Lucene search
K
SusecveRecent

59854 matches found

SUSE CVE
SUSE CVE
•added 2026/03/25 11:52 a.m.•8 views

SUSE CVE-2026-4729

Memory safety bugs present in Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149 and Thunderbird 149...

8.8CVSS7.4AI score0.0033EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 11:52 a.m.•6 views

SUSE CVE-2026-4751

NULL Pointer Dereference vulnerability in tmate-io tmate.This issue affects tmate: before 2.4.0...

5.3CVSS5.9AI score0.00312EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 11:52 a.m.•8 views

SUSE CVE-2026-4775

A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations,...

8.6CVSS6.1AI score0.00553EPSS
Exploits0References17
SUSE CVE
SUSE CVE
•added 2026/03/25 11:52 a.m.•3 views

SUSE CVE-2026-22728

Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation /v1/rotate flow. The rotation handler derives the sealing scope for the newly encrypted output from untrusted spec.template.metadata.annotations present in the input SealedSecret. By submitting a victim...

4.9CVSS5.9AI score0.00352EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:28 a.m.•3 views

SUSE CVE-2026-23999

Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if...

5.5CVSS6AI score0.00124EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:28 a.m.•9 views

SUSE CVE-2026-24004

Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet's Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet...

6.3CVSS6.1AI score0.00262EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:28 a.m.•5 views

SUSE CVE-2026-24005

Kruise provides automated management of large-scale applications on Kubernetes. Prior to versions 1.8.3 and 1.7.5, PodProbeMarker allows defining custom probes with TCPSocket or HTTPGet handlers. The webhook validation does not restrict the Host field in these probe configurations. Since...

7.6CVSS6AI score0.00285EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:28 a.m.•10 views

SUSE CVE-2026-25075

strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the...

7.5CVSS6AI score0.01013EPSS
Exploits2References9
SUSE CVE
SUSE CVE
•added 2026/03/25 12:28 a.m.•10 views

SUSE CVE-2026-25921

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2...

9.3CVSS6.6AI score0.00327EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•9 views

SUSE CVE-2026-25963

Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet's certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. Fleet supports...

6.5CVSS5.7AI score0.00191EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•5 views

SUSE CVE-2026-26022

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting XSS vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrar...

8.7CVSS6AI score0.00306EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•4 views

SUSE CVE-2026-26186

Fleet is open source device management software. A SQL injection vulnerability in versions prior to 4.80.1 allowed authenticated users to inject arbitrary SQL expressions via the orderkey query parameter. Due to unsafe use of goqu.I when constructing the ORDER BY clause, specially crafted input...

8.8CVSS6.2AI score0.00301EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•5 views

SUSE CVE-2026-26194

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets git options get injected and mess with the process. This issue has been...

8.8CVSS5.7AI score0.00433EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•4 views

SUSE CVE-2026-26195

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2...

6.9CVSS5.7AI score0.00189EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•5 views

SUSE CVE-2026-26196

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and accesstoken, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2...

6.9CVSS5.7AI score0.00254EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•6 views

SUSE CVE-2026-26209

cbor2 provides encoding and decoding for the Concise Binary Object Representation CBOR serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service DoS attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the...

7.5CVSS7.1AI score0.00417EPSS
Exploits1References4
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•6 views

SUSE CVE-2026-26276

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository's Milestone name, and when another user selects that Milestone on the New Issue page /issues/new, a DOM-Based XSS is triggered. This issue has been patched in...

7.3CVSS5.8AI score0.00184EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•5 views

SUSE CVE-2026-26828

A NULL pointer dereference in the daapreplyplaylists function src/httpddaap.c of owntone-server commit 3d1652d allows attackers to cause a Denial of Service DoS via sending a crafted DAAP request to the server...

7.5CVSS5.9AI score0.00339EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•4 views

SUSE CVE-2026-26829

A NULL pointer dereference in the safeatou64 function src/misc.c of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service DoS via sending a series of crafted HTTP requests to the server...

7.5CVSS5.9AI score0.00882EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•5 views

SUSE CVE-2026-27116

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the filter URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While and are blocked, , ,...

6.1CVSS5.9AI score0.00221EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•5 views

SUSE CVE-2026-27575

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords e.g., 1234, password without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An...

9.1CVSS5.9AI score0.00428EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•6 views

SUSE CVE-2026-27616

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as tags or event handlers like onload. The application...

7.3CVSS6.1AI score0.00453EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•8 views

SUSE CVE-2026-27651

When the ngxmailauthhttpmodule module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when 1 CRAM-MD5 or APOP authentication is enabled, and 2 the authentication server permits retry by returning the Auth-Wait...

