Security update for govulncheck-vulndb SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0037-1 Final 1 1 2026-01-06T10:24:33Z current 2026-01-06T10:24:33Z 2026-01-06T10:24:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for govulncheck-vulndb This update for govulncheck-vulndb fixes the following issues: - Update to version 0.0.20251230T014957 2025-12-30T01:49:57Z (jsc#PED-11136). Go CVE Numbering Authority IDs added or updated with aliases: * GO-2025-4249 CVE-2025-68120 CVE-2025-68120 * GO-2025-4254 CVE-2025-62190 GHSA-gmx5-frv9-9m9f * GO-2025-4255 CVE-2025-12689 GHSA-j5vq-62gr-8v3r * GO-2025-4256 CVE-2025-13324 GHSA-x3r8-2hmh-89f5 * GO-2025-4257 CVE-2025-68476 GHSA-c4p6-qg4m-9jmr * GO-2025-4258 CVE-2025-68938 GHSA-cm54-pfmc-xrwx * GO-2025-4261 CVE-2025-68939 GHSA-263q-5cv3-xq9g * GO-2025-4262 CVE-2025-68945 GHSA-7xq4-mwcp-q8fx * GO-2025-4263 CVE-2025-68942 GHSA-898p-hh3p-hf9r * GO-2025-4264 CVE-2025-68944 GHSA-f85h-c7m6-cfpm * GO-2025-4265 CVE-2025-68946 GHSA-hq57-c72x-4774 * GO-2025-4266 CVE-2025-68943 GHSA-jhx5-4vr4-f327 * GO-2025-4267 CVE-2025-68940 GHSA-rrcw-5rjv-vj26 * GO-2025-4268 CVE-2025-68941 GHSA-xfq3-qj7j-4565 - Update to version 0.0.20251222T181535 2025-12-22T18:15:35Z (jsc#PED-11136). Go CVE Numbering Authority IDs added or updated with aliases: * GO-2025-4241 CVE-2025-11393 GHSA-cc8c-28gj-px38 * GO-2025-4242 CVE-2025-13888 GHSA-pcqx-8qww-7f4v * GO-2025-4243 GHSA-wh6m-h6f4-rjf4 * GO-2025-4244 CVE-2025-68274 GHSA-c623-f998-8hhv * GO-2025-4245 CVE-2025-68156 GHSA-cfpf-hrx2-8rv6 * GO-2025-4247 CVE-2025-13352 GHSA-jf5h-xfw4-p8gp * GO-2025-4250 CVE-2025-14764 GHSA-3g75-q268-r9r6 - Update to version 0.0.20251216T193914 2025-12-16T19:39:14Z (jsc#PED-11136). Go CVE Numbering Authority IDs added or updated with aliases: * GO-2025-4239 CVE-2025-68113 GHSA-6gvq-jcmp-8959 * GO-2025-4240 CVE-2025-13281 GHSA-r6j8-c6r2-37rr - Update to version 0.0.20251216T162327 2025-12-16T16:23:27Z (jsc#PED-11136). Go CVE Numbering Authority IDs added or updated with aliases: * GO-2024-3036 CVE-2024-41265 GHSA-vw7g-3cc7-7rmh * GO-2024-3057 CVE-2024-41260 GHSA-9v35-4xcr-w9ph * GO-2025-3437 GHSA-274v-mgcv-cm8j * GO-2025-3465 CVE-2025-0426 GHSA-jgfp-53c3-624w * GO-2025-3764 CVE-2024-44905 GHSA-6xp3-p59p-q4fj * GO-2025-3829 CVE-2025-54410 GHSA-4vq8-7jfc-9cvp * GO-2025-4116 CVE-2025-47913 * GO-2025-4122 CVE-2025-11777 GHSA-mqcj-8c2g-h97q * GO-2025-4178 CVE-2025-13870 GHSA-58w6-w55x-6wq8 - Update to version 0.0.20251215T203741 2025-12-15T20:37:41Z (jsc#PED-11136). Go CVE Numbering Authority IDs added or updated with aliases: * GO-2025-4136 CVE-2025-64708 GHSA-ch7q-53v8-73pc * GO-2025-4137 CVE-2025-64521 GHSA-xr73-jq5p-ch8r * GO-2025-4148 CVE-2017-18874 GHSA-8qg8-c7mw-6fj7 * GO-2025-4154 CVE-2025-62155 GHSA-9f46-w24h-69w4 * GO-2025-4161 CVE-2025-65942 GHSA-66jq-2c23-2xh5 * GO-2025-4162 CVE-2025-60633 GHSA-3j9f-7w24-pcqg * GO-2025-4167 CVE-2025-64715 GHSA-38pp-6gcp-rqvm * GO-2025-4168 CVE-2025-12419 GHSA-3x39-62h4-f8j6 * GO-2025-4169 CVE-2025-12559 GHSA-4g87-9x45-cx2h * GO-2025-4170 CVE-2025-12421 GHSA-mp6x-97xj-9x62 * GO-2025-4173 CVE-2025-10543 GHSA-32fw-gq77-f2f2 * GO-2025-4188 CVE-2025-65637 GHSA-4f99-4q7p-p3gh * GO-2025-4191 CVE-2017-18878 GHSA-h564-6gc2-fcc6 * GO-2025-4199 CVE-2017-18887 GHSA-35c4-5qfp-wxj6 * GO-2025-4200 CVE-2017-18885 GHSA-g78f-6xq7-rrhq * GO-2025-4201 CVE-2017-18889 GHSA-jp57-4x34-5v94 * GO-2025-4202 CVE-2017-18890 GHSA-m497-hq5x-6jcv * GO-2025-4203 CVE-2017-18888 GHSA-v2vm-hq26-5jv6 * GO-2025-4204 CVE-2017-18886 GHSA-wvjg-33p9-938h * GO-2025-4205 CVE-2025-66491 GHSA-7vww-mvcr-x6vj * GO-2025-4206 CVE-2025-66490 GHSA-gm3x-23wp-hc2c * GO-2025-4207 CVE-2025-66508 GHSA-7cqv-qcq2-r765 * GO-2025-4208 CVE-2025-66565 GHSA-m98w-cqp3-qcqr * GO-2025-4209 CVE-2025-66507 GHSA-qmg5-v42x-qqhq * GO-2025-4210 CVE-2025-67494 GHSA-7wfc-4796-gmg5 * GO-2025-4211 GHSA-m6wq-66p2-c8pc * GO-2025-4212 GHSA-pfrf-9r5f-73f5 * GO-2025-4213 CVE-2025-67495 GHSA-v959-qxv6-6f8p * GO-2025-4214 GHSA-4rmq-mc2c-r495 * GO-2025-4215 CVE-2025-65796 GHSA-8jcj-g9f4-qx42 * GO-2025-4216 CVE-2025-65798 GHSA-8p44-g572-557h * GO-2025-4217 CVE-2025-65795 GHSA-mg56-wc4q-rw4w * GO-2025-4218 CVE-2025-65799 GHSA-qgjp-5g5x-vhq2 * GO-2025-4219 GHSA-4r66-7rcv-x46x * GO-2025-4220 CVE-2025-65797 GHSA-99m2-qwx6-2w6f * GO-2025-4221 CVE-2025-67488 GHSA-gqfv-g4v7-m366 * GO-2025-4222 CVE-2025-67499 GHSA-jv3w-x3r3-g6rm * GO-2025-4223 CVE-2025-66626 GHSA-xrqc-7xgx-c9vh * GO-2025-4224 GHSA-mjcp-gpgx-ggcg * GO-2025-4225 CVE-2025-8110 GHSA-mq8m-42gh-wq7r * GO-2025-4226 CVE-2025-67713 GHSA-wqv2-4wpg-8hc9 * GO-2025-4227 CVE-2025-67717 GHSA-f4cf-9rvr-2rcx * GO-2025-4228 CVE-2025-65754 GHSA-8jqm-8qm3-qgqm * GO-2025-4229 CVE-2025-34410 GHSA-rpr2-4hqj-hc4q * GO-2025-4230 CVE-2025-34430 GHSA-5xpq-2vmc-5cqp * GO-2025-4231 CVE-2025-34429 GHSA-wrvc-x3wf-j5f5 * GO-2025-4232 CVE-2025-67508 GHSA-fw33-qpx7-rhx2 * GO-2025-4233 CVE-2025-64702 GHSA-g754-hx8w-x2g6 * GO-2025-4235 CVE-2025-66001 GHSA-4jj9-cgqc-x9h5 * GO-2025-4236 GHSA-4jmp-x7mh-rgmr * GO-2025-4237 CVE-2025-67818 GHSA-7v39-2hx7-7c43 * GO-2025-4238 CVE-2025-67819 GHSA-hmmh-292h-3364 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-37,openSUSE-SLE-15.6-2026-37 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ Link for SUSE-SU-2026:0037-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023691.html E-Mail link for SUSE-SU-2026:0037-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-18874/ SUSE CVE CVE-2017-18874 page https://www.suse.com/security/cve/CVE-2017-18878/ SUSE CVE CVE-2017-18878 page https://www.suse.com/security/cve/CVE-2017-18885/ SUSE CVE CVE-2017-18885 page https://www.suse.com/security/cve/CVE-2017-18886/ SUSE CVE CVE-2017-18886 page https://www.suse.com/security/cve/CVE-2017-18887/ SUSE CVE CVE-2017-18887 page https://www.suse.com/security/cve/CVE-2017-18888/ SUSE CVE CVE-2017-18888 page https://www.suse.com/security/cve/CVE-2017-18889/ SUSE CVE CVE-2017-18889 page https://www.suse.com/security/cve/CVE-2017-18890/ SUSE CVE CVE-2017-18890 page https://www.suse.com/security/cve/CVE-2024-41260/ SUSE CVE CVE-2024-41260 page https://www.suse.com/security/cve/CVE-2024-41265/ SUSE CVE CVE-2024-41265 page https://www.suse.com/security/cve/CVE-2024-44905/ SUSE CVE CVE-2024-44905 page https://www.suse.com/security/cve/CVE-2025-0426/ SUSE CVE CVE-2025-0426 page https://www.suse.com/security/cve/CVE-2025-10543/ SUSE CVE CVE-2025-10543 page https://www.suse.com/security/cve/CVE-2025-11393/ SUSE CVE CVE-2025-11393 page https://www.suse.com/security/cve/CVE-2025-11777/ SUSE CVE CVE-2025-11777 page https://www.suse.com/security/cve/CVE-2025-12419/ SUSE CVE CVE-2025-12419 page https://www.suse.com/security/cve/CVE-2025-12421/ SUSE CVE CVE-2025-12421 page https://www.suse.com/security/cve/CVE-2025-12559/ SUSE CVE CVE-2025-12559 page https://www.suse.com/security/cve/CVE-2025-12689/ SUSE CVE CVE-2025-12689 page https://www.suse.com/security/cve/CVE-2025-13281/ SUSE CVE CVE-2025-13281 page https://www.suse.com/security/cve/CVE-2025-13324/ SUSE CVE CVE-2025-13324 page https://www.suse.com/security/cve/CVE-2025-13352/ SUSE CVE CVE-2025-13352 page https://www.suse.com/security/cve/CVE-2025-13870/ SUSE CVE CVE-2025-13870 page https://www.suse.com/security/cve/CVE-2025-13888/ SUSE CVE CVE-2025-13888 page https://www.suse.com/security/cve/CVE-2025-14764/ SUSE CVE CVE-2025-14764 page https://www.suse.com/security/cve/CVE-2025-34410/ SUSE CVE CVE-2025-34410 page https://www.suse.com/security/cve/CVE-2025-34429/ SUSE CVE CVE-2025-34429 page https://www.suse.com/security/cve/CVE-2025-34430/ SUSE CVE CVE-2025-34430 page https://www.suse.com/security/cve/CVE-2025-47913/ SUSE CVE CVE-2025-47913 page https://www.suse.com/security/cve/CVE-2025-54410/ SUSE CVE CVE-2025-54410 page https://www.suse.com/security/cve/CVE-2025-60633/ SUSE CVE CVE-2025-60633 page https://www.suse.com/security/cve/CVE-2025-62155/ SUSE CVE CVE-2025-62155 page https://www.suse.com/security/cve/CVE-2025-62190/ SUSE CVE CVE-2025-62190 page https://www.suse.com/security/cve/CVE-2025-64521/ SUSE CVE CVE-2025-64521 page https://www.suse.com/security/cve/CVE-2025-64702/ SUSE CVE CVE-2025-64702 page https://www.suse.com/security/cve/CVE-2025-64708/ SUSE CVE CVE-2025-64708 page https://www.suse.com/security/cve/CVE-2025-64715/ SUSE CVE CVE-2025-64715 page https://www.suse.com/security/cve/CVE-2025-65637/ SUSE CVE CVE-2025-65637 page https://www.suse.com/security/cve/CVE-2025-65754/ SUSE CVE CVE-2025-65754 page https://www.suse.com/security/cve/CVE-2025-65795/ SUSE CVE CVE-2025-65795 page https://www.suse.com/security/cve/CVE-2025-65796/ SUSE CVE CVE-2025-65796 page https://www.suse.com/security/cve/CVE-2025-65797/ SUSE CVE CVE-2025-65797 page https://www.suse.com/security/cve/CVE-2025-65798/ SUSE CVE CVE-2025-65798 page https://www.suse.com/security/cve/CVE-2025-65799/ SUSE CVE CVE-2025-65799 page https://www.suse.com/security/cve/CVE-2025-65942/ SUSE CVE CVE-2025-65942 page https://www.suse.com/security/cve/CVE-2025-66001/ SUSE CVE CVE-2025-66001 page https://www.suse.com/security/cve/CVE-2025-66490/ SUSE CVE CVE-2025-66490 page https://www.suse.com/security/cve/CVE-2025-66491/ SUSE CVE CVE-2025-66491 page https://www.suse.com/security/cve/CVE-2025-66507/ SUSE CVE CVE-2025-66507 page https://www.suse.com/security/cve/CVE-2025-66508/ SUSE CVE CVE-2025-66508 page https://www.suse.com/security/cve/CVE-2025-66565/ SUSE CVE CVE-2025-66565 page https://www.suse.com/security/cve/CVE-2025-66626/ SUSE CVE CVE-2025-66626 page https://www.suse.com/security/cve/CVE-2025-67488/ SUSE CVE CVE-2025-67488 page https://www.suse.com/security/cve/CVE-2025-67494/ SUSE CVE CVE-2025-67494 page https://www.suse.com/security/cve/CVE-2025-67495/ SUSE CVE CVE-2025-67495 page https://www.suse.com/security/cve/CVE-2025-67499/ SUSE CVE CVE-2025-67499 page https://www.suse.com/security/cve/CVE-2025-67508/ SUSE CVE CVE-2025-67508 page https://www.suse.com/security/cve/CVE-2025-67713/ SUSE CVE CVE-2025-67713 page https://www.suse.com/security/cve/CVE-2025-67717/ SUSE CVE CVE-2025-67717 page https://www.suse.com/security/cve/CVE-2025-67818/ SUSE CVE CVE-2025-67818 page https://www.suse.com/security/cve/CVE-2025-67819/ SUSE CVE CVE-2025-67819 page https://www.suse.com/security/cve/CVE-2025-68113/ SUSE CVE CVE-2025-68113 page https://www.suse.com/security/cve/CVE-2025-68120/ SUSE CVE CVE-2025-68120 page https://www.suse.com/security/cve/CVE-2025-68156/ SUSE CVE CVE-2025-68156 page https://www.suse.com/security/cve/CVE-2025-68274/ SUSE CVE CVE-2025-68274 page https://www.suse.com/security/cve/CVE-2025-68476/ SUSE CVE CVE-2025-68476 page https://www.suse.com/security/cve/CVE-2025-68938/ SUSE CVE CVE-2025-68938 page https://www.suse.com/security/cve/CVE-2025-68939/ SUSE CVE CVE-2025-68939 page https://www.suse.com/security/cve/CVE-2025-68940/ SUSE CVE CVE-2025-68940 page https://www.suse.com/security/cve/CVE-2025-68941/ SUSE CVE CVE-2025-68941 page https://www.suse.com/security/cve/CVE-2025-68942/ SUSE CVE CVE-2025-68942 page https://www.suse.com/security/cve/CVE-2025-68943/ SUSE CVE CVE-2025-68943 page https://www.suse.com/security/cve/CVE-2025-68944/ SUSE CVE CVE-2025-68944 page https://www.suse.com/security/cve/CVE-2025-68945/ SUSE CVE CVE-2025-68945 page https://www.suse.com/security/cve/CVE-2025-68946/ SUSE CVE CVE-2025-68946 page https://www.suse.com/security/cve/CVE-2025-8110/ SUSE CVE CVE-2025-8110 page openSUSE Leap 15.6 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal. CVE-2017-18874 moderate 5.5 AV:N/AC:L/Au:S/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2017-18874.html CVE-2017-18874 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session. CVE-2017-18878 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2017-18878.html CVE-2017-18878 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user's behalf. CVE-2017-18885 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2017-18885.html CVE-2017-18885 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands. CVE-2017-18886 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2017-18886.html CVE-2017-18886 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members. CVE-2017-18887 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2017-18887.html CVE-2017-18887 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts. CVE-2017-18888 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2017-18888.html CVE-2017-18888 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API. CVE-2017-18889 moderate 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2017-18889.html CVE-2017-18889 An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request. CVE-2017-18890 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2017-18890.html CVE-2017-18890 A static initialization vector (IV) in the encrypt function of netbird management's service from v0.23.2 to v0.29.1 allows attackers to obtain sensitive information (email addresses) when in possession of the audit events database. CVE-2024-41260 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2024-41260.html CVE-2024-41260 A TLS certificate verification issue discovered in cortex v0.42.1 allows attackers to obtain sensitive information via the makeOperatorRequest function. CVE-2024-41265 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2024-41265.html CVE-2024-41265 go-pg pg v10.13.0 was discovered to contain a SQL injection vulnerability via the component /types/append_value.go. CVE-2024-44905 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2024-44905.html CVE-2024-44905 A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk. CVE-2025-0426 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-0426.html CVE-2025-0426 https://bugzilla.suse.com/1237189 SUSE Bug 1237189 In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0 UTF-8 encoded strings, passed into the library, may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet). The issue arises because the length of the data passed in was converted from an int64/int32 (depending upon CPU) to an int16 without checks for overflows. The int16 length was then written, followed by the data (e.g. topic). This meant that when the data (e.g. topic) was over 65535 bytes then the amount of data written exceeds what the length field indicates. This could lead to a corrupt packet, or mean that the excess data leaks into another field (e.g. topic leaks into message body). CVE-2025-10543 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-10543.html CVE-2025-10543 https://bugzilla.suse.com/1255452 SUSE Bug 1255452 A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle. This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster's configuration or status on the Red Hat platform. CVE-2025-11393 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-11393.html CVE-2025-11393 Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint CVE-2025-11777 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-11777.html CVE-2025-11777 Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost. CVE-2025-12419 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-12419.html CVE-2025-12419 Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled). CVE-2025-12421 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-12421.html CVE-2025-12421 Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint CVE-2025-12559 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-12559.html CVE-2025-12559 Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request. CVE-2025-12689 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-12689.html CVE-2025-12689 A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane's host network (including link-local or loopback services). CVE-2025-13281 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-13281.html CVE-2025-13281 https://bugzilla.suse.com/1254405 SUSE Bug 1254405 Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed. CVE-2025-13324 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-13324.html CVE-2025-13324 Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts. CVE-2025-13352 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-13352.html CVE-2025-13352 Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does not have access to CVE-2025-13870 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-13870.html CVE-2025-13870 A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster. CVE-2025-13888 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-13888.html CVE-2025-13888 Missing cryptographic key commitment in the Amazon S3 Encryption Client for Go may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade Amazon S3 Encryption Client for Go to version 4.0 or later. CVE-2025-14764 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-14764.html CVE-2025-14764 1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim's 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and denial of service. CVE-2025-34410 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-34410.html CVE-2025-34410 1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the web port configuration functionality. The port-change endpoint lacks CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a port-change request; when a victim visits it while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the port on which the 1Panel web service listens, causing loss of access on the original port and resulting in service disruption or denial of service, and may unintentionally expose the service on an attacker-chosen port. CVE-2025-34429 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-34429.html CVE-2025-34429 1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management functionality. The affected endpoint does not implement CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a panel-name change request; if a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows a remote attacker to change the victim's panel name to an arbitrary value without consent. CVE-2025-34430 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-34430.html CVE-2025-34430 SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. CVE-2025-47913 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-47913.html CVE-2025-47913 https://bugzilla.suse.com/1253506 SUSE Bug 1253506 Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fails to re-create iptables rules that isolate bridge networks, allowing any container to access all ports on any other container across different bridge networks on the same host. This breaks network segmentation between containers that should be isolated, creating significant risk in multi-tenant environments. Only containers in --internal networks remain protected. Workarounds include reloading firewalld and either restarting the docker daemon, re-creating bridge networks, or using rootless mode. Maintainers anticipate a fix for this issue in version 25.0.13. CVE-2025-54410 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-54410.html CVE-2025-54410 https://bugzilla.suse.com/1247392 SUSE Bug 1247392 An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API. CVE-2025-60633 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-60633.html CVE-2025-60633 New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.9.6, a recently patched SSRF vulnerability contains a bypass method that can bypass the existing security fix and still allow SSRF to occur. Because the existing fix only applies security restrictions to the first URL request, a 302 redirect can bypass existing security measures and successfully access the intranet. This issue has been patched in version 0.9.6. CVE-2025-62155 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-62155.html CVE-2025-62155 Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link CVE-2025-62190 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-62190.html CVE-2025-62190 authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied and federation with other providers still take assigned policies correctly into account. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves adding a policy to the application that explicitly checks if the service account is still valid, and deny access if not. CVE-2025-64521 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-64521.html CVE-2025-64521 quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0. CVE-2025-64702 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-64702.html CVE-2025-64702 https://bugzilla.suse.com/1255365 SUSE Bug 1255365 authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large amount of tasks in the backlog, this might take longer. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves creating a policy that explicitly checks whether the invitation is still valid, and then bind it to the invitation stage on the invitation flow, and denying access if the invitation is not valid. CVE-2025-64708 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-64708.html CVE-2025-64708 Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.16.17, 1.17.10, and 1.18.4, CiliumNetworkPolicys which use egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that do not exist or are not attached to any network interface may unintentionally allow broader outbound access than intended by the policy authors. In such cases, the toCIDRset section of the derived policy is not generated, which means outbound traffic may be permitted to more destinations than originally intended. This issue has been patched in versions 1.16.17, 1.17.10, and 1.18.4. There are no workarounds for this issue. CVE-2025-64715 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-64715.html CVE-2025-64715 A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged. CVE-2025-65637 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-65637.html CVE-2025-65637 Cross Site Scripting vulnerability in Algernon v1.17.4 allows attackers to execute arbitrary code via injecting a crafted payload into a filename. CVE-2025-65754 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-65754.html CVE-2025-65754 Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request. CVE-2025-65795 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-65795.html CVE-2025-65795 Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users' Memos. CVE-2025-65796 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-65796.html CVE-2025-65796 Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Service (DoS). CVE-2025-65797 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-65797.html CVE-2025-65797 Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users. CVE-2025-65798 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-65798.html CVE-2025-65798 A lack of file name validation or verification in the Attachment service of usememos memos v0.25.2 allows attackers to execute a path traversal. CVE-2025-65799 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-65799.html CVE-2025-65799 VictoriaMetrics is a scalable solution for monitoring and managing time series data. In versions from 1.0.0 to before 1.110.23, from 1.111.0 to before 1.122.8, and from 1.123.0 to before 1.129.1, affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics request size limits allowing malformed blocks to trigger excessive memory use. This could lead to OOM errors and service instability. The fix enforces block-size checks based on MaxRequest limits. This issue has been patched in versions 