VYPR

rpm package

opensuse/kubevirt1.8&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/kubevirt1.8&distro=openSUSE%20Tumbleweed

Vulnerabilities (9)

  • CVE-2026-9804 | Hig | May 28, 2026
    affected < 1.8.3-1.1 | fixed 1.8.3-1.1

    A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link (symlink) within an exported filesystem Persistent Volume Claim (

  • CVE-2026-33186 | Cri | Mar 20, 2026
    affected < 1.8.3-1.1 | fixed 1.8.3-1.1

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2025-64433 | Nov 7, 2025
    affected < 1.8.3-1.1 | fixed 1.8.3-1.1

    KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod's file system. This issue stems from improper symlink handling when mounting PVC disks into

  • CVE-2025-64437 | Nov 7, 2025
    affected < 1.8.3-1.1 | fixed 1.8.3-1.1

    KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files

  • CVE-2025-22872 | Med | Apr 16, 2025
    affected < 1.8.3-1.1 | fixed 1.8.3-1.1

    The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul

  • CVE-2024-33394 | May 2, 2024
    affected < 1.8.3-1.1 | fixed 1.8.3-1.1

    An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component.

  • CVE-2023-44487 | Hig | KEV | Oct 10, 2023
    affected < 1.8.3-1.1 | fixed 1.8.3-1.1

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2023-26484 | Mar 15, 2023
    affected < 1.8.3-1.1 | fixed 1.8.3-1.1

    KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs. This

  • CVE-2021-43565 | Sep 6, 2022
    affected < 1.8.3-1.1 | fixed 1.8.3-1.1

    The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.