7.5CVSS5.9AI score0.00921EPSS
Exploits0References11
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•5 views

SUSE CVE-2026-27654

NGINX Open Source and NGINX Plus have a vulnerability in the ngxhttpdavmodule module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names...

8.2CVSS6.1AI score0.21621EPSS
Exploits0References11
SUSE CVE
SUSE CVE
•added 2026/03/25 12:27 a.m.•7 views

SUSE CVE-2026-27730

esm.sh is a no-build content delivery network CDN for web development. Versions up to and including 137 have an SSRF vulnerability CWE-918 in esm.sh's /https fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypass...

8.6CVSS7.2AI score0.00339EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-27734

Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "container" query parameter to the agent without validation. The agent constructs Docker Engine API URL...

6.5CVSS6AI score0.00484EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-27784

The 32-bit implementation of NGINX Open Source has a vulnerability in the ngxhttpmp4module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it i...

7.8CVSS5.9AI score0.01031EPSS
Exploits0References11
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-27808

Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API /api/v1/message/ID/link-check is vulnerable to Server-Side Request Forgery SSRF. The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering...

8.6CVSS6.1AI score0.00468EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•11 views

SUSE CVE-2026-27819

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the...

7.2CVSS5.8AI score0.00739EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•6 views

SUSE CVE-2026-27840

ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext...

4.3CVSS5.9AI score0.00142EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-27896

The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags - a field tagged json:"method" would also match "Method", "METHOD", etc...

7CVSS5.8AI score0.00255EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•6 views

SUSE CVE-2026-27899

WireGuard Portal or wg-portal is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with "IsAdmin": true in the JSON body. Aft...

8.8CVSS5.9AI score0.00306EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•6 views

SUSE CVE-2026-27900

The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, and object storage data in debug logs without redaction. Provider debug logging is not enabled by default. This issue is exposed when debug/provider logs are...

7.7CVSS6.1AI score0.00469EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•4 views

SUSE CVE-2026-27944

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to...

9.8CVSS6.7AI score0.22162EPSS
Exploits13References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-27945

ZITADEL is an open source identity management platform. Zitadel Action V2 introduced as early preview in 2.59.0, beta in 3.0.0 and GA in 4.0.0 is a webhook based approach to allow developers act on API request to Zitadel and customize flows such the issue of a token. Zitadel's Action target URLs...

6.5CVSS5.9AI score0.00226EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•4 views

SUSE CVE-2026-27946

ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. The patch in versions 4.11.1 and 3.4.7...

8.2CVSS5.9AI score0.00176EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•4 views

SUSE CVE-2026-27965

Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location e.g. an S3 bucket can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored...

9.9CVSS6AI score0.00417EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-27969

Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location e.g. an S3 bucket can manipulate backup manifest files so that files in the manifest - which may be files that they have also...

9.3CVSS6AI score0.00402EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•4 views

SUSE CVE-2026-28229

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates and ClusterWorkflowTemplates. Any request with a Authorization: Bearer nothing...

9.8CVSS5.9AI score0.00652EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•6 views

SUSE CVE-2026-28268

Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a...

9.8CVSS5.9AI score0.00673EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•7 views

SUSE CVE-2026-28279

osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the osctrl-admin environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These...

8.4CVSS6.7AI score0.009EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•4 views

SUSE CVE-2026-28280

osctrl is an osquery management solution. Prior to version 0.5.0, a stored cross-site scripting XSS vulnerability exists in the osctrl-admin on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parameter when running an on-demand query. The paylo...

8.7CVSS6AI score0.00227EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-28342

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacke...

7.5CVSS5.8AI score0.00645EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•8 views

SUSE CVE-2026-28406

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in version 1.25.4 and prior to version 1.25.10, kaniko unpacks build context archives using filepath.Joindest, cleanedName without enforcing that the final path stays within dest. A ta...

8.2CVSS6.3AI score0.00613EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-28407

malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior to version 1.21.0, malcontent would remove nested archives which failed to extract which could potentially leave malicious content. A better approach is to preserve these archiv...

6.9CVSS5.9AI score0.00222EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-28492

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses...

7.1CVSS5.7AI score0.00322EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•4 views

SUSE CVE-2026-28512

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirecturi values containing URL userinfo @ to bypass legitimate callback pattern checks. If an attacker can trick a...

7.1CVSS5.9AI score0.00204EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•3 views

SUSE CVE-2026-28513

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

8.5CVSS5.9AI score0.00257EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-28682

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes fileid values that are not scoped to the requesting...

6.4CVSS5.8AI score0.00133EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-28683

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3...

8.7CVSS5.7AI score0.00189EPSS
Exploits0References3
Total number of security vulnerabilities59854