1.110.23, 1.122.8, and 1.129.1. CVE-2025-65942 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-65942.html CVE-2025-65942 unknown CVE-2025-66001 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-66001.html CVE-2025-66001 https://bugzilla.suse.com/1254249 SUSE Bug 1254249 Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters (/, \, Null, ;, ?, #) can bypass the middleware chain and reach unintended backends. For example, a request to http://mydomain.example.com/admin%2F could reach service-a without triggering my-security-middleware, bypassing security controls for the /admin/ path. This issue is fixed in versions 2.11.32 and 3.6.3. CVE-2025-66490 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-66490.html CVE-2025-66490 https://bugzilla.suse.com/1254879 SUSE Bug 1254879 Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3. CVE-2025-66491 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-66491.html CVE-2025-66491 https://bugzilla.suse.com/1254880 SUSE Bug 1254880 1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections can be bypassed, enabling automated login attempts and significantly increasing the risk of account takeover (ATO). This issue is fixed in version 2.0.14. CVE-2025-66507 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-66507.html CVE-2025-66507 1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.14 and below use Gin's default configuration which trusts all IP addresses as proxies (TrustedProxies = 0.0.0.0/0), allowing any client to spoof the X-Forwarded-For header. Since all IP-based access controls (AllowIPs, API whitelists, localhost-only checks) rely on ClientIP(), attackers can bypass these protections by simply sending X-Forwarded-For: 127.0.0.1 or any whitelisted IP. This renders all IP-based security controls ineffective. This issue is fixed in version 2.0.14. CVE-2025-66508 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-66508.html CVE-2025-66508 Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID "00000000-0000-0000-0000-000000000000". The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures, compromising the security of all Fiber applications using these functions for security-critical operations. This issue is fixed in version 2.0.0-rc.4. CVE-2025-66565 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-66565.html CVE-2025-66565 Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4, contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's target and the subsequent check are flawed. An attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which would be executed at the pod's start. The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. This issue is fixed in versions 3.6.14 and 3.7.5. CVE-2025-66626 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-66626.html CVE-2025-66626 SiYuan is self-hosted, open source personal knowledge management software. Versions 0.0.0-20251202123337-6ef83b42c7ce and below contain function importZipMd which is vulnerable to ZipSlips, allowing an authenticated user to overwrite files on the system. An authenticated user with access to the import functionality in notes is able to overwrite any file on the system, and can escalate to full code execution under some circumstances. A fix is planned for version 3.5.0. CVE-2025-67488 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-67488.html CVE-2025-67488 ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1. CVE-2025-67494 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-67494.html CVE-2025-67494 ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the post_logout_redirect GET parameter. As a result, unauthenticated remote attacker can execute malicious JS code on Zitadel users' browsers. To carry out an attack, multiple user sessions need to be active in the same browser, however, account takeover is mitigated when using Multi-Factor Authentication (MFA) or Passwordless authentication. This issue is fixed in version 4.7.1. CVE-2025-67495 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-67495.html CVE-2025-67495 The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. This issue is fixed in version 1.9.0. To workaround, configure the portmap plugin to use the iptables backend. It does not have this vulnerability. CVE-2025-67499 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-67499.html CVE-2025-67499 https://bugzilla.suse.com/1255499 SUSE Bug 1255499 gardenctl is a command-line client for the Gardener which configures access to clusters and cloud provider CLI tools. When using non-POSIX shells such as Fish and PowerShell, versions 2.11.0 and below of gardenctl allow an attacker with administrative privileges for a Gardener project to craft malicious credential values. The forged credential values are used in infrastructure Secret objects that break out of the intended string context when evaluated in Fish or PowerShell environments used by the Gardener service operators. This issue is fixed in version 2.12.0. CVE-2025-67508 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-67508.html CVE-2025-67508 Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15. CVE-2025-67713 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-67713.html CVE-2025-67713 ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2. CVE-2025-67717 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-67717.html CVE-2025-67717 An issue was discovered in Weaviate OSS before 1.33.4. An attacker with access to insert data into the database can craft an entry name with an absolute path (e.g., /etc/...) or use parent directory traversal (../../..) to escape the restore root when a backup is restored, potentially creating or overwriting files in arbitrary locations within the application's privilege scope. CVE-2025-67818 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-67818.html CVE-2025-67818 An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker who can call the GetFile method while a shard is in the "Pause file activity" state and the FileReplicationService is reachable can read arbitrary files accessible to the service process. CVE-2025-67819 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-67819.html CVE-2025-67819 ALTCHA is privacy-first software for captcha and bot protection. A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC signature does not unambiguously bind challenge parameters to the nonce, allowing an attacker to reinterpret a valid proof-of-work submission with a modified expiration value. This may allow previously solved challenges to be reused beyond their intended lifetime, depending on server-side replay handling and deployment assumptions. The vulnerability primarily impacts abuse-prevention mechanisms such as rate limiting and bot mitigation. It does not directly affect data confidentiality or integrity. This issue has been addressed by enforcing explicit semantic separation between challenge parameters and the nonce during HMAC computation. Users are advised to upgrade to patched versions, which include version 1.0.0 of the altcha Golang package, version 1.0.0 of the altcha Rubygem, version 1.0.0 of the altcha pip package, version 1.0.0 of the altcha Erlang package, version 1.4.1 of the altcha-lib npm package, version 1.3.1 of the altcha-org/altcha Composer package, and version 1.3.0 of the org.altcha:altcha Maven package. As a mitigation, implementations may append a delimiter to the end of the `salt` value prior to HMAC computation (for example, `<salt>?expires=<time>&`). This prevents ambiguity between parameters and the nonce and is backward-compatible with existing implementations, as the delimiter is treated as a standard URL parameter separator. CVE-2025-68113 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-68113.html CVE-2025-68113 To prevent unexpected untrusted code execution, the Visual Studio Code Go extension is now disabled in Restricted Mode. CVE-2025-68120 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-68120.html CVE-2025-68120 Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and `median`, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation environment contains deeply nested or cyclic data structures, these functions may recurse indefinitely until exceed the Go runtime stack limit. This results in a stack overflow panic, causing the host application to crash. While exploitability depends on whether an attacker can influence or inject cyclic or pathologically deep data into the evaluation environment, this behavior represents a denial-of-service (DoS) risk and affects overall library robustness. Instead of returning a recoverable evaluation error, the process may terminate unexpectedly. In affected versions, evaluation of expressions that invoke certain builtin functions on untrusted or insufficiently validated data structures can lead to a process-level crash due to stack exhaustion. This issue is most relevant in scenarios where Expr is used to evaluate expressions against externally supplied or dynamically constructed environments; cyclic references (directly or indirectly) can be introduced into arrays, maps, or structs; and there are no application-level safeguards preventing deeply nested input data. In typical use cases with controlled, acyclic data, the issue may not manifest. However, when present, the resulting