VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed

Vulnerabilities (690)

  • CVE-2025-54287Oct 2, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine.

  • CVE-2025-54286Oct 2, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.

  • CVE-2025-59538Oct 1, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /a

  • CVE-2025-59537Oct 1, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to

  • CVE-2025-59531Oct 1, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to

  • CVE-2025-55191Sep 30, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic

  • CVE-2025-59956Sep 29, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex. Versions 0.3.3 and below are susceptible to a client-side DNS rebinding attack when hosted over plain HTTP on localhost. An attacker can gain access to the /messages endpoint served by the Agent API. T

  • CVE-2025-59942Sep 29, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.6 and below, go-f3 panics when it validates a "poison" messages causing Filecoin nodes consuming F3 messages to become vulnerable. A "poison" message can can cause integer overflow in the signer

  • CVE-2025-59941Sep 29, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.8 and below, go-f3's justification verification caching mechanism has a vulnerability where verification results are cached without properly considering the context of the message. An attacker ca

  • CVE-2025-59937Sep 29, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of the mail.Address values when a sender- or recipient address is passed to the corresponding MAIL FROM or RCPT TO commands of the SMTP client, there is a possibil

  • CVE-2025-59163LowSep 29, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    vet is an open source software supply chain security tool. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. Data from the vet scan sqlite3 database may be exposed to remote attackers when vet is used as an M

  • CVE-2025-10954Sep 27, 2025
    affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1

    Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse() function. An attacker can cause a panic by providing crafted input causing a "runtime error: slice bounds out o

  • CVE-2025-59823CriSep 25, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1

  • CVE-2025-59824Sep 24, 2025
    affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1

    Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to version 0.48.0, Omni Wireguard SideroLink has the potential to escape. Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and au

  • CVE-2025-47910MedSep 22, 2025
    affected < 0.0.20250922T204835-1.1fixed 0.0.20250922T204835-1.1

    When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended sec

  • CVE-2025-9081Sep 19, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration

  • CVE-2025-9079Sep 19, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory

  • CVE-2025-10630MedSep 19, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana allowing to visualize monitoring data from Zabbix and create dashboards for analyzing metrics and realtime monitoring.  Versions 5.2.1 and below contained a ReDoS vulner

  • CVE-2025-47906Sep 18, 2025
    affected < 0.0.20250918T182144-1.1fixed 0.0.20250918T182144-1.1

    If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

  • CVE-2025-59410Sep 17, 2025
    affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1

    Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle at

Page 4 of 35