleability to use a copy of the certificate with a different fingerprint. This issue has been patched in version 1.10.3. CVE-2026-25793 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25793.html CVE-2026-25793 https://bugzilla.suse.com/1257887 SUSE Bug 1257887 New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component `MarkdownRenderer.jsx`, allowing for Cross-Site Scripting(XSS) when the model outputs items containing `<script>` tag. Version 0.10.8-alpha.9 fixes the issue. CVE-2026-25802 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25802.html CVE-2026-25802 Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to versions 2.3.2 and 2.4.3, Antrea's network policy priority assignment system has a uint16 arithmetic overflow bug that causes incorrect OpenFlow priority calculations when handling a large numbers of policies with various priority values. This results in potentially incorrect traffic enforcement. This issue has been patched in versions 2.4.3. CVE-2026-25804 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25804.html CVE-2026-25804 Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch. CVE-2026-25882 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25882.html CVE-2026-25882 File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means. This vulnerability is fixed in 2.57.1. CVE-2026-25889 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25889.html CVE-2026-25889 File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, granting unauthorized access to restricted files. This vulnerability is fixed in 2.57.1. CVE-2026-25890 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25890.html CVE-2026-25890 Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects Fiber v3 through version 3.0.0. This has been patched in Fiber v3 version 3.1.0. CVE-2026-25891 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25891.html CVE-2026-25891 Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue. CVE-2026-25899 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25899.html CVE-2026-25899 go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5. CVE-2026-25934 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25934.html CVE-2026-25934 https://bugzilla.suse.com/1258093 SUSE Bug 1258093 Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHtml to the description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on hover. This vulnerability is fixed in 1.1.0. CVE-2026-25935 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25935.html CVE-2026-25935 Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8. CVE-2026-25949 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-25949.html CVE-2026-25949 https://bugzilla.suse.com/1258162 SUSE Bug 1258162 Pion DTLS is a Go implementation of Datagram Transport Layer Security. Pion DTLS versions v1.0.0 through v3.0.10 and 3.1.0 use random nonce generation with AES GCM ciphers, which makes it easier for remote attackers to obtain the authentication key and spoof data by leveraging the reuse of a nonce in a session and a "forbidden attack". Upgrade to v3.0.11, v3.1.1, or later. CVE-2026-26014 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-26014.html CVE-2026-26014 Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send AdmissionReview requests to the webhook, bypassing Kubernetes API Server authentication. This enables attackers to trigger WASM module execution in the ATC controller context without proper authorization. CVE-2026-26055 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-26055.html CVE-2026-26055 Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller context by injecting a malicious URL through the overrides.yoke.cd/flight annotation. The ATC controller downloads and executes the WASM module without proper URL validation, enabling attackers to create arbitrary Kubernetes resources or potentially escalate privileges to cluster-admin level. CVE-2026-26056 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-26056.html CVE-2026-26056 lakeFS is an open-source tool that transforms object storage into a Git-like repositories. Prior to 1.77.0, the local block adapter (pkg/block/local/adapter.go) allows authenticated users to read and write files outside their designated storage boundaries. The verifyRelPath function used strings.HasPrefix() to verify that requested paths fall within the configured storage directory. This check was insufficient because it validated only the path prefix without requiring a path separator, allowing access to sibling directories with similar names. Also, the adapter verified that resolved paths stayed within the adapter's base path, but did not verify that object identifiers stayed within their designated storage namespace. This allowed attackers to use path traversal sequences in the object identifier to access files in other namespaces. Fixed in version v1.77.0. CVE-2026-26187 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-26187.html CVE-2026-26187 Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10. CVE-2026-26190 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-26190.html CVE-2026-26190 emp3r0r is a C2 designed by Linux users for Linux environments. Prior to version 3.21.2, multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concurrent map read and map write`, causing C2 process crash (availability loss). Version 3.21.2 fixes this issue. CVE-2026-26201 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-26201.html CVE-2026-26201 opa-envoy-plugun is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the `input.parsed_path` field is constructed. HTTP request paths are treated as full URIs when parsed; interpreting leading path segments prefixed with double slashes (`//`) as authority components, and therefore dropping them from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers, enabling attackers to bypass access controls by crafting requests where the authorization filter evaluates a different path than the one ultimately served. Version 1.13.2-envoy-2 fixes the issue. CVE-2026-26205 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-26205.html CVE-2026-26205 go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.17.0, an attacker can cause high memory usage by sending a specially-crafted p2p message. The issue is resolved in the v1.17.0 release. CVE-2026-26313 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-26313.html CVE-2026-26313 go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shutdown/crash using a specially crafted message. The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth. CVE-2026-26314 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-26314.html CVE-2026-26314 go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. Geth maintainers recommend rotating the node key after applying the upgrade, which can be done by removing the file `<datadir>/geth/nodekey` before starting Geth. CVE-2026-26315 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-26315.html CVE-2026-26315 Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal destinations. This could compromise the underlying cloud infrastructure or internal corporate network where the service is hosted. This issue has been fixed in version 1.0.2-0.20260215211005-727213631ce6. CVE-2026-26957 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-26957.html CVE-2026-26957 filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1. CVE-2026-26958 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-26958.html CVE-2026-26958 https://bugzilla.suse.com/1258570 SUSE Bug 1258570 Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.18.0 through 