Security update for govulncheck-vulndb SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0403-1 Final 1 1 2026-02-06T16:58:29Z current 2026-02-06T16:58:29Z 2026-02-06T16:58:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for govulncheck-vulndb This update for govulncheck-vulndb fixes the following issues: - Update to version 0.0.20260205T172317 2026-02-05T17:23:17Z. Refs jsc#PED-11136 Go CVE Numbering Authority IDs added or updated with aliases: * GO-2026-4337 CVE-2025-68121 * GO-2026-4357 CVE-2026-23954 GHSA-7f67-crqm-jgh7 * GO-2026-4359 CVE-2026-23953 GHSA-x6jc-phwx-hp32 * GO-2026-4395 CVE-2026-25499 GHSA-gwch-7m8v-7544 * GO-2026-4396 CVE-2026-25059 GHSA-qmj2-8r24-xxcq * GO-2026-4397 CVE-2026-25060 GHSA-wf93-3ghh-h389 * GO-2026-4398 GHSA-grh9-37g7-53mj * GO-2026-4403 CVE-2025-22873 * GO-2026-4404 CVE-2025-70849 GHSA-mw8w-q3f7-2v85 * GO-2026-4405 CVE-2026-25121 GHSA-5g94-c2wx-8pxw * GO-2026-4406 CVE-2026-25122 GHSA-6p9p-q6wh-9j89 * GO-2026-4407 CVE-2026-24843 GHSA-qxx2-7h4c-83f4 * GO-2026-4408 CVE-2026-24844 GHSA-vqqr-rmpc-hhg2 * GO-2026-4409 CVE-2026-25145 GHSA-2w4f-9fgg-q2v9 * GO-2026-4411 CVE-2026-25579 GHSA-hrr4-3wgr-68x3 * GO-2026-4412 CVE-2026-25143 GHSA-rf4g-89h5-crcr * GO-2026-4413 CVE-2026-25578 GHSA-rh3r-8pxm-hg4w * GO-2026-4414 CVE-2026-25160 GHSA-8jmm-3xwx-w974 * GO-2026-4415 CVE-2026-25161 GHSA-x4q4-7phh-42j9 * GO-2026-4416 CVE-2026-25538 GHSA-8wpc-j9q9-j5m2 * GO-2026-4417 CVE-2026-24514 GHSA-2pf9-vr92-6h3v * GO-2026-4418 CVE-2023-43631 GHSA-3mq9-xhgq-r7gj * GO-2026-4419 CVE-2026-24513 GHSA-4g2f-xcph-2335 * GO-2026-4421 CVE-2026-24735 GHSA-5w5r-8xc6-2xhw * GO-2026-4422 CVE-2023-43632 GHSA-6jp5-grgh-jw42 * GO-2026-4423 CVE-2026-1580 GHSA-9h3p-52vh-959w * GO-2026-4425 CVE-2025-62878 GHSA-jr3w-9vfr-c746 * GO-2026-4426 CVE-2026-24512 GHSA-jx8c-56mg-h6vp * GO-2026-4428 CVE-2023-43633 GHSA-4c4v-42hc-72p6 * GO-2026-4430 CVE-2023-43630 GHSA-phcg-h58r-gmcq * GO-2026-4432 CVE-2023-43634 GHSA-wc42-fcjp-v8vq * GO-2026-4433 CVE-2025-61732 * GO-2026-4440 CVE-2025-47911 * GO-2026-4441 CVE-2025-58190 - Update to version 0.0.20260204T190754 2026-02-04T19:07:54Z. Refs jsc#PED-11136 Go CVE Numbering Authority IDs added or updated with aliases: * GO-2026-4324 CVE-2026-23645 GHSA-pcjq-j3mq-jv5j * GO-2026-4327 CVE-2026-23742 GHSA-cc8m-98fm-rc9g * GO-2026-4329 CVE-2026-21696 GHSA-2497-gp99-2m74 * GO-2026-4330 CVE-2026-22822 GHSA-77v3-r3jw-j2v2 * GO-2026-4331 CVE-2025-69199 GHSA-8w7m-w749-rx98 * GO-2026-4333 CVE-2026-23829 GHSA-54wq-72mp-cq7c * GO-2026-4334 CVE-2026-23517 GHSA-4r5r-ccr6-q6f6 * GO-2026-4335 CVE-2026-23518 GHSA-63m5-974w-448v * GO-2026-4336 CVE-2026-22808 GHSA-gfpw-jgvr-cw4j * GO-2026-4343 CVE-2026-23847 GHSA-w836-5gpm-7r93 * GO-2026-4344 CVE-2026-23849 GHSA-43mm-m3h2-3prc * GO-2026-4345 CVE-2026-23845 GHSA-6jxm-fv7w-rw5j * GO-2026-4346 CVE-2026-23851 GHSA-94c7-g2fj-7682 * GO-2026-4347 CVE-2026-23850 GHSA-cv54-7wv7-qxcw * GO-2026-4348 CVE-2026-23991 GHSA-846p-jg2w-w324 * GO-2026-4349 CVE-2026-23992 GHSA-fphv-w9fq-2525 * GO-2026-4350 CVE-2026-23960 GHSA-cv78-6m8q-ph82 * GO-2026-4351 CVE-2026-23990 GHSA-4xh5-jcj2-ch8q * GO-2026-4352 GHSA-r92c-9c7f-3pj8 * GO-2026-4353 CVE-2026-24058 GHSA-pchf-49fh-w34r * GO-2026-4354 CVE-2026-23831 GHSA-273p-m2cw-6833 * GO-2026-4355 CVE-2026-24117 GHSA-4c4x-jm2x-pf9j * GO-2026-4356 CVE-2026-24124 GHSA-j8hf-cp34-g4j7 * GO-2026-4362 CVE-2026-20800 GHSA-2vgv-hgv4-22mh * GO-2026-4363 CVE-2026-20897 GHSA-393c-qgvj-3xph * GO-2026-4364 CVE-2026-20912 GHSA-4xx9-vc8v-87hv * GO-2026-4365 CVE-2026-0798 GHSA-8fwc-qjw5-rvgp * GO-2026-4366 CVE-2026-20888 GHSA-9cgq-wp42-4rpq * GO-2026-4367 CVE-2026-20736 GHSA-hgr3-x44x-33hx * GO-2026-4368 CVE-2026-20883 GHSA-j8xr-c56q-m8jj * GO-2026-4369 CVE-2026-20904 GHSA-qqgv-v353-cv8p * GO-2026-4370 CVE-2026-20750 GHSA-rw22-5hhq-pfpf * GO-2026-4377 CVE-2026-24686 GHSA-jqc5-w2xx-5vq4 * GO-2026-4378 CVE-2026-24470 GHSA-mxxc-p822-2hx9 * GO-2026-4379 CVE-2026-24738 GHSA-j49h-6577-5xwq * GO-2026-4380 CVE-2026-24740 GHSA-m855-r557-5rc5 * GO-2026-4381 CVE-2026-22039 GHSA-8p9x-46gm-qfx2 * GO-2026-4382 CVE-2026-23881 GHSA-r2rj-wwm5-x6mq * GO-2026-4384 CVE-2025-14525 GHSA-25mh-hp8x-cgrv * GO-2026-4385 CVE-2026-24748 GHSA-w5wv-wvrp-v5m5 * GO-2026-4386 GHSA-f72r-2h5j-7639 * GO-2026-4387 GHSA-c4jr-5q7w-f6r9 * GO-2026-4388 CVE-2026-1237 GHSA-j477-6vpg-6c8x * GO-2026-4390 CVE-2025-69820 GHSA-73jg-4qh6-3f4g * GO-2026-4391 