VYPR

rpm package

opensuse/govulncheck-vulndb&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed

Vulnerabilities (690)

  • CVE-2025-59358Sep 15, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.

  • CVE-2025-9072Sep 15, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled

  • CVE-2025-9084Sep 15, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs

  • CVE-2025-9078Sep 15, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks

  • CVE-2025-9076Sep 15, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Matterm

  • CVE-2025-54376HigSep 10, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream rea

  • CVE-2025-54123Sep 10, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection vulnerability at `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization in user input. The vul

  • CVE-2025-58063HigSep 9, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    CoreDNS is a DNS server that chains plugins. Starting in version 1.2.0 and prior to version 1.12.4, the CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling DNS cache pinning attacks. This effectively creates a Do

  • CVE-2025-58430Sep 9, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows

  • CVE-2025-58450CriSep 8, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    pREST (PostgreSQL REST), is an API that delivers an application on top of a Postgres database. SQL injection is possible in versions prior to 2.0.0-rc3. The validation present in versions prior to 2.0.0-rc3 does not provide adequate protection from injection attempts. Version 2.0

  • CVE-2025-58445Sep 6, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target k

  • CVE-2025-58437Sep 6, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a use

  • CVE-2025-9566HigSep 5, 2025
    affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1

    There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only

  • CVE-2025-7445MedSep 5, 2025
    affected < 0.0.20250917T170349-1.1fixed 0.0.20250917T170349-1.1

    Kubernetes secrets-store-sync-controller in versions before 0.0.2 discloses service account tokens in logs.

  • CVE-2025-55190Sep 4, 2025
    affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (

  • CVE-2025-58355HigSep 4, 2025
    affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1

    Soft Serve is a self-hostable Git server for the command line. In versions 0.9.1 and below, attackers can create or override arbitrary files with uncontrolled data through its SSH API. This issue is fixed in version 0.10.0.

  • CVE-2025-56761Sep 3, 2025
    affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1

    Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges

  • CVE-2025-56760Sep 3, 2025
    affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1

    When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.

  • CVE-2024-58259HigSep 2, 2025
    affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1

    A vulnerability has been identified within Rancher Manager in which it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. This allows a malicious user to exploit this by sending excessively large payloads, which are f

  • CVE-2024-52284HigSep 2, 2025
    affected < 0.0.20250908T141310-1.1fixed 0.0.20250908T141310-1.1

    Unauthorized disclosure of sensitive data: Any user with `GET` or `LIST` permissions on `BundleDeployment` resources could retrieve Helm values containing credentials or other secrets.

Page 6 of 35