VYPR

rpm package

opensuse/velociraptor&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweed

Vulnerabilities (85)

  • CVE-2026-42039HigApr 24, 2026
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixe

  • CVE-2026-34986HigApr 6, 2026
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-33487HigMar 26, 2026
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mo

  • CVE-2026-33186CriMar 20, 2026
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2026-33036Mar 20, 2026
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expa

  • CVE-2026-27904Feb 26, 2026
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh

  • CVE-2026-27606Feb 25, 2026
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine a

  • CVE-2026-1229Feb 24, 2026
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://

  • CVE-2026-2739MedFeb 20, 2026
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.

  • CVE-2026-26996Feb 20, 2026
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact

  • CVE-2026-26278Feb 19, 2026
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML inpu

  • CVE-2025-58190Feb 5, 2026
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

  • CVE-2025-47911Feb 5, 2026
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

  • CVE-2026-25128Jan 30, 2026
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML

  • CVE-2025-13465MedJan 21, 2026
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin

  • CVE-2025-58181Nov 19, 2025
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

  • CVE-2025-64718Nov 13, 2025
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T

  • CVE-2025-58058MedAug 28, 2025
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the

  • CVE-2025-7783CriJul 18, 2025
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

  • CVE-2025-6547CriJun 23, 2025
    affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1

    Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2.

Page 2 of 5