CVE-2026-24846 GHSA-923j-vrcg-hxwh * GO-2026-4393 CVE-2025-67601 GHSA-mc24-7m59-4q5p The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-403,openSUSE-SLE-15.6-2026-403 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ Link for SUSE-SU-2026:0403-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024084.html E-Mail link for SUSE-SU-2026:0403-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-43630/ SUSE CVE CVE-2023-43630 page https://www.suse.com/security/cve/CVE-2023-43631/ SUSE CVE CVE-2023-43631 page https://www.suse.com/security/cve/CVE-2023-43632/ SUSE CVE CVE-2023-43632 page https://www.suse.com/security/cve/CVE-2023-43633/ SUSE CVE CVE-2023-43633 page https://www.suse.com/security/cve/CVE-2023-43634/ SUSE CVE CVE-2023-43634 page https://www.suse.com/security/cve/CVE-2025-14525/ SUSE CVE CVE-2025-14525 page https://www.suse.com/security/cve/CVE-2025-22873/ SUSE CVE CVE-2025-22873 page https://www.suse.com/security/cve/CVE-2025-47911/ SUSE CVE CVE-2025-47911 page https://www.suse.com/security/cve/CVE-2025-58190/ SUSE CVE CVE-2025-58190 page https://www.suse.com/security/cve/CVE-2025-61732/ SUSE CVE CVE-2025-61732 page https://www.suse.com/security/cve/CVE-2025-62878/ SUSE CVE CVE-2025-62878 page https://www.suse.com/security/cve/CVE-2025-67601/ SUSE CVE CVE-2025-67601 page https://www.suse.com/security/cve/CVE-2025-68121/ SUSE CVE CVE-2025-68121 page https://www.suse.com/security/cve/CVE-2025-69199/ SUSE CVE CVE-2025-69199 page https://www.suse.com/security/cve/CVE-2025-69820/ SUSE CVE CVE-2025-69820 page https://www.suse.com/security/cve/CVE-2025-70849/ SUSE CVE CVE-2025-70849 page https://www.suse.com/security/cve/CVE-2026-0798/ SUSE CVE CVE-2026-0798 page https://www.suse.com/security/cve/CVE-2026-1237/ SUSE CVE CVE-2026-1237 page https://www.suse.com/security/cve/CVE-2026-1580/ SUSE CVE CVE-2026-1580 page https://www.suse.com/security/cve/CVE-2026-20736/ SUSE CVE CVE-2026-20736 page https://www.suse.com/security/cve/CVE-2026-20750/ SUSE CVE CVE-2026-20750 page https://www.suse.com/security/cve/CVE-2026-20800/ SUSE CVE CVE-2026-20800 page https://www.suse.com/security/cve/CVE-2026-20883/ SUSE CVE CVE-2026-20883 page https://www.suse.com/security/cve/CVE-2026-20888/ SUSE CVE CVE-2026-20888 page https://www.suse.com/security/cve/CVE-2026-20897/ SUSE CVE CVE-2026-20897 page https://www.suse.com/security/cve/CVE-2026-20904/ SUSE CVE CVE-2026-20904 page https://www.suse.com/security/cve/CVE-2026-20912/ SUSE CVE CVE-2026-20912 page https://www.suse.com/security/cve/CVE-2026-21696/ SUSE CVE CVE-2026-21696 page https://www.suse.com/security/cve/CVE-2026-22039/ SUSE CVE CVE-2026-22039 page https://www.suse.com/security/cve/CVE-2026-22808/ SUSE CVE CVE-2026-22808 page https://www.suse.com/security/cve/CVE-2026-22822/ SUSE CVE CVE-2026-22822 page https://www.suse.com/security/cve/CVE-2026-23517/ SUSE CVE CVE-2026-23517 page https://www.suse.com/security/cve/CVE-2026-23518/ SUSE CVE CVE-2026-23518 page https://www.suse.com/security/cve/CVE-2026-23645/ SUSE CVE CVE-2026-23645 page https://www.suse.com/security/cve/CVE-2026-23742/ SUSE CVE CVE-2026-23742 page https://www.suse.com/security/cve/CVE-2026-23829/ SUSE CVE CVE-2026-23829 page https://www.suse.com/security/cve/CVE-2026-23831/ SUSE CVE CVE-2026-23831 page https://www.suse.com/security/cve/CVE-2026-23845/ SUSE CVE CVE-2026-23845 page https://www.suse.com/security/cve/CVE-2026-23847/ SUSE CVE CVE-2026-23847 page https://www.suse.com/security/cve/CVE-2026-23849/ SUSE CVE CVE-2026-23849 page https://www.suse.com/security/cve/CVE-2026-23850/ SUSE CVE CVE-2026-23850 page https://www.suse.com/security/cve/CVE-2026-23851/ SUSE CVE CVE-2026-23851 page https://www.suse.com/security/cve/CVE-2026-23881/ SUSE CVE CVE-2026-23881 page https://www.suse.com/security/cve/CVE-2026-23953/ SUSE CVE CVE-2026-23953 page https://www.suse.com/security/cve/CVE-2026-23954/ SUSE CVE CVE-2026-23954 page https://www.suse.com/security/cve/CVE-2026-23960/ SUSE CVE CVE-2026-23960 page https://www.suse.com/security/cve/CVE-2026-23990/ SUSE CVE CVE-2026-23990 page https://www.suse.com/security/cve/CVE-2026-23991/ SUSE CVE CVE-2026-23991 page https://www.suse.com/security/cve/CVE-2026-23992/ SUSE CVE CVE-2026-23992 page https://www.suse.com/security/cve/CVE-2026-24058/ SUSE CVE CVE-2026-24058 page https://www.suse.com/security/cve/CVE-2026-24117/ SUSE CVE CVE-2026-24117 page https://www.suse.com/security/cve/CVE-2026-24124/ SUSE CVE CVE-2026-24124 page https://www.suse.com/security/cve/CVE-2026-24470/ SUSE CVE CVE-2026-24470 page https://www.suse.com/security/cve/CVE-2026-24512/ SUSE CVE CVE-2026-24512 page https://www.suse.com/security/cve/CVE-2026-24513/ SUSE CVE CVE-2026-24513 page https://www.suse.com/security/cve/CVE-2026-24514/ SUSE CVE CVE-2026-24514 page https://www.suse.com/security/cve/CVE-2026-24686/ SUSE CVE CVE-2026-24686 page https://www.suse.com/security/cve/CVE-2026-24735/ SUSE CVE CVE-2026-24735 page https://www.suse.com/security/cve/CVE-2026-24738/ SUSE CVE CVE-2026-24738 page https://www.suse.com/security/cve/CVE-2026-24740/ SUSE CVE CVE-2026-24740 page https://www.suse.com/security/cve/CVE-2026-24748/ SUSE CVE CVE-2026-24748 page https://www.suse.com/security/cve/CVE-2026-24843/ SUSE CVE CVE-2026-24843 page https://www.suse.com/security/cve/CVE-2026-24844/ SUSE CVE CVE-2026-24844 page https://www.suse.com/security/cve/CVE-2026-24846/ SUSE CVE CVE-2026-24846 page https://www.suse.com/security/cve/CVE-2026-25059/ SUSE CVE CVE-2026-25059 page https://www.suse.com/security/cve/CVE-2026-25060/ SUSE CVE CVE-2026-25060 page https://www.suse.com/security/cve/CVE-2026-25121/ SUSE CVE CVE-2026-25121 page https://www.suse.com/security/cve/CVE-2026-25122/ SUSE CVE CVE-2026-25122 page https://www.suse.com/security/cve/CVE-2026-25143/ SUSE CVE CVE-2026-25143 page https://www.suse.com/security/cve/CVE-2026-25145/ SUSE CVE CVE-2026-25145 page https://www.suse.com/security/cve/CVE-2026-25160/ SUSE CVE CVE-2026-25160 page https://www.suse.com/security/cve/CVE-2026-25161/ SUSE CVE CVE-2026-25161 page https://www.suse.com/security/cve/CVE-2026-25499/ SUSE CVE CVE-2026-25499 page https://www.suse.com/security/cve/CVE-2026-25538/ SUSE CVE CVE-2026-25538 page https://www.suse.com/security/cve/CVE-2026-25578/ SUSE CVE CVE-2026-25578 page https://www.suse.com/security/cve/CVE-2026-25579/ SUSE CVE CVE-2026-25579 page openSUSE Leap 15.6 PCR14 is not in the list of PCRs that seal/unseal the "vault" key, but due to the change that was implemented in commit "7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4", fixing this issue alone would not solve the problem of the config partition not being measured correctly. Also, the "vault" key is sealed/unsealed with SHA1 PCRs instead of SHA256. This issue was somewhat mitigated due to all of the PCR extend functions updating both the values of SHA256 and SHA1 for a given PCR ID. However, due to the change that was implemented in commit "7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4", this is no longer the case for PCR14, as the code in "measurefs.go" explicitly updates only the SHA256 instance of PCR14, which means that even if PCR14 were to be added to the list of PCRs sealing/unsealing the "vault" key, changes to the config partition would still not be measured. An attacker could modify the config partition without triggering the measured boot, this could result in the attacker gaining full control over the device with full access to the contents of the encrypted "vault" CVE-2023-43630 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2023-43630.html CVE-2023-43630 On boot, the Pillar eve container checks for the existence and content of "/config/authorized_keys". If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root login. An attacker could easily add their own keys and gain full control over the system without triggering the "measured boot" mechanism implemented by EVE OS, and without marking the device as "UUD" ("Unknown Update Detected"). This is because the "/config" partition is not protected by "measured boot", it is mutable, and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thus not triggering the "measured boot" mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: • aa3501d6c57206ced222c33aea15a9169d629141 • 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot. CVE-2023-43631 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2023-43631.html CVE-2023-43631 As noted in the "VTPM.md" file in the eve documentation, "VTPM is a server listening on port 8877 in EVE, exposing limited functionality of the TPM to the clients. VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options" The communication with this server is done using protobuf, and