rpm package
opensuse/agama-web-ui&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/agama-web-ui&distro=openSUSE%20Tumbleweed
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-9277 | Hig | 8.1 | < 21+360.16caae772-44.1 | 21+360.16caae772-44.1 | May 22, 2026 | shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line te | |
| CVE-2026-6402 | Med | 5.3 | < 21+360.16caae772-44.1 | 21+360.16caae772-44.1 | May 12, 2026 | webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers om | |
| CVE-2023-28154 | — | < 9+52-1.1 | 9+52-1.1 | Mar 13, 2023 | Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object. |
- affected < 21+360.16caae772-44.1fixed 21+360.16caae772-44.1
shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line te
- affected < 21+360.16caae772-44.1fixed 21+360.16caae772-44.1
webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers om
- CVE-2023-28154Mar 13, 2023affected < 9+52-1.1fixed 9+52-1.1
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.