VYPR

rpm package

opensuse/mcphost&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/mcphost&distro=openSUSE%20Tumbleweed

Vulnerabilities (17)

  • CVE-2026-42506, Medium, May 22, 2026
    affected < 0.34.0-8.1, fixed 0.34.0-8.1

    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

  • CVE-2026-42502, Medium, May 22, 2026
    affected < 0.34.0-8.1, fixed 0.34.0-8.1

    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

  • CVE-2026-39821, Critical, May 22, 2026
    affected < 0.34.0-7.1, fixed 0.34.0-7.1

    The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in program

  • CVE-2026-27136, Medium, May 22, 2026
    affected < 0.34.0-8.1, fixed 0.34.0-8.1

    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

  • CVE-2026-25681, Medium, May 22, 2026
    affected < 0.34.0-8.1, fixed 0.34.0-8.1

    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

  • CVE-2026-25680, Medium, May 22, 2026
    affected < 0.34.0-8.1, fixed 0.34.0-8.1

    Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

  • CVE-2026-39835, Medium, May 22, 2026
    affected < 0.34.0-5.1, fixed 0.34.0-5.1

    SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

  • CVE-2026-39832, Critical, May 22, 2026
    affected < 0.34.0-5.1, fixed 0.34.0-5.1

    When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now

  • CVE-2026-39831, Critical, May 22, 2026
    affected < 0.34.0-5.1, fixed 0.34.0-5.1

    The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the

  • CVE-2026-39827, Medium, May 22, 2026
    affected < 0.34.0-5.1, fixed 0.34.0-5.1

    An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state

  • CVE-2026-33814, High, May 7, 2026
    affected < 0.34.0-5.1, fixed 0.34.0-5.1

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-32285, High, Mar 26, 2026
    affected < 0.34.0-1.1, fixed 0.34.0-1.1

    The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

  • CVE-2026-33186, Critical, Mar 20, 2026
    affected < 0.34.0-1.1, fixed 0.34.0-1.1

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2025-47914, Nov 19, 2025
    affected < 0.32.0-1.1, fixed 0.32.0-1.1

    SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

  • CVE-2025-58181, Nov 19, 2025
    affected < 0.32.0-1.1, fixed 0.32.0-1.1

    SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

  • CVE-2025-47913, Nov 13, 2025
    affected < 0.32.0-1.1, fixed 0.32.0-1.1

    SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

  • CVE-2025-30153, High, Mar 19, 2025
    affected < 0.34.0-1.1, fixed 0.34.0-1.1

    kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system