Lucene search
K
SusecveRecent

59854 matches found

SUSE CVE
SUSE CVE
•added 2026/02/07 12:26 a.m.•6 views

SUSE CVE-2026-20912

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users...

9.1CVSS5.4AI score0.00415EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:26 a.m.•8 views

SUSE CVE-2026-21696

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a conditi...

8.3CVSS5.6AI score0.00475EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:25 a.m.•7 views

SUSE CVE-2026-22808

fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token FLEET::authtoken from localStorage...

5.5CVSS5.3AI score0.00209EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:25 a.m.•5 views

SUSE CVE-2026-22822

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the getSecretKey template function, while introduced for senhasegura Devops Secrets Management DSM provider, ha...

9.3CVSS5.3AI score0.00175EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:25 a.m.•11 views

SUSE CVE-2026-23518

Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not...

9.8CVSS5.5AI score0.00226EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•6 views

SUSE CVE-2026-23645

SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting XSS vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file e.g., imported from an...

6.1CVSS5.6AI score0.00251EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•7 views

SUSE CVE-2026-23742

Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The...

8.8CVSS5.4AI score0.00473EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•4 views

SUSE CVE-2026-23829

Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate RCPT TO and MAIL FROM addresses. An attacker can inject arbitrary SMTP headers or corrupt existing...

5.3CVSS5.7AI score0.01441EPSS
Exploits4References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•5 views

SUSE CVE-2026-23845

Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery SSRF via HTML Check CSS Download. The HTML Check feature /api/v1/message/ID/html-check is designed to analyze HTML emails for compatibility. During this process, the...

7.5CVSS5.3AI score0.00396EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•4 views

SUSE CVE-2026-23847

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons type=8. The content query parameter is inserted directly into the S...

6.1CVSS5AI score0.00263EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•5 views

SUSE CVE-2026-23849

File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuri...

5.3CVSS5.7AI score0.00417EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•6 views

SUSE CVE-2026-23850

SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read LFD. Version 3.5.4 fixes the issue...

8.8CVSS5.4AI score0.00522EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•7 views

SUSE CVE-2026-23851

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper pat...

8.3CVSS5.4AI score0.00436EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•7 views

SUSE CVE-2026-23960

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user's browser under the Argo...

7.3CVSS5.6AI score0.00337EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•6 views

SUSE CVE-2026-23990

The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...

5.3CVSS5.6AI score0.00303EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•6 views

SUSE CVE-2026-24058

Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user including admin by "offering" the victim's public key during the SSH handshake before authenticating with...

9.8CVSS5.5AI score0.00532EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•4 views

SUSE CVE-2026-24124

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints /api/v1/jobs lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with acce...

9.8CVSS5.3AI score0.00713EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•4 views

SUSE CVE-2026-24470

Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach...

8.1CVSS5.3AI score0.00267EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•5 views

SUSE CVE-2026-24512

A security issue was discovered in ingress-nginx where the rules.http.paths.path Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. Note tha...

8.8CVSS6.6AI score0.00501EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•6 views

SUSE CVE-2026-24513

A security issue was discovered in ingress-nginx where the protection afforded by the auth-url Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors...

3.1CVSS5.4AI score0.00278EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•15 views

SUSE CVE-2026-24514

A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingress-nginx...

6.5CVSS5.4AI score0.0046EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•4 views

SUSE CVE-2026-24735

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized user to retrieve restricted or...

7.5CVSS5.3AI score0.00619EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•8 views

SUSE CVE-2026-24738

gmrtd is a Go library for reading Machine Readable Travel Documents MRTDs. Prior to version 0.17.2, ReadFile accepts TLVs with lengths that can range up to 4GB, which can cause unconstrained resource consumption in both memory and cpu cycles. ReadFile can consume an extended TLV with lengths well...

6.5CVSS5.3AI score0.00265EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•6 views

SUSE CVE-2026-24740

Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle's agent-backed shell endpoints allows a user restricted by label filters for example, label=env=dev to obtain an interactive root shell in out-of-scope containers for example, env=prod on the same agen...

9.9CVSS5.3AI score0.00385EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•4 views

SUSE CVE-2026-24748

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the GetConfig API endpoint. This allowed unauthenticated users to access this endpoint by specifying an Authorization header with any non-empty...

7.2CVSS5.3AI score0.00342EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•5 views

SUSE CVE-2026-24843

melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries...

8.4CVSS5.3AI score0.00167EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•6 views

SUSE CVE-2026-24844

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses $vars. or $inputs. substitutions in...

8.8CVSS5.7AI score0.00176EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•4 views

SUSE CVE-2026-24846

malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The...

5.5CVSS5.3AI score0.00167EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•5 views

SUSE CVE-2026-25059

OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. Thi...

