SUSE CVE-2026-22690

pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be...

SUSE CVE-2026-22691

pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-referen...

SUSE CVE-2026-22693

HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hbmalloc returns NULL before using placement new to construct an object at t...

SUSE CVE-2026-22701

filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition betwee...

SUSE CVE-2026-22702

virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU Time-of-Check-Time-of-Use vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a rac...

SUSE CVE-2026-22703

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...

SUSE CVE-2025-14338

Polkit authentication dis isabled by default and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2025-66005...

SUSE CVE-2025-14525

A flaw was found in kubevirt. A user within a virtual machine VM, if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action can overwhelm the system's ability to store VM configuration updates, effectively blocking changes...

SUSE CVE-2025-56225

fluidsynth-2.4.6 and earlier versions is vulnerable to Null pointer dereference in fluidsynthmonopoly.c, that can be triggered when loading an invalid midi file...

SUSE CVE-2025-66005

Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session...

SUSE CVE-2026-0716

A flaw was found in libsoup's WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash...

SUSE CVE-2026-21860

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safejoin function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present...

SUSE CVE-2022-21986

unknown...

SUSE CVE-2023-21913

unknown...

SUSE CVE-2023-21963

unknown...

SUSE CVE-2023-22015

unknown...

SUSE CVE-2023-22026

unknown...

SUSE CVE-2023-22028

unknown...

SUSE CVE-2023-37478

pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via...

SUSE CVE-2024-53866

The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data including on first...

SUSE CVE-2025-13151

Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1expendoctetstring...

SUSE CVE-2025-68151

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations gRPC, HTTPS, and HTTP/3 lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent...

SUSE CVE-2025-68158

Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state easily obtainable via an attacker-initiated...

SUSE CVE-2025-69263

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...

SUSE CVE-2025-69264

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the...

SUSE CVE-2026-0710

A flaw was found in SIPp. A remote attacker could exploit this by sending specially crafted Session Initiation Protocol SIP messages during an active call. This vulnerability, a NULL pointer dereference, can cause the application to crash, leading to a denial of service. Under specific conditions...

SUSE CVE-2026-0719

A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in...

SUSE CVE-2026-21441

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP...

SUSE CVE-2026-21869

llama.cpp is an inference of several LLM models in C/C++. In commits 55d4206c8 and prior, the ndiscard parameter is parsed directly from JSON input in the llama.cpp server's completion endpoints without validation to ensure it's non-negative. When a negative value is supplied and the context fill...

SUSE CVE-2026-21883

Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist e.g., dashboard.corp, an attacker can register a domain like dashboard.corp.attacker.com or use a subdomain if applicable and lure a victim to visit it. The...

SUSE CVE-2026-21895

The rsa crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is 1. Version 0.9.10 fixes the issue...

SUSE CVE-2026-22028

Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed t...

SUSE CVE-2026-22184

zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz...

SUSE CVE-2026-22185

OpenLDAP Lightning Memory-Mapped Database LMDB versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline function of mdbload. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause...

SUSE CVE-2026-38264

unknown...

SUSE CVE-2025-8556

A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange...

SUSE CVE-2025-13034

When using CURLOPTPINNEDPUBLICKEY option with libcurl or --pinnedpubkey with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper chec...

SUSE CVE-2025-14017

When doing multi-threaded LDAPS transfers LDAP over TLS with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally...

SUSE CVE-2025-14524

When an OAuth2 bearer token is used for an HTTPS transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host...

SUSE CVE-2025-14819

When doing TLS related transfers with reused easy or multi handles and altering the CURLSSLOPTNOPARTIALCHAIN option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcur...

SUSE CVE-2025-15079

When doing SSH-based transfers using either SCP or SFTP, and setting the knownhosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global knownhosts file...

SUSE CVE-2025-15224

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent...

SUSE CVE-2025-15444

Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium libsodium = 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277 https://vulners.com/cve/CVE-2025-69277 . The libsodium...

SUSE CVE-2025-67603

A Improper Authorization vulnerability in Foomuuri llows arbitrary users to influence the firewall configuration.This issue affects Foomuuri: from ? before 0.31...

SUSE CVE-2025-67858

A Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impact by manipulating the JSON configuration passed to nft. This issue affects Foomuuri: from ? before 0.31...

SUSE CVE-2025-67859

A Improper Authentication vulnerability in TLP allows local users to arbitrarily control the power profile in use as well as the daemon's log settings.This issue affects TLP: from 1.9 before 1.9.1...

SUSE CVE-2026-0628

Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. Chromium security severity: High...

SUSE CVE-2026-21428

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the writeheaders function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add...

SUSE CVE-2025-15269

FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or...

SUSE CVE-2025-15270

FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit ...