Security update for govulncheck-vulndb SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0292-1 Final 1 1 2026-01-26T11:11:49Z current 2026-01-26T11:11:49Z 2026-01-26T11:11:49Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for govulncheck-vulndb This update for govulncheck-vulndb fixes the following issues: Update to version 0.0.20260123T022811 2026-01-23T02:28:11Z (jsc#PED-11136). Go CVE Numbering Authority IDs added or updated with aliases: * GO-2025-3764 CVE-2024-44905 GHSA-6xp3-p59p-q4fj * GO-2025-4188 CVE-2025-65637 GHSA-4f99-4q7p-p3gh * GO-2025-4252 CVE-2025-68383 GHSA-2mj3-6grc-px38 * GO-2025-4253 CVE-2025-68388 GHSA-fj69-23m4-ccvv * GO-2026-4310 CVE-2026-22689 GHSA-524m-q5m7-79mm * GO-2026-4311 CVE-2026-22772 GHSA-59jp-pj84-45mr * GO-2026-4312 CVE-2026-22771 GHSA-xrwg-mqj6-6m22 * GO-2026-4313 CVE-2026-22786 GHSA-3558-j79f-vvm6 * GO-2026-4314 CVE-2026-22868 GHSA-mq3p-rrmp-79jg * GO-2026-4315 CVE-2026-22862 GHSA-mr7q-c9w9-wh4h * GO-2026-4316 GHSA-mqqf-5wvp-8fh8 * GO-2026-4317 CVE-2017-18892 GHSA-wj5w-qghh-gvqp * GO-2026-4318 CVE-2025-66292 GHSA-vh2x-fw87-4fxq * GO-2026-4319 CVE-2026-23511 GHSA-pvm5-9frx-264r * GO-2026-4320 CVE-2026-23520 GHSA-gjqq-6r35-w3r8 * GO-2026-4321 CVE-2025-68671 GHSA-f2ph-gc9m-q55f * GO-2026-4322 CVE-2026-22045 GHSA-cwjm-3f7h-9hwq The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-292,openSUSE-SLE-15.6-2026-292 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ Link for SUSE-SU-2026:0292-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023916.html E-Mail link for SUSE-SU-2026:0292-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-18892/ SUSE CVE CVE-2017-18892 page https://www.suse.com/security/cve/CVE-2024-44905/ SUSE CVE CVE-2024-44905 page https://www.suse.com/security/cve/CVE-2025-65637/ SUSE CVE CVE-2025-65637 page https://www.suse.com/security/cve/CVE-2025-66292/ SUSE CVE CVE-2025-66292 page https://www.suse.com/security/cve/CVE-2025-68383/ SUSE CVE CVE-2025-68383 page https://www.suse.com/security/cve/CVE-2025-68388/ SUSE CVE CVE-2025-68388 page https://www.suse.com/security/cve/CVE-2025-68671/ SUSE CVE CVE-2025-68671 page https://www.suse.com/security/cve/CVE-2026-22045/ SUSE CVE CVE-2026-22045 page https://www.suse.com/security/cve/CVE-2026-22689/ SUSE CVE CVE-2026-22689 page https://www.suse.com/security/cve/CVE-2026-22771/ SUSE CVE CVE-2026-22771 page https://www.suse.com/security/cve/CVE-2026-22772/ SUSE CVE CVE-2026-22772 page https://www.suse.com/security/cve/CVE-2026-22786/ SUSE CVE CVE-2026-22786 page https://www.suse.com/security/cve/CVE-2026-22862/ SUSE CVE CVE-2026-22862 page https://www.suse.com/security/cve/CVE-2026-22868/ SUSE CVE CVE-2026-22868 page https://www.suse.com/security/cve/CVE-2026-23511/ SUSE CVE CVE-2026-23511 page https://www.suse.com/security/cve/CVE-2026-23520/ SUSE CVE CVE-2026-23520 page openSUSE Leap 15.6 An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized. CVE-2017-18892 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2017-18892.html CVE-2017-18892 go-pg pg v10.13.0 was discovered to contain a SQL injection vulnerability via the component /types/append_value.go. CVE-2024-44905 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2024-44905.html CVE-2024-44905 A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged. CVE-2025-65637 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2025-65637.html CVE-2025-65637 DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). And the helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2. CVE-2025-66292 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2025-66292.html CVE-2025-66292 Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow (CAPEC-100) and cause a denial of service (panic/crash) of the Filebeat process via either a malformed Syslog message or a malicious tokenizer pattern in the Dissect configuration. CVE-2025-68383 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2025-68383.html CVE-2025-68383 Allocation of resources without limits or throttling (CWE-770) allows an unauthenticated remote attacker to cause excessive allocation (CAPEC-130) of memory and CPU via the integration of malicious IPv4 fragments, leading to a degradation in Packetbeat. CVE-2025-68388 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2025-68388.html CVE-2025-68388 lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0. CVE-2025-68671 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2025-68671.html CVE-2025-68671 Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7. CVE-2026-22045 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2026-22045.html CVE-2026-22045 https://bugzilla.suse.com/1256815 SUSE Bug 1256815 Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2. CVE-2026-22689 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2026-22689.html CVE-2026-22689 Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2. CVE-2026-22771 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2026-22771.html CVE-2026-22771 Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5. CVE-2026-22772 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2026-22772.html CVE-2026-22772 https://bugzilla.suse.com/1256532 SUSE Bug 1256532 Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. Attacker can upload any files on any directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../). An attacker with file upload privileges could exploit this vulnerability. CVE-2026-22786 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2026-22786.html CVE-2026-22786 go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8. CVE-2026-22862 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2026-22862.html CVE-2026-22862 go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8. CVE-2026-22868 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2026-22868.html CVE-2026-22868 ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6. CVE-2026-23511 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2026-23511.html CVE-2026-23511 Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane's updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0. CVE-2026-23520 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260292-1/ https://www.suse.com/security/cve/CVE-2026-23520.html CVE-2026-23520