VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Leap 15.6

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6

Vulnerabilities (869)

  • CVE-2026-33990 | Cri | Apr 1, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Prior to version 1.1.25, Docker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the reg

  • CVE-2026-34204 | Hig | Mar 31, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    MinIO is a high-performance object storage system. Prior to version RELEASE.2026-03-26T21-24-40Z, a flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Mi

  • CVE-2026-34042 | Hig | Mar 31, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it including someone anywhere on the internet to create caches with arbitr

  • CVE-2026-34041 | Cri | Mar 31, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted da

  • CVE-2026-34040 | Hig | Mar 31, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.

  • CVE-2026-33997 | Med | Mar 31, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorre

  • CVE-2026-27018 | Hig | Mar 30, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0.

  • CVE-2026-33026 | Cri | Mar 30, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.

  • CVE-2026-33032 | Cri | Mar 30, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware)

  • CVE-2026-33030 | Hig | Mar 30, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application'

  • CVE-2026-33029 | Med | Mar 30, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, an input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval

  • CVE-2026-33028 | Hig | Mar 30, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corr

  • CVE-2026-33027 | Med | Mar 30, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and exe

  • CVE-2026-33907 | Med | Mar 27, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing Authentication Response and Authentication Failure NAS message missing IEs. An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disrup

  • CVE-2026-33906 | Hig | Mar 27, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents. A NetworkManager could replace the production datab

  • CVE-2026-33904 | Med | Mar 27, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, a deadlock in the AMF's SCTP notification handler causes the entire AMF control plane to hang until the process is restarted. An attacker with access to the N2 interface can cause Ella Core to hang, res

  • CVE-2026-33903 | Med | Mar 27, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing a specially crafted NGAP LocationReport message. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected sub

  • CVE-2026-34389 | Med | Mar 27, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a vali

  • CVE-2026-34388 | Hig | Mar 27, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately,

  • CVE-2026-32241 | Hig | Mar 27, 2026
    affected < 0.0.20260402T184258-150000.1.158.1 | fixed 0.0.20260402T184258-150000.1.158.1

    Flannel is a network fabric for containers, designed for Kubernetes. The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. In versions of Flannel prior to 0.28.2, this Extension backend is vulnerable to a command i

Page 1 of 44