35 matches found
OPENSUSE-SU-2026:10741-1 go1.26-1.26.3-1.1 on GA media
These are all security issues fixed in the go1.26-1.26.3-1.1 package on the GA media of openSUSE Tumbleweed...
Uncaught Exception
Overview: std/net is a Go standard library package. Affected versions of this package are vulnerable to Uncaught Exception. Go Vulnerability Report: The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL 0. Remediation: Upgrade std/net to version...
CLEANSTART-2026-LI47669 Security fixes for CVE-2025-47913, CVE-2025-47914, CVE-2025-58181, CVE-2025-61727, CVE-2025-61729, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186 applied in versions: 1.26.2-r0, 1.26.3-r0, 1.26.3-r1
Multiple security vulnerabilities affect the cloudnative-pg-fips package. These issues are resolved in later releases. See references for individual vulnerability details...
EUVD-2025-29200
Malicious code in bioql PyPI...
EUVD-2025-31655
Malicious code in bioql PyPI...
EUVD-2025-31651
Malicious code in bioql PyPI...
EUVD-2025-31662
Malicious code in bioql PyPI...
EUVD-2025-31663
Malicious code in bioql PyPI...
EUVD-2025-31652
Malicious code in bioql PyPI...
EUVD-2025-31622
Malicious code in bioql PyPI...
CVE-2025-61586
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by setting path in theme field, allowing attackers to gain additional information about the server by checking if certain directories exist. This issue is fixed in version 1.27.0...
CVE-2025-57769
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code or promoting a user in FreshRSS by obscuring UI elements in iframes. If embedding an authenticated iframe is possibl...
CVE-2025-54591
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below expose information about feeds and tags of default admin users, due to lack of access checking in the FreshRSSAuth::hasAccess function used by some of the tag/feed related endpoints. FreshRSS controllers usually have a...
CVE-2025-59950 FreshRSS: Double clickjacking can lead to privilege escalation
FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection confirmation dialog, it is possible to trick the admin into clicking the Promote button in another user's management page after the admin double clicks on a button...
CVE-2025-61586
CVE-2025-61586 affects FreshRSS. Versions 1.26.3 and earlier are vulnerable to directory enumeration by manipulating the theme field path, allowing an attacker to determine existence of directories on the server and gain additional information. The issue is fixed in 1.27.0. There are multiple co...
CVE-2025-61586 FreshRSS is vulnerable to directory enumeration by setting path in its theme field
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by setting path in theme field, allowing attackers to gain additional information about the server by checking if certain directories exist. This issue is fixed in version 1.27.0...
CVE-2025-59948
FreshRSS versions 1.26.3 and earlier are vulnerable to XSS due to unsanitized event handler attributes in feed content. The attack requires that the instance has API access authentication enabled and uses the /api/query.php endpoint; successful exploitation can lead to account takeover and, if th...
CVE-2025-54592
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the session cookie remains active and unchanged. The unchanged cookie could be reused by an attacker if a new session were to be started. This...