govulncheck-vulndb-0.0.20251105T184115-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15710-1 Final 1 1 2025-11-07T00:00:00Z current 2025-11-07T00:00:00Z 2025-11-07T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z govulncheck-vulndb-0.0.20251105T184115-1.1 on GA media These are all security issues fixed in the govulncheck-vulndb-0.0.20251105T184115-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15710 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2016-11063/ SUSE CVE CVE-2016-11063 page https://www.suse.com/security/cve/CVE-2016-11066/ SUSE CVE CVE-2016-11066 page https://www.suse.com/security/cve/CVE-2016-11067/ SUSE CVE CVE-2016-11067 page https://www.suse.com/security/cve/CVE-2016-11068/ SUSE CVE CVE-2016-11068 page https://www.suse.com/security/cve/CVE-2016-11069/ SUSE CVE CVE-2016-11069 page https://www.suse.com/security/cve/CVE-2016-11070/ SUSE CVE CVE-2016-11070 page https://www.suse.com/security/cve/CVE-2016-11071/ SUSE CVE CVE-2016-11071 page https://www.suse.com/security/cve/CVE-2016-11072/ SUSE CVE CVE-2016-11072 page https://www.suse.com/security/cve/CVE-2016-11073/ SUSE CVE CVE-2016-11073 page https://www.suse.com/security/cve/CVE-2016-11074/ SUSE CVE CVE-2016-11074 page https://www.suse.com/security/cve/CVE-2016-11075/ SUSE CVE CVE-2016-11075 page https://www.suse.com/security/cve/CVE-2016-11076/ SUSE CVE CVE-2016-11076 page https://www.suse.com/security/cve/CVE-2016-11077/ SUSE CVE CVE-2016-11077 page https://www.suse.com/security/cve/CVE-2016-11078/ SUSE CVE CVE-2016-11078 page https://www.suse.com/security/cve/CVE-2016-11079/ SUSE CVE CVE-2016-11079 page https://www.suse.com/security/cve/CVE-2016-11080/ SUSE CVE CVE-2016-11080 page https://www.suse.com/security/cve/CVE-2016-11081/ SUSE CVE CVE-2016-11081 page https://www.suse.com/security/cve/CVE-2016-11082/ SUSE CVE CVE-2016-11082 page https://www.suse.com/security/cve/CVE-2016-11083/ SUSE CVE CVE-2016-11083 page https://www.suse.com/security/cve/CVE-2016-11084/ SUSE CVE CVE-2016-11084 page https://www.suse.com/security/cve/CVE-2017-18872/ SUSE CVE CVE-2017-18872 page https://www.suse.com/security/cve/CVE-2023-32199/ SUSE CVE CVE-2023-32199 page https://www.suse.com/security/cve/CVE-2024-58269/ SUSE CVE CVE-2024-58269 page https://www.suse.com/security/cve/CVE-2025-10545/ SUSE CVE CVE-2025-10545 page https://www.suse.com/security/cve/CVE-2025-10678/ SUSE CVE CVE-2025-10678 page https://www.suse.com/security/cve/CVE-2025-10954/ SUSE CVE CVE-2025-10954 page https://www.suse.com/security/cve/CVE-2025-11374/ SUSE CVE CVE-2025-11374 page https://www.suse.com/security/cve/CVE-2025-11375/ SUSE CVE CVE-2025-11375 page https://www.suse.com/security/cve/CVE-2025-11579/ SUSE CVE CVE-2025-11579 page https://www.suse.com/security/cve/CVE-2025-11621/ SUSE CVE CVE-2025-11621 page https://www.suse.com/security/cve/CVE-2025-12044/ SUSE CVE CVE-2025-12044 page https://www.suse.com/security/cve/CVE-2025-26625/ SUSE CVE CVE-2025-26625 page https://www.suse.com/security/cve/CVE-2025-27093/ SUSE CVE CVE-2025-27093 page https://www.suse.com/security/cve/CVE-2025-41410/ SUSE CVE CVE-2025-41410 page https://www.suse.com/security/cve/CVE-2025-41443/ SUSE CVE CVE-2025-41443 page https://www.suse.com/security/cve/CVE-2025-54286/ SUSE CVE CVE-2025-54286 page https://www.suse.com/security/cve/CVE-2025-54287/ SUSE CVE CVE-2025-54287 page https://www.suse.com/security/cve/CVE-2025-54288/ SUSE CVE CVE-2025-54288 page https://www.suse.com/security/cve/CVE-2025-54289/ SUSE CVE CVE-2025-54289 page https://www.suse.com/security/cve/CVE-2025-54290/ SUSE CVE CVE-2025-54290 page https://www.suse.com/security/cve/CVE-2025-54291/ SUSE CVE CVE-2025-54291 page https://www.suse.com/security/cve/CVE-2025-54293/ SUSE CVE CVE-2025-54293 page https://www.suse.com/security/cve/CVE-2025-54469/ SUSE CVE CVE-2025-54469 page https://www.suse.com/security/cve/CVE-2025-54470/ SUSE CVE CVE-2025-54470 page https://www.suse.com/security/cve/CVE-2025-54471/ SUSE CVE CVE-2025-54471 page https://www.suse.com/security/cve/CVE-2025-54499/ SUSE CVE CVE-2025-54499 page https://www.suse.com/security/cve/CVE-2025-58073/ SUSE CVE CVE-2025-58073 page https://www.suse.com/security/cve/CVE-2025-58075/ SUSE CVE CVE-2025-58075 page https://www.suse.com/security/cve/CVE-2025-58356/ SUSE CVE CVE-2025-58356 page https://www.suse.com/security/cve/CVE-2025-59043/ SUSE CVE CVE-2025-59043 page https://www.suse.com/security/cve/CVE-2025-59048/ SUSE CVE CVE-2025-59048 page https://www.suse.com/security/cve/CVE-2025-59530/ SUSE CVE CVE-2025-59530 page https://www.suse.com/security/cve/CVE-2025-59836/ SUSE CVE CVE-2025-59836 page https://www.suse.com/security/cve/CVE-2025-59937/ SUSE CVE CVE-2025-59937 page https://www.suse.com/security/cve/CVE-2025-61141/ SUSE CVE CVE-2025-61141 page https://www.suse.com/security/cve/CVE-2025-61524/ SUSE CVE CVE-2025-61524 page https://www.suse.com/security/cve/CVE-2025-61581/ SUSE CVE CVE-2025-61581 page https://www.suse.com/security/cve/CVE-2025-61688/ SUSE CVE CVE-2025-61688 page https://www.suse.com/security/cve/CVE-2025-62156/ SUSE CVE CVE-2025-62156 page https://www.suse.com/security/cve/CVE-2025-62157/ SUSE CVE CVE-2025-62157 page https://www.suse.com/security/cve/CVE-2025-62375/ SUSE CVE CVE-2025-62375 page https://www.suse.com/security/cve/CVE-2025-62506/ SUSE CVE CVE-2025-62506 page https://www.suse.com/security/cve/CVE-2025-62513/ SUSE CVE CVE-2025-62513 page https://www.suse.com/security/cve/CVE-2025-62705/ SUSE CVE CVE-2025-62705 page https://www.suse.com/security/cve/CVE-2025-62714/ SUSE CVE CVE-2025-62714 page https://www.suse.com/security/cve/CVE-2025-62725/ SUSE CVE CVE-2025-62725 page https://www.suse.com/security/cve/CVE-2025-62820/ SUSE CVE CVE-2025-62820 page https://www.suse.com/security/cve/CVE-2025-64101/ SUSE CVE CVE-2025-64101 page https://www.suse.com/security/cve/CVE-2025-64102/ SUSE CVE CVE-2025-64102 page https://www.suse.com/security/cve/CVE-2025-64103/ SUSE CVE CVE-2025-64103 page openSUSE Tumbleweed govulncheck-vulndb-0.0.20251105T184115-1.1 govulncheck-vulndb-0.0.20251105T184115-1.1 as a component of openSUSE Tumbleweed An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview. CVE-2016-11063 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11063.html CVE-2016-11063 An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information. CVE-2016-11066 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11066.html CVE-2016-11066 An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang. CVE-2016-11067 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11067.html CVE-2016-11067 An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection. CVE-2016-11068 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11068.html CVE-2016-11068 An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change. CVE-2016-11069 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11069.html CVE-2016-11069 An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values. CVE-2016-11070 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11070.html CVE-2016-11070 An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place. CVE-2016-11071 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11071.html CVE-2016-11071 An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled. CVE-2016-11072 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11072.html CVE-2016-11072 An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting. CVE-2016-11073 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11073.html CVE-2016-11073 An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused. CVE-2016-11074 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11074.html CVE-2016-11074 An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API. CVE-2016-11075 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11075.html CVE-2016-11075 An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL. CVE-2016-11076 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11076.html CVE-2016-11076 An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account. CVE-2016-11077 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11077.html CVE-2016-11077 An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI. CVE-2016-11078 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11078.html CVE-2016-11078 An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL. CVE-2016-11079 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11079.html CVE-2016-11079 An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details. CVE-2016-11080 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11080.html CVE-2016-11080 An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser. CVE-2016-11081 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11081.html CVE-2016-11081 An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link. CVE-2016-11082 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11082.html CVE-2016-11082 An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window. CVE-2016-11083 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11083.html CVE-2016-11083 An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF. CVE-2016-11084 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-11084.html CVE-2016-11084 An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider. CVE-2017-18872 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-18872.html CVE-2017-18872 A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or the corresponding binding, the user still retains access to clusters. This only affects custom Global Roles that have a * on * in * rule for resources or have a * on * rule for non-resource URLs CVE-2023-32199 