panic can be used to reliably crash the application, constituting a denial of service. The issue has been fixed in the v1.17.7 versions of Expr. The patch introduces a maximum recursion depth limit for affected builtin functions. When this limit is exceeded, evaluation aborts gracefully and returns a descriptive error instead of panicking. Additionally, the maximum depth can be customized by users via `builtin.MaxDepth`, allowing applications with legitimate deep structures to raise the limit in a controlled manner. Users are strongly encouraged to upgrade to the patched release, which includes both the recursion guard and comprehensive test coverage to prevent regressions. For users who cannot immediately upgrade, some mitigations are recommended. Ensure that evaluation environments cannot contain cyclic references, validate or sanitize externally supplied data structures before passing them to Expr, and/or wrap expression evaluation with panic recovery to prevent a full process crash (as a last-resort defensive measure). These workarounds reduce risk but do not fully eliminate the issue without the patch. CVE-2025-68156 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-68156.html CVE-2025-68156 https://bugzilla.suse.com/1255330 SUSE Bug 1255330 SIPGO is a library for writing SIP services in the GO language. Starting in version 0.3.0 and prior to version 1.0.0-alpha-1, a nil pointer dereference vulnerability is in the SIPGO library's `NewResponseFromRequest` function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header. The vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without proper nil checks. This affects routine operations like call setup, authentication, and message handling - not just error cases. This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of the `NewResponseFromRequest` function. Version 1.0.0-alpha-1 contains a patch for the issue. CVE-2025-68274 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-68274.html CVE-2025-68274 KEDA is a Kubernetes-based Event Driven Autoscaling component. Prior to versions 2.17.3 and 2.18.3, an Arbitrary File Read vulnerability has been identified in KEDA, potentially affecting any KEDA resource that uses TriggerAuthentication to configure HashiCorp Vault authentication. The vulnerability stems from an incorrect or insufficient path validation when loading the Service Account Token specified in spec.hashiCorpVault.credential.serviceAccount. An attacker with permissions to create or modify a TriggerAuthentication resource can exfiltrate the content of any file from the node's filesystem (where the KEDA pod resides) by directing the file's content to a server under their control, as part of the Vault authentication request. The potential impact includes the exfiltration of sensitive system information, such as secrets, keys, or the content of files like /etc/passwd. This issue has been patched in versions 2.17.3 and 2.18.3. CVE-2025-68476 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-68476.html CVE-2025-68476 Gitea before 1.25.2 mishandles authorization for deletion of releases. CVE-2025-68938 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-68938.html CVE-2025-68938 Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API. CVE-2025-68939 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-68939.html CVE-2025-68939 In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request. CVE-2025-68940 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-68940.html CVE-2025-68940 Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources. CVE-2025-68941 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-68941.html CVE-2025-68941 Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text. CVE-2025-68942 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-68942.html CVE-2025-68942 Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order. CVE-2025-68943 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-68943.html CVE-2025-68943 Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries. CVE-2025-68944 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-68944.html CVE-2025-68944 In Gitea before 1.21.2, an anonymous user can visit a private user's project. CVE-2025-68945 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-68945.html CVE-2025-68945 In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS. CVE-2025-68946 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-68946.html CVE-2025-68946 Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code. CVE-2025-8110 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260037-1/ https://www.suse.com/security/cve/CVE-2025-8110.html CVE-2025-8110