8.8CVSS5.5AI score0.00598EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•10 views

SUSE CVE-2026-25060

OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig function in internal/conf/config.go. This vulnerability enables...

8.1CVSS5.3AI score0.00239EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•4 views

SUSE CVE-2026-25121

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package e.g., via a compromised or typosquatte...

7.5CVSS5.3AI score0.00369EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•4 views

SUSE CVE-2026-25122

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copyio.Discard, gzi without explicit bounds. With an attacker-controlled input stream, this can force lar...

5.5CVSS5.2AI score0.00106EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:24 a.m.•6 views

SUSE CVE-2026-25143

melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds...

7.8CVSS6AI score0.00175EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:23 a.m.•5 views

SUSE CVE-2026-25145

melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file e.g., through pull request-driven CI or build-as-a-service scenarios could read arbitrary files from the host system. The...

5.5CVSS5.5AI score0.00168EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:23 a.m.•12 views

SUSE CVE-2026-25160

Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle MitM attacks. This...

9.1CVSS5.1AI score0.00234EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:23 a.m.•5 views

SUSE CVE-2026-25161

Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal...

8.8CVSS5.3AI score0.00721EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:23 a.m.•9 views

SUSE CVE-2026-25499

Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been...

8.7CVSS5.3AI score0.00431EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:23 a.m.•23 views

SUSE CVE-2026-25538

Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user including low-privileged CI/CD Developers to obtain the global API Token signing key by accessing the...

8.8CVSS5.5AI score0.00393EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:23 a.m.•7 views

SUSE CVE-2026-25547

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service DoS issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, t...

7.5CVSS5.2AI score0.00481EPSS
Exploits0References32
SUSE CVE
SUSE CVE
•added 2026/02/07 12:23 a.m.•6 views

SUSE CVE-2026-25578

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched i...

6.1CVSS5.1AI score0.00297EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/07 12:23 a.m.•7 views

SUSE CVE-2026-25579

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL /share/img/. When processing such requests, the...

9.2CVSS5.4AI score0.00455EPSS
Exploits1References3
SUSE CVE
SUSE CVE
•added 2026/02/06 12:34 a.m.•12 views

SUSE CVE-2025-61732

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary...

9.6CVSS5.3AI score0.00472EPSS
Exploits0References19
SUSE CVE
SUSE CVE
•added 2026/02/06 12:26 a.m.•4 views

SUSE CVE-2026-1707

pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract t...

7.4CVSS5.8AI score0.00392EPSS
Exploits0References3
SUSE CVE
SUSE CVE
•added 2026/02/06 12:26 a.m.•5 views

SUSE CVE-2026-21226

unknown...

7.5CVSS5.1AI score0.00776EPSS
Exploits0References8
SUSE CVE
SUSE CVE
•added 2026/02/06 12:26 a.m.•4 views

SUSE CVE-2026-21968

unknown...

6.5CVSS7.2AI score0.00257EPSS
Exploits0References6
SUSE CVE
SUSE CVE
•added 2026/02/05 12:47 a.m.•11 views

SUSE CVE-2025-13473

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The django.contrib.auth.handlers.modwsgi.checkpassword function for authentication via modwsgi allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series such as 5.0.x,...

7.5CVSS5.4AI score0.00713EPSS
Exploits0References4
SUSE CVE
SUSE CVE
•added 2026/02/05 12:47 a.m.•7 views

SUSE CVE-2025-14550

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. ASGIRequest allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series such as 5.0.x, 4.1.x, and 3.2.x were not...

7.5CVSS5.4AI score0.00993EPSS
Exploits0References4
SUSE CVE
SUSE CVE
•added 2026/02/05 12:33 a.m.•7 views

SUSE CVE-2025-62878

A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories...

9.9CVSS5.9AI score0.00581EPSS
Exploits1References4
SUSE CVE
SUSE CVE
•added 2026/02/05 12:27 a.m.•8 views

SUSE CVE-2025-71192

In the Linux kernel, the following vulnerability has been resolved: ALSA: ac97: fix a double free in sndac97controllerregister If ac97addadapter fails, putdevice is the correct way to drop the device reference. kfree is not required. Add kfree if idralloc fails and in ac97adapterrelease to do the...

5.3CVSS5.3AI score0.00156EPSS
Exploits0References19
SUSE CVE
SUSE CVE
•added 2026/02/05 12:27 a.m.•9 views

SUSE CVE-2025-71193

In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend Enabling runtime PM before attaching the QPHY instance as driver data can lead to a NULL pointer dereference in runtime PM callbacks that expect valid driver data...

4.7CVSS5.2AI score0.00168EPSS
Exploits0References7
Total number of security vulnerabilities59854