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-32199.html CVE-2023-32199 https://bugzilla.suse.com/1249102 SUSE Bug 1249102 A vulnerability has been identified in Rancher Manager, where sensitive information, including secret data, cluster import URLs, and registration tokens, is exposed to any entity with access to Rancher audit logs. CVE-2024-58269 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-58269.html CVE-2024-58269 https://bugzilla.suse.com/1251532 SUSE Bug 1251532 Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint CVE-2025-10545 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-10545.html CVE-2025-10545 NetBird VPN when installed using vendor's provided script failed to remove or change default password of an admin account created by ZITADEL. This issue affects instances installed using vendor's provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed. This issue has been fixed in version 0.57.0 CVE-2025-10678 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-10678.html CVE-2025-10678 https://bugzilla.suse.com/1252329 SUSE Bug 1252329 Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse() function. An attacker can cause a panic by providing crafted input causing a "runtime error: slice bounds out of range". CVE-2025-10954 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-10954.html CVE-2025-10954 Consul and Consul Enterprise's ("Consul") key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12. CVE-2025-11374 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11374.html CVE-2025-11374 Consul and Consul Enterprise's ("Consul") event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12. CVE-2025-11375 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11375.html CVE-2025-11375 github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash. CVE-2025-11579 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11579.html CVE-2025-11579 https://bugzilla.suse.com/1251871 SUSE Bug 1251871 Vault and Vault Enterprise's ("Vault") AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27 CVE-2025-11621 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11621.html CVE-2025-11621 Vault and Vault Enterprise ("Vault") are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [+HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393] which allowed for processing JSON payloads before applying rate limits. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0. CVE-2025-12044 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-12044.html CVE-2025-12044 Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets. CVE-2025-26625 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-26625.html CVE-2025-26625 https://bugzilla.suse.com/1252259 SUSE Bug 1252259 Sliver is a command and control framework that uses a custom Wireguard netstack. In versions 1.5.43 and earlier, and in development version 1.6.0-dev, the netstack does not limit traffic between Wireguard clients. This allows clients to communicate with each other unrestrictedly, potentially enabling leaked or recovered keypairs to be used to attack operators or allowing port forwardings to be accessible from other implants. CVE-2025-27093 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-27093.html CVE-2025-27093 Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictions CVE-2025-41410 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-41410.html CVE-2025-41410 Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint CVE-2025-41443 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-41443.html CVE-2025-41443 Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication. CVE-2025-54286 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54286.html CVE-2025-54286 https://bugzilla.suse.com/1250945 SUSE Bug 1250945 Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine. CVE-2025-54287 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54287.html CVE-2025-54287 https://bugzilla.suse.com/1250943 SUSE Bug 1250943 Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line. CVE-2025-54288 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54288.html CVE-2025-54288 https://bugzilla.suse.com/1250939 SUSE Bug 1250939 Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format CVE-2025-54289 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54289.html CVE-2025-54289 https://bugzilla.suse.com/1250933 SUSE Bug 1250933 Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints. CVE-2025-54290 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54290.html CVE-2025-54290 https://bugzilla.suse.com/1250934 SUSE Bug 1250934 Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses. CVE-2025-54291 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54291.html CVE-2025-54291 https://bugzilla.suse.com/1250935 SUSE Bug 1250935 Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links. CVE-2025-54293 