Lucene search
K
SusecveRecent

59854 matches found

SUSE CVE
SUSE CVE
•added 2026/04/11 9:29 a.m.•8 views

SUSE CVE-2025-62718

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NOPROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NOPROXY matching and go...

9.9CVSS5.7AI score0.01186EPSS
Exploits1References4
SUSE CVE
SUSE CVE
•added 2026/04/11 9:27 a.m.•6 views

SUSE CVE-2026-1525

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names e.g., Content-Length and content-length. This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: Applications using...

9.8CVSS7.1AI score0.00493EPSS
Exploits0References6
SUSE CVE
SUSE CVE
•added 2026/04/11 9:27 a.m.•5 views

SUSE CVE-2026-1526

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit...

7.5CVSS7.1AI score0.0115EPSS
Exploits0References8
SUSE CVE
SUSE CVE
•added 2026/04/11 9:27 a.m.•6 views

SUSE CVE-2026-1527

ImpactWhen an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences \r\n to: Inject arbitrary HTTP headers Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services Redis, Memcached, Elasticsearch The...

4.6CVSS7.2AI score0.00256EPSS
Exploits0References4
SUSE CVE
SUSE CVE
•added 2026/04/11 9:27 a.m.•6 views

SUSE CVE-2026-1528

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0...

7.5CVSS7.1AI score0.00488EPSS
Exploits0References8
SUSE CVE
SUSE CVE
•added 2026/04/11 9:27 a.m.•3 views

SUSE CVE-2026-2229

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the servermaxwindowbits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. ...

7.5CVSS7.1AI score0.00874EPSS
Exploits0References8
SUSE CVE
SUSE CVE
•added 2026/04/11 9:26 a.m.•4 views

SUSE CVE-2026-2581

This is an uncontrolled resource consumption vulnerability CWE-400 that can lead to Denial of Service DoS. In vulnerable Undici versions, when interceptors.deduplicate is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlle...

5.9CVSS7AI score0.00566EPSS
Exploits0References7
SUSE CVE
SUSE CVE
•added 2026/04/11 9:26 a.m.•4 views

SUSE CVE-2026-3902

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGIRequest allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants with hyphens or with underscores to a single version with underscores. Earlier, unsupported Django...

5.3CVSS5.8AI score0.00436EPSS
Exploits0References5
SUSE CVE
SUSE CVE
•added 2026/04/11 9:26 a.m.•4 views

SUSE CVE-2026-4631

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH...

9.8CVSS6.2AI score0.142EPSS
Exploits3References7
SUSE CVE
SUSE CVE
•added 2026/04/11 9:26 a.m.•6 views

SUSE CVE-2026-4878

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use TOCTOU race condition in the capsetfile function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so,...

7CVSS5.7AI score0.00188EPSS
Exploits1References14
SUSE CVE
SUSE CVE
•added 2026/04/11 9:26 a.m.•5 views

SUSE CVE-2026-5329

Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server primarily Linux that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring...

8.5CVSS6.5AI score0.00432EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/11 9:26 a.m.•5 views

SUSE CVE-2026-5704

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files...

5.5CVSS5.8AI score0.0043EPSS
Exploits1References6
SUSE CVE
SUSE CVE
•added 2026/04/11 9:26 a.m.•5 views

SUSE CVE-2026-5747

An out-of-bounds write issue in the virtio PCI transport in Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x8664 and aarch64 might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue...

7.5CVSS6.8AI score0.00208EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/11 9:26 a.m.•5 views

SUSE CVE-2026-5858

Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: Critical...

8.8CVSS7.9AI score0.00608EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/11 9:26 a.m.•6 views

SUSE CVE-2026-5859

Integer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: Critical...

7.4AI score0.00351EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/11 9:23 a.m.•12 views

SUSE CVE-2026-34986

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON Web Signature JWS, and JSON Web Token JWT standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption JWE object will panic if t...

7.5CVSS5.9AI score0.00651EPSS
Exploits0References46
SUSE CVE
SUSE CVE
•added 2026/04/11 9:23 a.m.•5 views

SUSE CVE-2026-35204

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not...

8.4CVSS5.9AI score0.00158EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/10 11:27 p.m.•5 views

SUSE CVE-2026-24880

Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100,...

4.8CVSS5.8AI score0.00453EPSS
Exploits0References10
SUSE CVE
SUSE CVE
•added 2026/04/10 11:27 p.m.•5 views

SUSE CVE-2026-25854

Occasional URL redirection to untrusted Site 'Open Redirect' vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other,...

4.8CVSS5.8AI score0.00526EPSS
Exploits0References10
SUSE CVE
SUSE CVE
•added 2026/04/10 11:26 p.m.•5 views

SUSE CVE-2026-29129

Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue...

4.8CVSS5.8AI score0.00259EPSS
Exploits0References10
SUSE CVE
SUSE CVE
•added 2026/04/10 11:26 p.m.•8 views

SUSE CVE-2026-29145

CLIENTCERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat...

