VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed

Vulnerabilities (690)

  • CVE-2025-49011Jun 6, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated

  • CVE-2025-47950Jun 6, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any lim

  • CVE-2025-48710MedJun 4, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled im

  • CVE-2025-3454MedJun 2, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. Th

  • CVE-2025-29785HigJun 2, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC packet

  • CVE-2025-48495Jun 2, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. Prior

  • CVE-2025-48494Jun 2, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encryption, a stored cross-site scripting vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every t

  • CVE-2025-3260HigJun 2, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless

  • CVE-2025-48949May 30, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the `role` parameter within the API endpoint `/api/artist`. Attackers can exploit this flaw to inject arbitrary SQL

  • CVE-2025-48948May 30, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, includi

  • CVE-2025-48938May 30, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by r

  • CVE-2025-3611May 30, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API

  • CVE-2025-3230May 30, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via contin

  • CVE-2025-2571May 30, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.

  • CVE-2025-1792May 30, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members AP

  • CVE-2025-48865May 30, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwa

  • CVE-2025-47952May 30, 2025
    affected < 0.0.20250529T205903-1.1fixed 0.0.20250529T205903-1.1

    Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a b

  • CVE-2020-36846CriMay 30, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library.  Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a "one-shot" decompression

  • CVE-2025-47933May 29, 2025
    affected < 0.0.20250529T205903-1.1fixed 0.0.20250529T205903-1.1

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacke

  • CVE-2025-3913May 29, 2025
    affected < 0.0.20250612T141001-1.1fixed 0.0.20250612T141001-1.1

    Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /a

Page 13 of 35