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54293.html CVE-2025-54293 https://bugzilla.suse.com/1250936 SUSE Bug 1250936 A vulnerability was identified in NeuVector, where the enforcer used environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to generate a command to be executed via popen, without first sanitising their values. The entry process of the enforcer container is the monitor process. When the enforcer container stops, the monitor process checks whether the consul subprocess has exited. To perform this check, the monitor process uses the popen function to execute a shell command that determines whether the ports used by the consul subprocess are still active. The values of environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT are used directly to compose shell commands via popen without validation or sanitization. This behavior could allow a malicious user to inject malicious commands through these variables within the enforcer container. CVE-2025-54469 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54469.html CVE-2025-54469 https://bugzilla.suse.com/1249340 SUSE Bug 1249340 This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server. In affected versions, NeuVector does not enforce TLS certificate verification when transmitting anonymous cluster data to the telemetry server. As a result, the communication channel is susceptible to man-in-the-middle (MITM) attacks, where an attacker could intercept or modify the transmitted data. Additionally, NeuVector loads the response of the telemetry server is loaded into memory without size limitation, which makes it vulnerable to a Denial of Service(DoS) attack CVE-2025-54470 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54470.html CVE-2025-54470 https://bugzilla.suse.com/1249341 SUSE Bug 1249341 NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data. CVE-2025-54471 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54471.html CVE-2025-54471 https://bugzilla.suse.com/1249376 SUSE Bug 1249376 Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets CVE-2025-54499 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-54499.html CVE-2025-54499 Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state. CVE-2025-58073 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58073.html CVE-2025-58073 Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState CVE-2025-58075 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58075.html CVE-2025-58075 Constellation is the first Confidential Kubernetes. The Constellation CVM image uses LUKS2-encrypted volumes for persistent storage. When opening an encrypted storage device, the CVM uses the libcryptsetup function crypt_activate_by_passhrase. If the VM is successful in opening the partition with the disk encryption key, it treats the volume as confidential. However, due to the unsafe handling of null keyslot algorithms in the cryptsetup 2.8.1, it is possible that the opened volume is not encrypted at all. Cryptsetup prior to version 2.8.1 does not report an error when processing LUKS2-formatted disks that use the cipher_null-ecb algorithm in the keyslot encryption field. This vulnerability is fixed in 2.24.0. CVE-2025-58356 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58356.html CVE-2025-58356 OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1. CVE-2025-59043 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-59043.html CVE-2025-59043 https://bugzilla.suse.com/1252280 SUSE Bug 1252280 OpenBao's AWS Plugin generates AWS access credentials based on IAM policies. Prior to version 0.1.1, the AWS Plugin is vulnerable to cross-account IAM role Impersonation in the AWS auth method. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the same name in a trusted account, leading to unauthorized access. This impacts all users of the auth-aws plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts. This vulnerability has been patched in version 0.1.1 of the auth-aws plugin. A workaround for this issue involves guaranteeing that IAM role names are unique across all AWS accounts that could potentially interact with your OpenBao environment, and to audit for any duplicate IAM roles. CVE-2025-59048 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-59048.html CVE-2025-59048 quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames. CVE-2025-59530 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-59530.html CVE-2025-59530 Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, there is a nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints. The vulnerability exists in the isSensitiveSpec function which calls grpcomni.CreateResource without checking if the resource's metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version causing a segmentation