4.8CVSS5.8AI score0.00715EPSS
Exploits1References10
SUSE CVE
SUSE CVE
•added 2026/04/10 11:26 p.m.•10 views

SUSE CVE-2026-29146

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are...

7.5CVSS5.8AI score0.03494EPSS
Exploits1References12
SUSE CVE
SUSE CVE
•added 2026/04/10 11:26 p.m.•9 views

SUSE CVE-2026-31412

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: fmassstorage: Fix potential integer overflow in checkcommandsizeinblocks The checkcommandsizeinblocks function calculates the data size in bytes by left shifting common-datasizefromcmnd by the block size...

6.8CVSS5.8AI score0.0017EPSS
Exploits0References16
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•4 views

SUSE CVE-2026-32990

Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116,...

5.3CVSS5.8AI score0.00307EPSS
Exploits0References10
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•7 views

SUSE CVE-2026-34177

Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden lxd/project/limits/permissions.go, which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote...

9.1CVSS5.8AI score0.00363EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•5 views

SUSE CVE-2026-34178

In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An...

9.1CVSS5.9AI score0.00424EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•5 views

SUSE CVE-2026-34179

In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/fingerprint for restricted TLS certificate users, allowing a remote authenticated attacker to escalate...

9.1CVSS5.8AI score0.00274EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•5 views

SUSE CVE-2026-34483

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 o...

4.8CVSS5.8AI score0.00461EPSS
Exploits0References10
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•7 views

SUSE CVE-2026-34486

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the...

7.5CVSS5.8AI score0.15831EPSS
Exploits5References12
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•4 views

SUSE CVE-2026-34487

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. User...

5.9CVSS5.8AI score0.00447EPSS
Exploits0References10
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•5 views

SUSE CVE-2026-34500

CLIENTCERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to...

4.8CVSS5.8AI score0.00469EPSS
Exploits0References10
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•6 views

SUSE CVE-2026-34580

Botan is a C++ cryptography library. In 3.11.0, the function CertificateStore::certificateknown had a misleading name; it would return true if any certificate in the store had a DN and subject key identifier, if set matching that of the argument. It did not check that the cert it found and the ce...

9.3CVSS5.8AI score0.00249EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•6 views

SUSE CVE-2026-34582

Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can by bypassed by a client which...

9.1CVSS5.8AI score0.00233EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•7 views

SUSE CVE-2026-34734

HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5Tconvstruct. The original object was...

7.8CVSS5.7AI score0.00193EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•6 views

SUSE CVE-2026-34941

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byte length of the input string when performing a bounds chec...

5.3CVSS5.8AI score0.00376EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•4 views

SUSE CVE-2026-34942

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be...

6.5CVSS5.8AI score0.00354EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•10 views

SUSE CVE-2026-39395

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures,...

6.5CVSS5.8AI score0.00241EPSS
Exploits0References4
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•5 views

SUSE CVE-2026-39853

osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS7 signature, the code copies the digest value from a parsed...

7.8CVSS6.1AI score0.00163EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•5 views

SUSE CVE-2026-39855

osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an integer underflow vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code pepagehashcalc. When page hash processing is performed on a PE file, the function...

5.5CVSS6AI score0.00143EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•4 views

SUSE CVE-2026-39856

osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.13, an out-of-bounds read vulnerability exists in osslsigncode version 2.12 and earlier in the PE page-hash computation code pepagehashcalc. When processing PE sections for page hashing, the function uses...

5.5CVSS5.8AI score0.00143EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•7 views

SUSE CVE-2026-39860

Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds typically the Nix daemon running as root in multi-user installations by following symlinks during...

9CVSS5.9AI score0.00193EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•5 views

SUSE CVE-2026-39892

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers e.g. Hash.update, this could lead to buffer overflows. This vulnerability is fixed in...

5.3CVSS6AI score0.00652EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/10 11:25 p.m.•7 views

SUSE CVE-2026-39977

flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user defined licence files relative to the source directory of the module. The paths from that array are resolved using gfileresolverelativepath and...

7.1CVSS5.9AI score0.00288EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/04/09 11:30 p.m.•6 views

SUSE CVE-2026-5860

Use after free in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

8.8CVSS7.7AI score0.0048EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/09 11:30 p.m.•5 views

SUSE CVE-2026-5861

Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

7.7AI score0.00303EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/09 11:30 p.m.•8 views

SUSE CVE-2026-5862

Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

8.8CVSS7.7AI score0.00303EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/09 11:30 p.m.•10 views

SUSE CVE-2026-5863

Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

8.8CVSS7.7AI score0.00292EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/09 11:30 p.m.•8 views

SUSE CVE-2026-5864

Heap buffer overflow in WebAudio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. Chromium security severity: High...

6.5CVSS7.5AI score0.00241EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/09 11:30 p.m.•5 views

SUSE CVE-2026-5865

Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

8.8CVSS7.7AI score0.00422EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/04/09 11:30 p.m.•5 views

SUSE CVE-2026-5866

Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

8.8CVSS7.7AI score0.00303EPSS
Exploits0References3
Total number of security vulnerabilities59854