VYPR

rpm package

opensuse/warewulf4&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/warewulf4&distro=openSUSE%20Tumbleweed

Vulnerabilities (7)

  • CVE-2026-39821CriMay 22, 2026
    affected < 4.7.0-1.1fixed 4.7.0-1.1

    The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in program

  • CVE-2026-33814HigMay 7, 2026
    affected < 4.7.0-1.1fixed 4.7.0-1.1

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-34986HigApr 6, 2026
    affected < 4.7.0-2.1fixed 4.7.0-2.1

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2025-69725MedFeb 19, 2026
    affected < 4.6.5-2.1fixed 4.6.5-2.1

    An Open Redirect vulnerability in the go-chi/chi >=5.2.2 RedirectSlashes function allows remote attackers to redirect victim users to malicious websites using the legitimate website domain.

  • CVE-2025-58058MedAug 28, 2025
    affected < 4.6.4-1.1fixed 4.6.4-1.1

    xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the

  • CVE-2025-22870MedMar 12, 2025
    affected < 4.6.0-2.1fixed 4.6.0-2.1

    Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

  • CVE-2025-22869Feb 26, 2025
    affected < 4.6.0-2.1fixed 4.6.0-2.1

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.