fault. This vulnerability is fixed in 1.1.5 and 1.0.2. CVE-2025-59836 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-59836.html CVE-2025-59836 go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of the mail.Address values when a sender- or recipient address is passed to the corresponding MAIL FROM or RCPT TO commands of the SMTP client, there is a possibility of wrong address routing or even ESMTP parameter smuggling. For successful exploitation, it is required that the user's code allows for arbitrary mail address input (i. e. through a web form or similar). If only static mail addresses are used (i. e. in a config file) and the mail addresses in use do not consist of quoted local parts, this should not affect users. This issue is fixed in version 0.7.1 CVE-2025-59937 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-59937.html CVE-2025-59937 sqls-server/sqls 0.2.28 is vulnerable to command injection in the config command because the openEditor function passes the EDITOR environment variable and config file path to sh -c without sanitization, allowing attackers to execute arbitrary commands. CVE-2025-61141 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-61141.html CVE-2025-61141 An issue in the permission verification module and organization/application editing interface in Casdoor v2.26.0 and before, and fixed in v.2.63.0, allows remote authenticated administrators of any organization within the system to bypass the system's permission verification mechanism by directly concatenating URLs after login CVE-2025-61524 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-61524.html CVE-2025-61524 ** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control. This issue affects Apache Traffic Control: all versions. People with access to the management interface of the Traffic Router component could specify malicious patterns and cause unavailability. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. CVE-2025-61581 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-61581.html CVE-2025-61581 Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, Omni might leak sensitive information via an API. CVE-2025-61688 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-61688.html CVE-2025-61688 Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 contain a Zip Slip path traversal vulnerability in artifact extraction. During artifact extraction the unpack/untar logic (workflow/executor/executor.go) uses filepath.Join(dest, filepath.Clean(header.Name)) without validating that header.Name stays within the intended extraction directory. A malicious archive entry can supply a traversal or absolute path that, after cleaning, overrides the destination directory and causes files to be written outside the /work/tmp extraction path and into system directories such as /etc inside the container. The vulnerability enables arbitrary file creation or overwrite in system configuration locations (for example /etc/passwd, /etc/hosts, /etc/crontab), which can lead to privilege escalation or persistence within the affected container. Update to 3.6.12 or 3.7.3 to remediate the issue. CVE-2025-62156 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-62156.html CVE-2025-62156 Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attacker with permissions to read pod logs in a namespace running Argo Workflows can read the workflow-controller logs and obtain credentials to the artifact repository. Update to versions 3.6.12 or 3.7.3 to remediate the vulnerability. No known workarounds exist. CVE-2025-62157 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-62157.html CVE-2025-62157 go-witness and witness are Go modules for generating attestations. In go-witness versions 0.8.6 and earlier and witness versions 0.9.2 and earlier the AWS attestor improperly verifies AWS EC2 instance identity documents. Verification can incorrectly succeed when a signature is not present or is empty, and when RSA signature verification fails. The attestor also embeds a single legacy global AWS public certificate and does not account for newer region specific certificates issued in 2024, making detection of forged documents difficult without additional trusted region data. An attacker able to supply or intercept instance identity document data (such as through Instance Metadata Service impersonation) can cause a forged identity document to be accepted, leading to incorrect trust decisions based on the attestation. This is fixed in go-witness 0.9.1 and witness 0.10.1. As a workaround, manually verify the included identity document, signature, and public key with standard tools (for example openssl) following AWS's verification guidance, or disable use of the AWS attestor until upgraded. CVE-2025-62375 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-62375.html