the data is comprised of 2 parts: 1. Header 2. Data When a connection is made, the server is waiting for 4 bytes of data, which will be the header, and these 4 bytes would be parsed as uint32 size of the actual data to come. Then, in the function "handleRequest" this size is then used in order to allocate a payload on the stack for the incoming data. As this payload is allocated on the stack, this will allow overflowing the stack size allocated for the relevant process with freely controlled data. * An attacker can crash the system. * An attacker can gain control over the system, specifically on the "vtpm_server" process which has very high privileges. CVE-2023-43632 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2023-43632.html CVE-2023-43632 On boot, the Pillar eve container checks for the existence and content of "/config/GlobalConfig/global.json". If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system's configuration, which also includes some debug functions. This could be used to unlock the ssh with custom "authorized_keys" via the "debug.enable.ssh" key, similar to the "authorized_keys" finding that was noted before. Other usages include unlocking the usb to enable the keyboard via the "debug.enable.usb" key, allowing VNC access via the "app.allow.vnc" key, and more. An attacker could easily enable these debug functionalities without triggering the "measured boot" mechanism implemented by EVE OS, and without marking the device as "UUD" ("Unknown Update Detected"). This is because the "/config" partition is not protected by "measured boot", it is mutable and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thereby not triggering the "measured boot" mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: • aa3501d6c57206ced222c33aea15a9169d629141 • 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot. CVE-2023-43633 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2023-43633.html CVE-2023-43633 When sealing/unsealing the "vault" key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was mapped to PCR 13. In that process, PCR 13 was added to the list of PCRs that seal/unseal the key. In commit "56e589749c6ff58ded862d39535d43253b249acf", the config partition measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of PCRs that seal/unseal the key. This change makes the measurement of PCR 14 effectively redundant as it would not affect the sealing/unsealing of the key. An attacker could modify the config partition without triggering the measured boot, this could result in the attacker gaining full control over the device with full access to the contents of the encrypted "vault" CVE-2023-43634 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2023-43634.html CVE-2023-43634 A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action can overwhelm the system's ability to store VM configuration updates, effectively blocking changes to the Virtual Machine Instance (VMI). This allows the VM user to restrict the VM administrator's ability to manage the VM, leading to a denial of service for administrative operations. CVE-2025-14525 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2025-14525.html CVE-2025-14525 https://bugzilla.suse.com/1256434 SUSE Bug 1256434 It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent. CVE-2025-22873 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2025-22873.html CVE-2025-22873 https://bugzilla.suse.com/1242715 SUSE Bug 1242715 The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. CVE-2025-47911 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2025-47911.html CVE-2025-47911 https://bugzilla.suse.com/1251308 SUSE Bug 1251308 The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. CVE-2025-58190 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2025-58190.html CVE-2025-58190 https://bugzilla.suse.com/1251309 SUSE Bug 1251309 A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. CVE-2025-61732 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2025-61732.html CVE-2025-61732 https://bugzilla.suse.com/1257692 SUSE Bug 1257692 unknown CVE-2025-62878 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2025-62878.html CVE-2025-62878 https://bugzilla.suse.com/1253317 SUSE Bug 1253317 unknown CVE-2025-67601 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2025-67601.html CVE-2025-67601 