1.18.5 will incorrectly permit traffic from Pods on other nodes when Native Routing, WireGuard and Node Encryption are enabled. This issue has been fixed in version 1.18.6. CVE-2026-26963 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-26963.html CVE-2026-26963 Further research determined the issue is an external dependency vulnerability. CVE-2026-26995 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-26995.html CVE-2026-26995 uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. Versions 1.6.0 through 1.8.0 contain a fingerprint mismatch with Chrome when using GREASE ECH, related to cipher suite selection. When Chrome selects the preferred cipher suite in the outer ClientHello and for ECH, it does so consistently based on hardware support-for example, if it prefers AES for the outer cipher suite, it also uses AES for ECH. However, the Chrome parrot in uTLS hardcodes AES preference for outer cipher suites but selects the ECH cipher suite randomly between AES and ChaCha20. This creates a 50% chance of selecting ChaCha20 for ECH while using AES for the outer cipher suite, a combination impossible in Chrome. This issue only affects GREASE ECH; in real ECH, Chrome selects the first valid cipher suite when AES is preferred, which uTLS handles correctly. This issue has been fixed in version 1.8.1. CVE-2026-27017 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-27017.html CVE-2026-27017 https://bugzilla.suse.com/1258546 SUSE Bug 1258546 Kargo manages and automates the promotion of software artifacts. From v1.9.0 to v1.9.2, Kargo's authorization model includes a promote verb -- a non-standard Kubernetes "dolphin verb" -- that gates the ability to advance Freight through a promotion pipeline. This verb exists to separate the ability to manage promotion-related resources from the ability to trigger promotions, enabling fine-grained access control over what is often a sensitive operation. The promote verb is correctly enforced in Kargo's legacy gRPC API. However, three endpoints in the newer REST API omit this check, relying only on standard Kubernetes RBAC for the underlying resource operations (patch on freights/status or create on promotions). This permits users who hold those standard permissions -- but who were deliberately not granted promote -- to bypass the intended authorization boundary. The affected endpoints are /v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream. This vulnerability is fixed in v1.9.3. CVE-2026-27111 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-27111.html CVE-2026-27111 https://bugzilla.suse.com/1258696 SUSE Bug 1258696 Kargo manages and automates the promotion of software artifacts. From 1.7.0 to before v1.7.8, v1.8.11, and v1.9.3, the batch resource creation endpoints of both Kargo's legacy gRPC API and newer REST API accept multi-document YAML payloads. Specially crafted payloads can manifest a bug present in the logic of both endpoints to inject arbitrary resources (of specific types only) into the underlying namespace of an existing Project using the API server's own permissions when that behavior was not intended. Critically, an attacker may exploit this as a vector for elevating their own permissions, which can then be leveraged to achieve remote code execution or secret exfiltration. Exfiltrated artifact repository credentials can be leveraged, in turn, to execute further attacks. In some configurations of the Kargo control plane's underlying Kubernetes cluster, elevated permissions may additionally be leveraged to achieve remote code execution or secret exfiltration using kubectl. This can reduce the complexity of the attack, however, worst case scenarios remain entirely achievable even without this. This vulnerability is fixed in v1.7.8, v1.8.11, and v1.9.3. CVE-2026-27112 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-27112.html CVE-2026-27112 https://bugzilla.suse.com/1258697 SUSE Bug 1258697 Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic CVE-2026-27141 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-27141.html CVE-2026-27141 https://bugzilla.suse.com/1259062 SUSE Bug 1259062 NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons. An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server process. The use of compression is negotiated before authentication, so this does not require valid NATS credentials to exploit. The fix, present in versions 2.11.2 and 2.12.3, was to bounds the decompression to fail once the message was too large, instead of continuing on. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points. CVE-2026-27571 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-27571.html CVE-2026-27571 Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue. CVE-2026-27585 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-27585.html CVE-2026-27585 https://bugzilla.suse.com/1258840 SUSE Bug 1258840 Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability. CVE-2026-27586 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-27586.html CVE-2026-27586 https://bugzilla.suse.com/1258841 SUSE Bug 1258841 Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue. CVE-2026-27587 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-27587.html CVE-2026-27587 https://bugzilla.suse.com/1258842 SUSE Bug 1258842 Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue. CVE-2026-27588 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-27588.html CVE-2026-27588 https://bugzilla.suse.com/1258843 SUSE Bug 1258843 Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue. CVE-2026-27589 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-27589.html CVE-2026-27589 https://bugzilla.suse.com/1258844 SUSE Bug 1258844 Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue. CVE-2026-27590 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-27590.html CVE-2026-27590 https://bugzilla.suse.com/1258845 SUSE Bug 1258845 Dagu is a workflow engine with a built-in Web user interface. In versions up to and including 1.16.7, the `CreateNewDAG` API endpoint (`POST /api/v1/dags`) does not validate the DAG name before passing it to the file store. An authenticated user with DAG write permissions can write arbitrary YAML files anywhere on the filesystem (limited by the process permissions). Since dagu executes DAG files as shell commands, writing a malicious DAG to the DAGs directory of another instance or overwriting config files can lead to remote code execution. Commit e2ed589105d79273e4e6ac8eb31525f765bb3ce4 fixes the issue. CVE-2026-27598 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-27598.html CVE-2026-27598 FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue. CVE-2026-27611 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-27611.html CVE-2026-27611 OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip type safety checks entirely before reaching `sh -c`. When exploiting vector 1, any authenticated user (registration enabled by default, `authType: none` by default) can execute arbitrary OS commands on the OliveTin host with the permissions of the OliveTin process. When exploiting vector 2, an unauthenticated attacker can achieve the same if the instance receives webhooks from external sources, which is a primary OliveTin use case. When an attacker exploits both vectors, this results in unauthenticated RCE on any OliveTin instance using Shell mode with webhook-triggered actions. As of time of publication, a patched version is not available. CVE-2026-27626 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260757-1/ https://www.suse.com/security/cve/CVE-2026-27626.html CVE-2026-27626