Lucene search
K
SusecveRecent

59854 matches found

SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•6 views

SUSE CVE-2026-28753

NGINX Plus and NGINX Open Source have a vulnerability in the ngxmailsmtpmodule module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation...

3.7CVSS6AI score0.00264EPSS
Exploits0References6
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-28755

NGINX Plus and NGINX Open Source have a vulnerability in the ngxstreamsslmodule module due to the improper handling of revoked certificates when configured with the sslverifyclient on and sslocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the...

5.4CVSS5.9AI score0.00133EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-28789

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin's OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map,...

7.5CVSS5.8AI score0.00394EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•6 views

SUSE CVE-2026-28790

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, bu...

7.5CVSS5.8AI score0.0065EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-29042

Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it processes user-supplied arguments. When a function is invoked via HTTP, the runtime reads the...

9.8CVSS5.8AI score0.02359EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-29060

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with...

5CVSS5.7AI score0.00137EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:26 a.m.•5 views

SUSE CVE-2026-29061

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permission...

5.4CVSS5.8AI score0.00116EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•6 views

SUSE CVE-2026-29064

Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or...

8.2CVSS6.1AI score0.0022EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•5 views

SUSE CVE-2026-29073

SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights, any logged-in user, even readers, can run any sql query on the database. This issue has been patched in version 3.6.0...

8.8CVSS5.8AI score0.00323EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•7 views

SUSE CVE-2026-29084

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a...

4.6CVSS5.8AI score0.00076EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•7 views

SUSE CVE-2026-29111

systemd, a system and service manager, as PID 1 hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this i...

5.5CVSS6.1AI score0.00121EPSS
Exploits0References17
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•5 views

SUSE CVE-2026-29183

SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when type=8, attacker-controlled content is embedded into SVG output without escaping. Because the endpoi...

9.3CVSS5.7AI score0.00625EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•5 views

SUSE CVE-2026-29188

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create...

9.1CVSS5.8AI score0.00487EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•4 views

SUSE CVE-2026-29191

ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in /saml-post Endpoint. This issue has been patched in version 4.12.0...

9.3CVSS5.8AI score0.00402EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•6 views

SUSE CVE-2026-29192

ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0...

7.7CVSS5.8AI score0.00318EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•7 views

SUSE CVE-2026-29193

ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if corresponding options were disabled in their...

8.2CVSS5.8AI score0.00312EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•17 views

SUSE CVE-2026-29194

Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication hostAllowed=true, a valid host token bypasses all subsequent authorization checks without verifying that the host is...

8.6CVSS5.8AI score0.00366EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•5 views

SUSE CVE-2026-29195

Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler PUT /api/users/username lacks validation to prevent an admin-role user from assigning the super-admin role during account updates. While the code correctly blocks an admin from assigning the admin role to...

6.9CVSS5.8AI score0.0023EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•4 views

SUSE CVE-2026-29196

Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/network or GET /api/nodes/network. While the Netmaker UI restricts visibility, the API...

8.7CVSS5.8AI score0.00252EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•4 views

SUSE CVE-2026-29771

Netmaker makes networks with WireGuard. Prior to version 1.2.0, the /api/server/shutdown endpoint allows termination of the Netmaker server process via syscall.SIGINT. This allows any user to repeatedly shut down the server, causing cyclic denial of service with approximately 3-second restart...

8.7CVSS5.7AI score0.00331EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•5 views

SUSE CVE-2026-29773

Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden promises is that configured users can deploy namespaced policies in a safe manner,...

4.3CVSS5.9AI score0.00185EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•3 views

SUSE CVE-2026-29781

Sliver is a command and control framework that uses a custom Wireguard netstack. In versions from 1.7.3 and prior, a vulnerability exists in the Sliver C2 server's Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting...

6.5CVSS5.9AI score0.00504EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•4 views

SUSE CVE-2026-30223

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" local RSA public key or "authJwtHmacSecret" HMAC secret, the configured audience value authJwtAud is not enforced during toke...

8.8CVSS5.8AI score0.00301EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•8 views

SUSE CVE-2026-30224

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry default 1 year. A...

5.4CVSS5.8AI score0.00302EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•7 views

SUSE CVE-2026-30225

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authentication context confusion vulnerability in RestartAction allows a low-privileged authenticated user to execute actions they are not permitted to run. RestartAction constructs a new...

5.3CVSS6.1AI score0.00414EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•10 views

SUSE CVE-2026-30233

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution exec may be...

6.5CVSS5.9AI score0.00417EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•9 views

SUSE CVE-2026-30247

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, the application's "Import document via URL" feature is vulnerable to Server-Side Request Forgery SSRF through HTTP redirects. While the backend implements comprehensive UR...

