VYPR

rpm package

opensuse/trivy&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/trivy&distro=openSUSE%20Tumbleweed

Vulnerabilities (56)

  • CVE-2026-34986HigApr 6, 2026
    affected < 0.70.0-1.1fixed 0.70.0-1.1

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-33748HigMar 27, 2026
    affected < 0.70.0-1.1fixed 0.70.0-1.1

    BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Pos

  • CVE-2026-33747HigMar 27, 2026
    affected < 0.70.0-1.1fixed 0.70.0-1.1

    BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit sta

  • CVE-2026-33186CriMar 20, 2026
    affected < 0.70.0-1.1fixed 0.70.0-1.1

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2025-69725MedFeb 19, 2026
    affected < 0.70.0-1.1fixed 0.70.0-1.1

    An Open Redirect vulnerability in the go-chi/chi >=5.2.2 RedirectSlashes function allows remote attackers to redirect victim users to malicious websites using the legitimate website domain.

  • CVE-2026-25934Feb 9, 2026
    affected < 0.70.0-1.1fixed 0.70.0-1.1

    go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files,

  • CVE-2025-58190Feb 5, 2026
    affected < 0.68.2-1.1fixed 0.68.2-1.1

    The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

  • CVE-2025-47911Feb 5, 2026
    affected < 0.68.2-1.1fixed 0.68.2-1.1

    The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

  • CVE-2025-11065MedJan 26, 2026
    affected < 0.67.2-1.1fixed 0.67.2-1.1

    A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data process

  • CVE-2025-64702Dec 11, 2025
    affected < 0.69.0-1.1fixed 0.69.0-1.1

    quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (man

  • CVE-2025-66564Dec 4, 2025
    affected < 0.69.0-1.1fixed 0.69.0-1.1

    Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits t

  • CVE-2025-47914Nov 19, 2025
    affected < 0.68.2-1.1fixed 0.68.2-1.1

    SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

  • CVE-2025-47913Nov 13, 2025
    affected < 0.68.2-1.1fixed 0.68.2-1.1

    SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

  • CVE-2025-58058MedAug 28, 2025
    affected < 0.66.0-1.1fixed 0.66.0-1.1

    xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the

  • CVE-2025-53547Jul 8, 2025
    affected < 0.64.1-1.1fixed 0.64.1-1.1

    Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lo

  • CVE-2025-47291May 21, 2025
    affected < 0.65.0-1.1fixed 0.65.0-1.1

    containerd is an open-source container runtime. A bug was found in the containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put usernamespaced containers under the Kubernetes' cgroup hierarchy, therefore some Kubernetes l

  • CVE-2025-46569HigMay 1, 2025
    affected < 0.65.0-2.1fixed 0.65.0-2.1

    Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query

  • CVE-2025-22872MedApr 16, 2025
    affected < 0.65.0-1.1fixed 0.65.0-1.1

    The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul

  • CVE-2025-30204HigMar 21, 2025
    affected < 0.65.0-1.1fixed 0.65.0-1.1

    golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou

  • CVE-2025-22868Feb 26, 2025
    affected < 0.65.0-1.1fixed 0.65.0-1.1

    An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.