VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Leap 15.6

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6

Vulnerabilities (869)

  • CVE-2025-15558 (Mar 4, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are

  • CVE-2025-62879 (Mar 4, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    A vulnerability has been identified within the Rancher Backup Operator, resulting in the leakage of S3 tokens (both accessKey and secretKey) into the rancher-backup-operator pod's logs.

  • CVE-2026-3351 (Mar 3, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.

  • CVE-2026-28407 (Feb 27, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior to version 1.21.0, malcontent would remove nested archives which failed to extract which could potentially leave malicious content. A better approach is to pres

  • CVE-2026-28406 (Feb 27, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in version 1.25.4 and prior to version 1.25.10, kaniko unpacks build context archives using `filepath.Join(dest, cleanedName)` without enforcing that the final path st

  • CVE-2026-28268 (Feb 27, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    Vikunja is an open-source self-hosted task management platform. In versions prior to 2.1.0, a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upo

  • CVE-2026-27734 (Feb 27, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "container" query parameter to the agent without validation. The agent constructs Dock

  • CVE-2026-28280 (Feb 26, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    osctrl is an osquery management solution. Prior to version 0.5.0, a stored cross-site scripting (XSS) vulnerability exists in the `osctrl-admin` on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parameter when running an on-de

  • CVE-2026-28279 (Feb 26, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing e

  • CVE-2026-27141, severity High (Feb 26, 2026)
    affected: < 0.0.20260226T182644-150000.1.149.1; fixed: 0.0.20260226T182644-150000.1.149.1

    Due to a missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic.

  • CVE-2026-27465 (Feb 26, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calend

  • CVE-2026-25963 (Feb 26, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. Fleet

  • CVE-2026-23999 (Feb 26, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentia

  • CVE-2026-24004 (Feb 26, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices

  • CVE-2026-22728, severity Medium (Feb 26, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation (/v1/rotate) flow. The rotation handler derives the sealing scope for the newly encrypted output from untrusted spec.template.metadata.annotations present in the input SealedSecret. By subm

  • CVE-2026-27969 (Feb 26, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest — which may be files th

  • CVE-2026-27965 (Feb 26, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is later executed when that ba

  • CVE-2026-27896, severity High (Feb 26, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method",

  • CVE-2026-27900 (Feb 26, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, and object storage data in debug logs without redaction. Provider debug logging is not enabled by default. This issue is exposed when debug/provi

  • CVE-2026-27899 (Feb 26, 2026)
    affected: < 0.0.20260317T205859-150000.1.152.1; fixed: 0.0.20260317T205859-150000.1.152.1

    WireGuard Portal (or wg-portal) is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with `"IsAdmin": true`

Page 14 of 44