CVE-2025-62375 MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing operations on their own account, specifically when creating new service accounts for the same user. The vulnerability exists in the IAM policy validation logic where the code incorrectly relied on the DenyOnly argument when validating session policies for restricted accounts. When a session policy is present, the system should validate that the action is allowed by the session policy, not just that it is not denied. An attacker with valid credentials for a restricted service or STS account can create a new service account for itself without policy restrictions, resulting in a new service account with full parent privileges instead of being restricted by the inline policy. This allows the attacker to access buckets and objects beyond their intended restrictions and modify, delete, or create objects outside their authorized scope. The vulnerability is fixed in version RELEASE.2025-10-15T17-29-55Z. CVE-2025-62506 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-62506.html CVE-2025-62506 OpenBao is an open source identity-based secrets management system. In versions 2.2.0 to 2.4.1, OpenBao's audit log experienced a regression wherein raw HTTP bodies used by few endpoints were not correctly redacted (HMAC'd). This impacts those using the ACME functionality of PKI, resulting in short-lived ACME verification challenge codes being leaked in the audit logs. Additionally, this impacts those using the OIDC issuer functionality of the identity subsystem, auth and token response codes along with claims could be leaked in the audit logs. ACME verification codes are not usable after verification or challenge expiry so are of limited long-term use. This issue has been patched in OpenBao 2.4.2. CVE-2025-62513 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-62513.html CVE-2025-62513 https://bugzilla.suse.com/1252506 SUSE Bug 1252506 OpenBao is an open source identity-based secrets management system. Prior to version 2.4.2, OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response parameters rather than strings. This includes, but is not limited to sys/raw with use of encoding=base64, all data would be emitted unredacted to the audit log, and Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log. This issue has been patched in OpenBao 2.4.2. CVE-2025-62705 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-62705.html CVE-2025-62705 https://bugzilla.suse.com/1252505 SUSE Bug 1252505 Karmada Dashboard is a general-purpose, web-based control panel for Karmada which is a multi-cluster management project. Prior to version 0.2.0, there is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret, /api/v1/service) did not enforce authentication, allowing unauthenticated users to access sensitive cluster information such as Secrets and Services directly. Although the web UI required a valid JWT for access, the API itself remained exposed to direct requests without any authentication checks. Any user or entity with network access to the Karmada Dashboard service could exploit this vulnerability to retrieve sensitive data. CVE-2025-62714 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-62714.html CVE-2025-62714 Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker-supplied value from com.docker.compose.file/com.docker.compose.envfile with its local cache directory and writes the file there. This affects any platform or workflow that resolves remote OCI compose artifacts, Docker Desktop, standalone Compose binaries on Linux, CI/CD runners, cloud dev environments is affected. An attacker can escape the cache directory and overwrite arbitrary files on the machine running docker compose, even if the user only runs read-only commands such as docker compose config or docker compose ps. This issue is fixed in v2.40.2. CVE-2025-62725 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-62725.html CVE-2025-62725 https://bugzilla.suse.com/1252752 SUSE Bug 1252752 Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network. CVE-2025-62820 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-62820.html CVE-2025-62820 Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account. It's important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18. CVE-2025-64101 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-64101.html CVE-2025-64101 Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18. CVE-2025-64102 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-64102.html CVE-2025-64102 Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple factors. Bypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18. CVE-2025-64103 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251105T184115-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-64103.html CVE-2025-64103