VYPR

rpm package

suse/govulncheck-vulndb&distro=SUSE Linux Enterprise Module for Package Hub 15 SP6

pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6

Vulnerabilities (274)

  • CVE-2025-41115 | Nov 21, 2025
    affected < 0.0.20251209T172047-150000.1.127.1 | fixed 0.0.20251209T172047-150000.1.127.1

    SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vuln

  • CVE-2025-64751 | Nov 21, 2025
    affected < 0.0.20251209T172047-150000.1.127.1 | fixed 0.0.20251209T172047-150000.1.127.1

    OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 (openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper policy enforcemen

  • CVE-2025-13425 | Low | Nov 20, 2025
    affected < 0.0.20251209T172047-150000.1.127.1 | fixed 0.0.20251209T172047-150000.1.127.1

    A bug in the filesystem traversal fallback path causes fs/diriterate/diriterate.go:Next() to overindex an empty slice when ReadDir returns nil for an empty directory, resulting in a panic (index out of range) and an application crash (denial of service) in OSV-SCALIBR.

  • CVE-2025-65026 | Nov 19, 2025
    affected < 0.0.20251209T172047-150000.1.127.1 | fixed 0.0.20251209T172047-150000.1.127.1

    esm.sh is a nobuild content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?modul

  • CVE-2025-65025 | Nov 19, 2025
    affected < 0.0.20251209T172047-150000.1.127.1 | fixed 0.0.20251209T172047-150000.1.127.1

    esm.sh is a nobuild content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths

  • CVE-2025-55074 | Nov 18, 2025
    affected < 0.0.20251209T172047-150000.1.127.1 | fixed 0.0.20251209T172047-150000.1.127.1

    Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects

  • CVE-2025-61725 | High | Oct 29, 2025
    affected < 0.0.20251209T172047-150000.1.127.1 | fixed 0.0.20251209T172047-150000.1.127.1

    The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

  • CVE-2025-61926 | Medium | Oct 9, 2025
    affected < 0.0.20251023T162509-150000.1.110.1 | fixed 0.0.20251023T162509-150000.1.110.1

    Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret. The value used for the secret token was compiled into the

  • CVE-2025-61595 | High | Oct 2, 2025
    affected < 0.0.20251023T162509-150000.1.110.1 | fixed 0.0.20251023T162509-150000.1.110.1

    MANTRA is a purpose-built RWA Layer 1 Blockchain, capable of adherence to real world regulatory requirements. Versions 4.0.1 and below do not enforce the tx gas limit in its send hooks. Send hooks can spend more gas than what remains in tx, combined with recursive calls in the wa

  • CVE-2024-58267 | High | Oct 2, 2025
    affected < 0.0.20251023T162509-150000.1.110.1 | fixed 0.0.20251023T162509-150000.1.110.1

    A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to phishing attacks. The custom authentication protocol for SAML-based providers can be abused to steal Rancher’s authentication tokens.

  • CVE-2024-58260 | High | Oct 2, 2025
    affected < 0.0.20251023T162509-150000.1.110.1 | fixed 0.0.20251023T162509-150000.1.110.1

    A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts.

  • CVE-2025-54468 | Medium | Oct 2, 2025
    affected < 0.0.20251023T162509-150000.1.110.1 | fixed 0.0.20251023T162509-150000.1.110.1

    A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are being sent to an external entity, for example `amazonaws.com`, via the `/meta/proxy` Rancher endpoint. These headers may contain identifiable and/or sensitive information e.g. ema

  • CVE-2025-59538 | Oct 1, 2025
    affected < 0.0.20251023T162509-150000.1.110.1 | fixed 0.0.20251023T162509-150000.1.110.1

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /a

  • CVE-2025-59537 | Oct 1, 2025
    affected < 0.0.20251023T162509-150000.1.110.1 | fixed 0.0.20251023T162509-150000.1.110.1

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to

  • CVE-2025-59531 | Oct 1, 2025
    affected < 0.0.20251023T162509-150000.1.110.1 | fixed 0.0.20251023T162509-150000.1.110.1

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to

  • CVE-2025-55191 | Sep 30, 2025
    affected < 0.0.20251023T162509-150000.1.110.1 | fixed 0.0.20251023T162509-150000.1.110.1

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic

  • CVE-2025-59956 | Sep 29, 2025
    affected < 0.0.20251023T162509-150000.1.110.1 | fixed 0.0.20251023T162509-150000.1.110.1

    AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex. Versions 0.3.3 and below are susceptible to a client-side DNS rebinding attack when hosted over plain HTTP on localhost. An attacker can gain access to the /messages endpoint served by the Agent API. T

  • CVE-2025-59942 | Sep 29, 2025
    affected < 0.0.20251023T162509-150000.1.110.1 | fixed 0.0.20251023T162509-150000.1.110.1

    go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.6 and below, go-f3 panics when it validates a "poison" message, causing Filecoin nodes consuming F3 messages to become vulnerable. A "poison" message can cause integer overflow in the signer

  • CVE-2025-59941 | Sep 29, 2025
    affected < 0.0.20251023T162509-150000.1.110.1 | fixed 0.0.20251023T162509-150000.1.110.1

    go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.8 and below, go-f3's justification verification caching mechanism has a vulnerability where verification results are cached without properly considering the context of the message. An attacker ca

  • CVE-2025-59163 | Low | Sep 29, 2025
    affected < 0.0.20251023T162509-150000.1.110.1 | fixed 0.0.20251023T162509-150000.1.110.1

    vet is an open source software supply chain security tool. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. Data from the vet scan sqlite3 database may be exposed to remote attackers when vet is used as an M

Page 2 of 14