
SUSE Linux
added 2026/01/29 10:34 a.m.

Security update for python

This update for python fixes the following issues: Modified the CVE-2025-6075 fix to not use the re.ASCII flag, which is not available in Python 2.7 (bsc#1257064). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you...

CVSS 2.5 | AI score 7.2 | EPSS 0.00124
Exploits 0 | References 4
CVE
added 2026/01/28 9:35 p.m.

CVE-2026-24888

Maker.js (makerjs.extendObject) is vulnerable to unsafe property copying. The function iterates with for...in without hasOwnProperty() checks and fails to filter dangerous keys, enabling inherited or crafted properties (e.g., `__proto__`) to be copied to targets. This prototype-pollution risk is docum...

CVSS 9.8 | AI score 5.8 | EPSS 0.00879
Exploits 1 | References 3 | Affected Software 1
NVD
added 2026/01/28 9:16 p.m.

CVE-2026-23743

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user...

CVSS 7.5 | EPSS 0.00245
Exploits 0 | References 1
CVE
added 2026/01/28 8:11 p.m.

CVE-2026-24742

Discourse (open-source discussion platform) is affected in CVE-2026-24742 for versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The issue allows non-admin moderators to view sensitive data in staff action logs that should be restricted to administrators, exposing webhook URLs and secre...

CVSS 6.5 | AI score 5.8 | EPSS 0.00255
Exploits 0 | References 1 | Affected Software 1
Cvelist
added 2026/01/28 7:14 p.m.

CVE-2025-68666 Discourse users' archives leaked to users with moderation privileges

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users' archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users is leaked...

CVSS 5.9 | EPSS 0.00238
Exploits 0 | References 1
EUVD
added 2026/01/28 6:55 p.m.

EUVD-2025-206452

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, an endpoint lets any authenticated user bypass the aidiscoverpersona access controls and gain ongoing DM access to personas that may be wired to staff-only categories, RAG document set...

CVSS 5.3 | AI score 5.9 | EPSS 0.00216
Exploits 0 | References 1
Cvelist
added 2026/01/28 6:34 p.m.

CVE-2025-68479 Discourse subscriptions are susceptible to takeover

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds...

CVSS 7.1 | EPSS 0.0017
Exploits 0 | References 1
CVE
added 2026/01/28 6:10 p.m.

CVE-2026-24775

OpenProject 17.0.0 added a BlockNote editor extension that may expose internal resources. The vulnerability (CVE-2026-24775) arises because the extension does not properly validate the work package ID when loading details via the OpenProject API, allowing an attacker to craft documents with relat...

CVSS 7.3 | AI score 6 | EPSS 0.00105
Exploits 0 | References 2 | Affected Software 1
OSV
added 2026/01/28 4:21 p.m.

GHSA-253Q-9Q78-63X4 Clatter has a PSK Validity Rule Violation issue

Impact: Protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule (Noise Protocol Framework, Section 9.3). This could allow PSK-derived keys to be used for encryption without proper randomization by self-chosen ephemeral randomness,...

CVSS 9.3 | AI score 5.8 | EPSS 0.00122
Exploits 0 | References 5
Positive Technologies
added 2026/01/28 12:00 a.m.

PT-2026-5127

A security flaw has been discovered in Open5GS up to 2.7.6. This affects the function sgwc s5c handle bearer resource failure indication of the file src/sgwc/s5c-handler.c of the component SGWC. Performing a manipulation results in denial of service. The attack can be initiated remotely. The...

CVSS 6.9 | AI score 5.4 | EPSS 0.00511
Exploits 1 | References 8
Positive Technologies
added 2026/01/28 12:00 a.m.

PT-2026-5185

Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Description: Discourse is an open source discussion platform. A hostname validation issue in the...

CVSS 9.9 | AI score 5.9 | EPSS 0.003
Exploits 0 | References 7
Positive Technologies
added 2026/01/28 12:00 a.m.

PT-2026-5192

Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Description: Discourse is an open source discussion platform. Non-admin moderators with the...

CVSS 6.9 | AI score 5.2 | EPSS 0.00146
Exploits 0 | References 7
Positive Technologies
added 2026/01/28 12:00 a.m.

PT-2026-5123

Microsoft has issued an emergency patch for a zero-day vulnerability, CVE-2021-21509, in Office, allowing attackers to bypass OLE mitigations and execute malware. CISA has included the flaw in their KEV catalog. Microsoft Office SecurityPatch ZeroDayVulnerability https://t.co/WMeToNOuIK...

AI score 6
Exploits 0 | References 1
ATTACKERKB
added 2026/01/27 11:38 p.m.

CVE-2026-24785

Clatter is a no_std compatible, pure Rust implementation of the Noise protocol framework with post-quantum support. Versions prior to 2.2.0 have a protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule of the Noise Protocol Framework...

CVSS 9.3 | AI score 5.8 | EPSS 0.00122
Exploits 0 | References 4 | Affected Software 1
OSV
added 2026/01/27 9:57 p.m.

CVE-2026-24778 Ghost vulnerable to XSS via malicious Portal preview links

Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially...

CVSS 8.8 | AI score 5.9 | EPSS 0.00255
Exploits 0 | References 4
NVD
added 2026/01/27 9:16 p.m.

CVE-2026-24740

Dozzle is a realtime log viewer for Docker containers. Prior to version 9.0.3, a flaw in Dozzle's agent-backed shell endpoints allows a user restricted by label filters (for example, label=env=dev) to obtain an interactive root shell in out-of-scope containers (for example, env=prod) on the same agen...

CVSS 9.9 | EPSS 0.00385
Exploits 1 | References 3
EUVD
added 2026/01/27 8:59 p.m.

EUVD-2026-4741

Dozzle is a realtime log viewer for Docker containers. Prior to version 9.0.3, a flaw in Dozzle's agent-backed shell endpoints allows a user restricted by label filters (for example, label=env=dev) to obtain an interactive root shell in out-of-scope containers (for example, env=prod) on the same agen...

CVSS 8.7 | AI score 5.9 | EPSS 0.00385
Exploits 1 | References 3
Vulnrichment
added 2026/01/27 7:41 p.m.

CVE-2026-24771 Hono has a Cross-site Scripting vulnerability

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the ErrorBoundary component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as...

CVSS 4.7 | AI score 6 | EPSS 0.00298
Exploits 0 | References 2
OSV
added 2026/01/27 7:06 p.m.

CVE-2026-24398 Hono's IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The IPV4_REGEX pattern and convertIPv4ToBinary function in src/utils/ipaddr.ts do not properly validate...

CVSS 4.8 | AI score 5.9 | EPSS 0.00315
Exploits 0 | References 5
OSV
added 2026/01/27 9:34 a.m.

CLSA-2026-1769506462 Fix CVE(s): CVE-2025-8225

SECURITY UPDATE: debug_information memory leak in process_debug_info
- debian/patches/CVE-2025-8225.patch: prevent memory leak by checking alloc_num_debug_info_entries instead of num_debug_info_entries to determine whether debug_information has been allocated
- CVE-2025-8225...

CVSS 4.8 | AI score 6 | EPSS 0.00214
Exploits 1 | References 1