7.5CVSS5.8AI score0.00388EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•5 views

SUSE CVE-2026-30832

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is...

9.1CVSS5.8AI score0.00328EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•4 views

SUSE CVE-2026-30834

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery SSRF vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs,...

7.5CVSS5.9AI score0.00423EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•5 views

SUSE CVE-2026-30855

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.2, an authorization bypass in tenant management endpoints of WeKnora application allows any authenticated user to read, modify, or delete any tenant by ID. Since account...

8.8CVSS5.8AI score0.00328EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•6 views

SUSE CVE-2026-30856

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a vulnerability involving tool name collision and indirect prompt injection allows a malicious remote MCP server to hijack tool execution. By exploiting an ambiguous naming...

7.6CVSS6.1AI score0.00255EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•5 views

SUSE CVE-2026-30857

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a cross-tenant authorization bypass in the knowledge base copy endpoint allows any authenticated user to clone duplicate another tenant's knowledge base into their own tena...

5.3CVSS5.7AI score0.00222EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•6 views

SUSE CVE-2026-30858

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a DNS rebinding vulnerability in the webfetch tool allows an unauthenticated attacker to bypass URL validation and access internal resources on the server, including privat...

7.5CVSS5.8AI score0.00355EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•10 views

SUSE CVE-2026-30859

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, mod...

6.5CVSS5.8AI score0.00213EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•7 views

SUSE CVE-2026-30860

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a remote code execution RCE vulnerability exists in the application's database query functionality. The validation system fails to recursively inspect child nodes within...

9.9CVSS6.6AI score0.00539EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•10 views

SUSE CVE-2026-30861

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. From version 0.2.5 to before version 0.2.10, an unauthenticated remote code execution RCE vulnerability exists in the MCP stdio configuration validation. The application allows unrestricted user...

9.9CVSS6.6AI score0.02054EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•3 views

SUSE CVE-2026-30869

SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double-encoded traversal sequences, an attacker can access sensitive files such as...

9.8CVSS7.8AI score0.01028EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•6 views

SUSE CVE-2026-30914

SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths...

8.1CVSS5.9AI score0.00521EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•2 views

SUSE CVE-2026-30915

SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using...

5.3CVSS5.9AI score0.00309EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•6 views

SUSE CVE-2026-30926

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts RoleReader to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint...

7.1CVSS5.9AI score0.00311EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•4 views

SUSE CVE-2026-30933

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and...

7.5CVSS5.8AI score0.00544EPSS
Exploits2References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•6 views

SUSE CVE-2026-30934

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields e.g., title, description that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead ...

8.9CVSS6AI score0.00347EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•10 views

SUSE CVE-2026-30943

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An insufficient authorization check in the file replace API allows a user with only list visibility permission UserPermListOtherUploads to delete another user's file by abusing the...

4.1CVSS5.9AI score0.00179EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•6 views

SUSE CVE-2026-30955

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is...

6.5CVSS5.9AI score0.00248EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•4 views

SUSE CVE-2026-30961

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an...

4.3CVSS5.8AI score0.00253EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:25 a.m.•12 views

SUSE CVE-2026-31788

In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: restrict usage in unprivileged domU The Xen privcmd driver allows to issue arbitrary hypercalls from user space processes. This is normally no problem, as access is usually limited to root and the hypervisor will den...

8.2CVSS5.8AI score0.00154EPSS
Exploits0References16
SUSE CVE
SUSE CVE
•added 2026/03/25 12:24 a.m.•11 views

SUSE CVE-2026-31807

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer SanitizeSVG blocks dangerous elements , , and removes on event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements , which can dynamically set attributes to dangero...

6.4CVSS5.9AI score0.00445EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:24 a.m.•6 views

SUSE CVE-2026-31809

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer SanitizeSVG checks href attributes for the javascript: prefix using strings.HasPrefix. However, inserting ASCII tab , newline , or carriage return characters inside the javascript: string bypasses this prefi...

6.4CVSS5.9AI score0.00505EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:24 a.m.•7 views

SUSE CVE-2026-31817

OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied UniqueTrackingId field in the...

8.5CVSS6.2AI score0.00712EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/03/25 12:24 a.m.•5 views

SUSE CVE-2026-31863

Anytype Heart is the middleware library for Anytype. The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code. This vulnerability is fixed in anytype-heart 0.48.4, anytype-cli 0.1.11, and Anytype Desktop 0.54.5...

4.4CVSS5.9AI score0.00107EPSS
Exploits0References3
Total number of security vulnerabilities59854