rpm package
opensuse/heroic-games-launcher&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/heroic-games-launcher&distro=openSUSE%20Tumbleweed
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34601 | Hig | 7.5 | < 2.20.1-5.1 | 2.20.1-5.1 | Apr 2, 2026 | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator | |
| CVE-2026-33036 | — | < 2.20.1-4.1 | 2.20.1-4.1 | Mar 20, 2026 | fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expa | ||
| CVE-2026-28292 | Cri | 9.8 | < 2.20.1-3.1 | 2.20.1-3.1 | Mar 10, 2026 | `simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Ver | |
| CVE-2026-3449 | Low | 3.3 | < 2.20.1-2.1 | 2.20.1-2.1 | Mar 3, 2026 | Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang | |
| CVE-2026-27606 | — | < 2.20.0-2.1 | 2.20.0-2.1 | Feb 25, 2026 | Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine a | ||
| CVE-2026-26278 | — | < 2.20.0-1.1 | 2.20.0-1.1 | Feb 19, 2026 | fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML inpu | ||
| CVE-2026-25547 | Cri | — | < 2.20.0-1.1 | 2.20.0-1.1 | Feb 4, 2026 | @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated nume | |
| CVE-2026-22029 | Hig | 8.0 | < 2.18.1-2.1 | 2.18.1-2.1 | Jan 10, 2026 | React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can res |
- affected < 2.20.1-5.1fixed 2.20.1-5.1
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator
- CVE-2026-33036Mar 20, 2026affected < 2.20.1-4.1fixed 2.20.1-4.1
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expa
- affected < 2.20.1-3.1fixed 2.20.1-3.1
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Ver
- affected < 2.20.1-2.1fixed 2.20.1-2.1
Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang
- CVE-2026-27606Feb 25, 2026affected < 2.20.0-2.1fixed 2.20.0-2.1
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine a
- CVE-2026-26278Feb 19, 2026affected < 2.20.0-1.1fixed 2.20.0-1.1
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML inpu
- affected < 2.20.0-1.1fixed 2.20.0-1.1
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated nume
- affected < 2.18.1-2.1fixed 2.18.1-2.1
React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can res