https://bugzilla.suse.com/1254803 SUSE Bug 1254803 During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake. CVE-2025-68121 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2025-68121.html CVE-2025-68121 https://bugzilla.suse.com/1256818 SUSE Bug 1256818 Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the network and overloading the host system memory and cpu. Additionally, there is not a limit applied to the total size of messages being sent or received, allowing a malicious user to open thousands of websocket connections and then send massive volumes of information over the socket, overloading the host network, and causing increased CPU and memory load within Wings. Version 1.12.0 patches the issue. CVE-2025-69199 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2025-69199.html CVE-2025-69199 Directory Traversal vulnerability in Beam beta9 v.0.1.521 allows a remote attacker to obtain sensitive information via the joinCleanPath function. CVE-2025-69820 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2025-69820.html CVE-2025-69820 Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS). CVE-2025-70849 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2025-70849.html CVE-2025-70849 Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content. CVE-2026-0798 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-0798.html CVE-2026-0798 Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing. CVE-2026-1237 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-1237.html CVE-2026-1237 A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) CVE-2026-1580 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-1580.html CVE-2026-1580 Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access. CVE-2026-20736 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-20736.html CVE-2026-20736 Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization. CVE-2026-20750 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-20750.html CVE-2026-20750 Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications. CVE-2026-20800 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-20800.html CVE-2026-20800 Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches. CVE-2026-20883 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-20883.html CVE-2026-20883 Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. CVE-2026-20888 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-20888.html CVE-2026-20888 Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories. CVE-2026-20897 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-20897.html CVE-2026-20897 Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities. CVE-2026-20904 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-20904.html CVE-2026-20904 Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users. CVE-2026-20912 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-20912.html CVE-2026-20912 Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a condition that floods the panel with activity records. After Wings sends activity logs to the panel it deletes the processed activity entries from the wings SQLite database. However, it does not consider the max parameter limit of SQLite, 32766 as of SQLite 3.32.0. If wings attempts to delete more than 32766 entries from the SQLite database in one query, it triggers an error (SQL logic error: too many SQL variables (1)) and does not remove any entries from the database. These entries are then indefinitely re-processed and resent to the panel each time the cron runs. By successfully exploiting this vulnerability, an attacker can trigger a situation where wings will keep uploading the same activity data to the panel repeatedly (growing each time to include new activity) until the panels' database server runs out of disk space. Version 1.12.0 fixes the issue. CVE-2026-21696 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-21696.html CVE-2026-21696 Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy's namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno's admission controller identity, targeting any API path allowed by that ServiceAccount's RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability. CVE-2026-22039 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-22039.html CVE-2026-22039 https://bugzilla.suse.com/1257379 SUSE Bug 1257379 fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. CVE-2026-22808 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-22808.html CVE-2026-22808 External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource. CVE-2026-22822 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-22822.html CVE-2026-22822 Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Fleet's debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege "Observer" role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist as a workaround. CVE-2026-23517 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23517.html CVE-2026-23517 Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. CVE-2026-23518 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23518.html CVE-2026-23518 SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2. CVE-2026-23645 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23645.html CVE-2026-23645 Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0. CVE-2026-23742 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23742.html CVE-2026-23742 Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue. CVE-2026-23829 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23829.html CVE-2026-23829 Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0. CVE-2026-23831 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23831.html CVE-2026-23831 https://bugzilla.suse.com/1257132 SUSE Bug 1257132 Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel="stylesheet" href="...">` tags to inline them for testing. Version 1.28.3 fixes the issue. CVE-2026-23845 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23845.html CVE-2026-23845 SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue.] CVE-2026-23847 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23847.html CVE-2026-23847 File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue. CVE-2026-23849 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23849.html CVE-2026-23849 SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side html-rendering which allows arbitrary file read (LFD). Version 3.5.4 fixes the issue. CVE-2026-23850 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23850.html CVE-2026-23850 SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation. The vulnerability exists in the api/file.go source code. The function globalCopyFiles accepts a list of source paths (srcs) from the JSON request body. While the code checks if the source file exists using filelock.IsExist(src), it fails to validate whether the source path resides within the authorized workspace directory. Version 3.5.4 patches the issue. CVE-2026-23851 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23851.html CVE-2026-23851 Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability. CVE-2026-23881 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23881.html CVE-2026-23881 https://bugzilla.suse.com/1257380 SUSE Bug 1257380 Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g a member of the 'incus' group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container's lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g /tmp). This can be confirmed with a second container with /tmp mounted from the host (A privileged action for validation only). A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication. CVE-2026-23953 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23953.html CVE-2026-23953 https://bugzilla.suse.com/1257141 SUSE Bug 1257141 Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the 'incus' group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication. CVE-2026-23954 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23954.html CVE-2026-23954 https://bugzilla.suse.com/1257146 SUSE Bug 1257146 Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user's browser under the Argo Server origin, enabling API actions with the victim's privileges. Versions 3.6.17 and 3.7.8 fix the issue. CVE-2026-23960 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23960.html CVE-2026-23960 The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. In order to be vulnerable, cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., `email`, `groups`), or configure custom CEL expressions that can evaluate to empty values. After OIDC token claims are processed through CEL expressions, there is no validation that the resulting `username` and `groups` values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions. This can result in privilege escalation, data exposure, and/or information disclosure. Version 0.40.0 patches the issue. CVE-2026-23990 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23990.html CVE-2026-23990 go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available. CVE-2026-23991 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23991.html CVE-2026-23991 https://bugzilla.suse.com/1257079 SUSE Bug 1257079 go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1. CVE-2026-23992 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-23992.html CVE-2026-23992 https://bugzilla.suse.com/1257084 SUSE Bug 1257084 Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3. CVE-2026-24058 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-24058.html CVE-2026-24058 Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. The issue has been fixed in version 1.5.0. To workaround this issue, disable the search endpoint with --enable_retrieve_api=false. CVE-2026-24117 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-24117.html CVE-2026-24117 https://bugzilla.suse.com/1257135 SUSE Bug 1257135 Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1. CVE-2026-24124 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-24124.html CVE-2026-24124 Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow list targets of an ExternalName and allow list via regular expressions. CVE-2026-24470 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-24470.html CVE-2026-24470 A security issue was discovered in ingress-nginx cthe `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) CVE-2026-24512 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-24512.html CVE-2026-24512 A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the `auth-url` annotation may be accessed even when authentication fails. Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component. CVE-2026-24513 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-24513.html CVE-2026-24513 A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingress-nginx controller pod being killed or the node running out of memory. CVE-2026-24514 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-24514.html CVE-2026-24514 go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch. CVE-2026-24686 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-24686.html CVE-2026-24686 https://bugzilla.suse.com/1257350 SUSE Bug 1257350 Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized user to retrieve restricted or sensitive information. Users are recommended to upgrade to version 2.0.0, which fixes the issue. CVE-2026-24735 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-24735.html CVE-2026-24735 gmrtd is a Go library for reading Machine Readable Travel Documents (MRTDs). Prior to version 0.17.2, ReadFile accepts TLVs with lengths that can range up to 4GB, which can cause unconstrained resource consumption in both memory and cpu cycles. ReadFile can consume an extended TLV with lengths well outside what would be available in ICs. It can accept something all the way up to 4GB which would take too many iterations in 256 byte chunks, and would also try to allocate memory that might not be available in constrained environments like phones. Or if an API sends data to ReadFile, the same problem applies. The very small chunked read also locks the goroutine in accepting data for a very large number of iterations. projects using the gmrtd library to read files from NFCs can experience extreme slowdowns or memory consumption. A malicious NFC can just behave like the mock transceiver described above and by just sending dummy bytes as each chunk to be read, can make the receiving thread unresponsive and fill up memory on the host system. Version 0.17.2 patches the issue. CVE-2026-24738 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-24738.html CVE-2026-24738 Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle's agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell in out-of-scope containers (for example, `env=prod`) on the same agent host by directly targeting their container IDs. Version 9.0.3 contains a patch for the issue. CVE-2026-24740 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-24740.html CVE-2026-24740 Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue. CVE-2026-24748 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-24748.html CVE-2026-24748 melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3. CVE-2026-24843 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-24843.html CVE-2026-24843 melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3. CVE-2026-24844 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-24844.html CVE-2026-24844 malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap handleSymlink arguments, validate symlink location, and validate symlink targets that resolve within an extraction directory. CVE-2026-24846 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-24846.html CVE-2026-24846 OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. This allows ".." sequences to bypass path restrictions, enabling users to access other users' files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount. This vulnerability is fixed in 4.1.10. CVE-2026-25059 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-25059.html CVE-2026-25059 OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10. CVE-2026-25060 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-25060.html CVE-2026-25060 apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1. CVE-2026-25121 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-25121.html CVE-2026-25121 apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an attacker-controlled input stream, this can force large gzip inflation work and lead to resource exhaustion (availability impact). The Split function reads the first tar header, then drains the remainder of the gzip stream by reading from the gzip reader directly without any maximum uncompressed byte limit or inflate-ratio cap. A caller that parses attacker-controlled APK streams may be forced to spend excessive CPU time inflating gzip data, leading to timeouts or process slowdown. This issue has been patched in version 1.1.0. CVE-2026-25122 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-25122.html CVE-2026-25122 melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values (series paths, patch filenames, and numeric parameters) into shell scripts without proper quoting or validation, allowing shell metacharacters to break out of their intended context. The vulnerability affects the built-in patch pipeline which can be invoked through melange build and melange license-check operations. An attacker who can control patch-related inputs (e.g., through pull request-driven CI, build-as-a-service, or by influencing melange configurations) can inject shell metacharacters such as backticks, command substitutions $(...), semicolons, pipes, or redirections to execute arbitrary commands with the privileges of the melange build process. This issue has been patched in version 0.40.3. CVE-2026-25143 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-25143.html CVE-2026-25143 melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright[].license-path without validating that paths remain within the workspace directory, allowing path traversal via ../ sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts. This issue has been patched in version 0.40.3. CVE-2026-25145 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-25145.html CVE-2026-25145 Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data. This issue has been patched in version 3.57.0. CVE-2026-25160 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-25160.html CVE-2026-25160 Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount. This issue has been patched in version 3.57.0. CVE-2026-25161 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-25161.html CVE-2026-25161 Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1. CVE-2026-25499 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-25499.html CVE-2026-25499 Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26. CVE-2026-25538 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-25538.html CVE-2026-25538 Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0. CVE-2026-25578 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-25578.html CVE-2026-25578 Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0. CVE-2026-25579 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260403-1/ https://www.suse.com/security/cve/CVE-2026-25579.html CVE-2026-25579