rpm package
opensuse/velociraptor&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweed
Vulnerabilities (85)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42039 | Hig | 7.5 | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Apr 24, 2026 | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixe | |
| CVE-2026-34986 | Hig | 7.5 | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Apr 6, 2026 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW | |
| CVE-2026-33487 | Hig | 7.5 | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Mar 26, 2026 | goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mo | |
| CVE-2026-33186 | Cri | 9.1 | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Mar 20, 2026 | gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi | |
| CVE-2026-33036 | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Mar 20, 2026 | fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expa | ||
| CVE-2026-27904 | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Feb 26, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh | ||
| CVE-2026-27606 | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Feb 25, 2026 | Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine a | ||
| CVE-2026-1229 | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Feb 24, 2026 | The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https:// | ||
| CVE-2026-2739 | Med | 5.3 | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Feb 20, 2026 | This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely. | |
| CVE-2026-26996 | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Feb 20, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact | ||
| CVE-2026-26278 | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Feb 19, 2026 | fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML inpu | ||
| CVE-2025-58190 | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Feb 5, 2026 | The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | ||
| CVE-2025-47911 | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Feb 5, 2026 | The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | ||
| CVE-2026-25128 | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Jan 30, 2026 | fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML | ||
| CVE-2025-13465 | Med | 5.3 | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Jan 21, 2026 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin | |
| CVE-2025-58181 | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Nov 19, 2025 | SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. | ||
| CVE-2025-64718 | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Nov 13, 2025 | js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T | ||
| CVE-2025-58058 | Med | 5.3 | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Aug 28, 2025 | xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the | |
| CVE-2025-7783 | Cri | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Jul 18, 2025 | Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3. | |
| CVE-2025-6547 | Cri | — | < 0.7.0.4.git185.a5708584-2.1 | 0.7.0.4.git185.a5708584-2.1 | Jun 23, 2025 | Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2. |
- affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixe
- affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
- affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mo
- affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi
- CVE-2026-33036Mar 20, 2026affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expa
- CVE-2026-27904Feb 26, 2026affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh
- CVE-2026-27606Feb 25, 2026affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine a
- CVE-2026-1229Feb 24, 2026affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://
- affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
- CVE-2026-26996Feb 20, 2026affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact
- CVE-2026-26278Feb 19, 2026affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML inpu
- CVE-2025-58190Feb 5, 2026affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
- CVE-2025-47911Feb 5, 2026affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
- CVE-2026-25128Jan 30, 2026affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML
- affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin
- CVE-2025-58181Nov 19, 2025affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
- CVE-2025-64718Nov 13, 2025affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T
- affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the
- affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
- affected < 0.7.0.4.git185.a5708584-2.1fixed 0.7.0.4.git185.a5708584-2.1
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2.
Page 2 of 5