rpm package
opensuse/epiphany&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/epiphany&distro=openSUSE%20Tumbleweed
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-3839 | High | 8.0 | | < 48.1-1.1 | 48.1-1.1 | Jan 23, 2026 | A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly w |
| CVE-2023-26081 | — | | | < 43.1-1.1 | 43.1-1.1 | Feb 20, 2023 | In Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords, because autofill occurs in sandboxed contexts. |
| CVE-2022-29536 | — | | | < 42.2-1.1 | 42.2-1.1 | Apr 20, 2022 | In GNOME Epiphany before 41.4 and 42.x before 42.2, an HTML document can trigger a client buffer overflow (in ephy_string_shorten in the UI process) via a long page title. The issue occurs because the number of bytes for a UTF-8 ellipsis character is not properly considered. |
| CVE-2021-45088 | — | | | < 41.2-1.1 | 41.2-1.1 | Dec 16, 2021 | XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an error page. |
| CVE-2021-45085 | — | | | < 41.2-1.1 | 41.2-1.1 | Dec 16, 2021 | XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an about: page, as demonstrated by ephy-about:overview when a user visits an XSS payload page often enough to place that page on the Most Visited list. |
| CVE-2018-11396 | High | 7.5 | | < 40.3-2.1 | 40.3-2.1 | May 23, 2018 | ephy-session.c in libephymain.so in GNOME Web (aka Epiphany) through 3.28.2.1 allows remote attackers to cause a denial of service (application crash) via JavaScript code that triggers access to a NULL URL, as demonstrated by a crafted window.open call. |