rpm package
opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
Vulnerabilities (690)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-54287 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 2, 2025 | Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine. | ||
| CVE-2025-54286 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Oct 2, 2025 | Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication. | ||
| CVE-2025-59538 | — | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Oct 1, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /a | ||
| CVE-2025-59537 | — | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Oct 1, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to | ||
| CVE-2025-59531 | — | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Oct 1, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to | ||
| CVE-2025-55191 | — | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Sep 30, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic | ||
| CVE-2025-59956 | — | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Sep 29, 2025 | AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex. Versions 0.3.3 and below are susceptible to a client-side DNS rebinding attack when hosted over plain HTTP on localhost. An attacker can gain access to the /messages endpoint served by the Agent API. T | ||
| CVE-2025-59942 | — | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Sep 29, 2025 | go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.6 and below, go-f3 panics when it validates a "poison" messages causing Filecoin nodes consuming F3 messages to become vulnerable. A "poison" message can can cause integer overflow in the signer | ||
| CVE-2025-59941 | — | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Sep 29, 2025 | go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.8 and below, go-f3's justification verification caching mechanism has a vulnerability where verification results are cached without properly considering the context of the message. An attacker ca | ||
| CVE-2025-59937 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Sep 29, 2025 | go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of the mail.Address values when a sender- or recipient address is passed to the corresponding MAIL FROM or RCPT TO commands of the SMTP client, there is a possibil | ||
| CVE-2025-59163 | Low | — | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Sep 29, 2025 | vet is an open source software supply chain security tool. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. Data from the vet scan sqlite3 database may be exposed to remote attackers when vet is used as an M | |
| CVE-2025-10954 | — | < 0.0.20251105T184115-1.1 | 0.0.20251105T184115-1.1 | Sep 27, 2025 | Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse() function. An attacker can cause a panic by providing crafted input causing a "runtime error: slice bounds out o | ||
| CVE-2025-59823 | Cri | 9.9 | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Sep 25, 2025 | Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1 | |
| CVE-2025-59824 | — | < 0.0.20251023T162509-1.1 | 0.0.20251023T162509-1.1 | Sep 24, 2025 | Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to version 0.48.0, Omni Wireguard SideroLink has the potential to escape. Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and au | ||
| CVE-2025-47910 | Med | 5.4 | < 0.0.20250922T204835-1.1 | 0.0.20250922T204835-1.1 | Sep 22, 2025 | When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended sec | |
| CVE-2025-9081 | — | < 0.0.20250924T192141-1.1 | 0.0.20250924T192141-1.1 | Sep 19, 2025 | Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration | ||
| CVE-2025-9079 | — | < 0.0.20250924T192141-1.1 | 0.0.20250924T192141-1.1 | Sep 19, 2025 | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory | ||
| CVE-2025-10630 | Med | 4.3 | < 0.0.20250924T192141-1.1 | 0.0.20250924T192141-1.1 | Sep 19, 2025 | Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana allowing to visualize monitoring data from Zabbix and create dashboards for analyzing metrics and realtime monitoring. Versions 5.2.1 and below contained a ReDoS vulner | |
| CVE-2025-47906 | — | < 0.0.20250918T182144-1.1 | 0.0.20250918T182144-1.1 | Sep 18, 2025 | If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. | ||
| CVE-2025-59410 | — | < 0.0.20250924T192141-1.1 | 0.0.20250924T192141-1.1 | Sep 17, 2025 | Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle at |
- CVE-2025-54287Oct 2, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine.
- CVE-2025-54286Oct 2, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.
- CVE-2025-59538Oct 1, 2025affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /a
- CVE-2025-59537Oct 1, 2025affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to
- CVE-2025-59531Oct 1, 2025affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to
- CVE-2025-55191Sep 30, 2025affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic
- CVE-2025-59956Sep 29, 2025affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex. Versions 0.3.3 and below are susceptible to a client-side DNS rebinding attack when hosted over plain HTTP on localhost. An attacker can gain access to the /messages endpoint served by the Agent API. T
- CVE-2025-59942Sep 29, 2025affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.6 and below, go-f3 panics when it validates a "poison" messages causing Filecoin nodes consuming F3 messages to become vulnerable. A "poison" message can can cause integer overflow in the signer
- CVE-2025-59941Sep 29, 2025affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.8 and below, go-f3's justification verification caching mechanism has a vulnerability where verification results are cached without properly considering the context of the message. An attacker ca
- CVE-2025-59937Sep 29, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of the mail.Address values when a sender- or recipient address is passed to the corresponding MAIL FROM or RCPT TO commands of the SMTP client, there is a possibil
- affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
vet is an open source software supply chain security tool. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. Data from the vet scan sqlite3 database may be exposed to remote attackers when vet is used as an M
- CVE-2025-10954Sep 27, 2025affected < 0.0.20251105T184115-1.1fixed 0.0.20251105T184115-1.1
Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse() function. An attacker can cause a panic by providing crafted input causing a "runtime error: slice bounds out o
- affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1
- CVE-2025-59824Sep 24, 2025affected < 0.0.20251023T162509-1.1fixed 0.0.20251023T162509-1.1
Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to version 0.48.0, Omni Wireguard SideroLink has the potential to escape. Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and au
- affected < 0.0.20250922T204835-1.1fixed 0.0.20250922T204835-1.1
When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended sec
- CVE-2025-9081Sep 19, 2025affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration
- CVE-2025-9079Sep 19, 2025affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory
- affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1
Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana allowing to visualize monitoring data from Zabbix and create dashboards for analyzing metrics and realtime monitoring. Versions 5.2.1 and below contained a ReDoS vulner
- CVE-2025-47906Sep 18, 2025affected < 0.0.20250918T182144-1.1fixed 0.0.20250918T182144-1.1
If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
- CVE-2025-59410Sep 17, 2025affected < 0.0.20250924T192141-1.1fixed 0.0.20250924T192141-1.1
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle at
Page 4 of 35