rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Leap 15.6
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
Vulnerabilities (869)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34386 | High | 8.8 | | < 0.0.20260402T184258-150000.1.158.1 | 0.0.20260402T184258-150000.1.158.1 | Mar 27, 2026 | Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive dat |
| CVE-2026-34385 | High | 8.1 | | < 0.0.20260402T184258-150000.1.158.1 | 0.0.20260402T184258-150000.1.158.1 | Mar 27, 2026 | Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, |
| CVE-2026-29180 | High | 8.8 | | < 0.0.20260402T184258-150000.1.158.1 | 0.0.20260402T184258-150000.1.158.1 | Mar 27, 2026 | Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker g |
| CVE-2026-26061 | High | 7.5 | | < 0.0.20260402T184258-150000.1.158.1 | 0.0.20260402T184258-150000.1.158.1 | Mar 27, 2026 | Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, c |
| CVE-2026-26060 | High | 8.8 | | < 0.0.20260402T184258-150000.1.158.1 | 0.0.20260402T184258-150000.1.158.1 | Mar 27, 2026 | Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet's password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reuse |
| CVE-2026-33748 | High | 7.5 | | < 0.0.20260402T184258-150000.1.158.1 | 0.0.20260402T184258-150000.1.158.1 | Mar 27, 2026 | BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Pos |
| CVE-2026-33433 | High | 8.8 | | < 0.0.20260402T184258-150000.1.158.1 | 0.0.20260402T184258-150000.1.158.1 | Mar 27, 2026 | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical v |
| CVE-2026-32695 | High | 7.7 | | < 0.0.20260402T184258-150000.1.158.1 | 0.0.20260402T184258-150000.1.158.1 | Mar 27, 2026 | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and 3.7.0-ea.2, Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative `rule |
| CVE-2026-33758 | — | — | | < 0.0.20260326T203309-150000.1.155.2 | 0.0.20260326T203309-150000.1.155.2 | Mar 27, 2026 | OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on |
| CVE-2026-33757 | — | — | | < 0.0.20260326T203309-150000.1.155.2 | 0.0.20260326T203309-150000.1.155.2 | Mar 27, 2026 | OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and p |
| CVE-2026-33747 | High | 8.4 | | < 0.0.20260402T184258-150000.1.158.1 | 0.0.20260402T184258-150000.1.158.1 | Mar 27, 2026 | BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit sta |
| CVE-2026-33729 | Critical | 9.8 | | < 0.0.20260326T203309-150000.1.155.2 | 0.0.20260326T203309-150000.1.155.2 | Mar 27, 2026 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests produci |
| CVE-2026-33726 | Medium | 5.4 | | < 0.0.20260326T203309-150000.1.155.2 | 0.0.20260326T203309-150000.1.155.2 | Mar 27, 2026 | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per- |
| CVE-2026-33638 | Medium | 5.3 | | < 0.0.20260326T203309-150000.1.155.2 | 0.0.20260326T203309-150000.1.155.2 | Mar 26, 2026 | Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user |
| CVE-2026-33623 | Medium | 6.7 | | < 0.0.20260326T203309-150000.1.155.2 | 0.0.20260326T203309-150000.1.155.2 | Mar 26, 2026 | PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Co |
| CVE-2026-33622 | High | 8.8 | | < 0.0.20260326T203309-150000.1.155.2 | 0.0.20260326T203309-150000.1.155.2 | Mar 26, 2026 | PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate |
| CVE-2026-33621 | Medium | 4.8 | | < 0.0.20260326T203309-150000.1.155.2 | 0.0.20260326T203309-150000.1.155.2 | Mar 26, 2026 | PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.7` through `v0.8.4` contain incomplete request-throttling protections for auth-checkable endpoints. In `v0.7.7` through `v0.8.3`, a fully implemented `RateLimitMiddlewar |
| CVE-2026-33620 | Medium | 4.3 | | < 0.0.20260326T203309-150000.1.155.2 | 0.0.20260326T203309-150000.1.155.2 | Mar 26, 2026 | PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.8` through `v0.8.3` accepted the API token from a `token` URL query parameter in addition to the `Authorization` header. When a valid API credential is sent in the URL, |
| CVE-2026-33619 | Medium | 4.1 | | < 0.0.20260326T203309-150000.1.155.2 | 0.0.20260326T203309-150000.1.155.2 | Mar 26, 2026 | PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to `POST /tasks` with a user-controlled `callba |
| CVE-2026-33670 | — | — | | < 0.0.20260326T203309-150000.1.155.2 | 0.0.20260326T203309-150000.1.155.2 | Mar 26, 2026 | SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook. Version 3.6.2 patches the issue. |
Page 2 of 44