Skip to main content

Libzypp

5 CVEs product

Monthly

CVE-2026-44941 HIGH PATCH This Week

Arbitrary root file write in libzypp before 17.38.12 lets an attacker who can get a victim to add or refresh a malicious software repository overwrite or inject files anywhere on the system as root, because the "keyhint" value in repomd.xml is parsed without rejecting path separators (CWE-23 relative path traversal). Because libzypp performs repository operations with root privileges on SUSE/openSUSE systems, this escalates directly to full host compromise. Publicly available exploit code exists (SSVC=poc); it is not listed in CISA KEV, and EPSS is low (0.49%, 38th percentile), consistent with a targeted rather than mass-exploited flaw.

Path Traversal Libzypp
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-25707 HIGH PATCH This Week

Arbitrary file overwrite in libzypp before 17.38.10 lets a remote attacker who controls a software repository plant crafted repository metadata (repomd/SUSE content files) with '../' location paths that escape the repo root, allowing files anywhere on the system to be overwritten when a victim adds and refreshes that repository. Because zypper-based refresh operations typically run as root, this can escalate to privilege escalation or denial of service. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Privilege Escalation Path Traversal Denial Of Service Libzypp
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-44942 MEDIUM PATCH This Month

Path traversal in libzypp's .repo file processing enables low-privileged network-accessible attackers to write content into arbitrary directories on the host filesystem beyond the intended zypp cache boundary. Affected versions span the 17.x series before 17.38.13 and the 16.x series before 16.22.19, covering systems running SUSE Linux Enterprise and openSUSE derivatives that use zypper as their package manager. The primary real-world impact is disk exhaustion across unexpected filesystem paths, causing a denial of service; no confidentiality impact is attributed in the CVSS assessment. No public exploit or CISA KEV listing has been identified at time of analysis.

Path Traversal Libzypp Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2018-7685 HIGH This Week

The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Libzypp
NVD
CVSS 3.0
7.8
EPSS
0.3%
CVE-2013-3704 MEDIUM This Month

The RPM GPG key import and handling feature in libzypp 12.15.0 and earlier reports a different key fingerprint than the one used to sign a repository when multiple key blobs are used, which might. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Libzypp
NVD
CVSS 2.0
4.3
EPSS
0.5%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary root file write in libzypp before 17.38.12 lets an attacker who can get a victim to add or refresh a malicious software repository overwrite or inject files anywhere on the system as root, because the "keyhint" value in repomd.xml is parsed without rejecting path separators (CWE-23 relative path traversal). Because libzypp performs repository operations with root privileges on SUSE/openSUSE systems, this escalates directly to full host compromise. Publicly available exploit code exists (SSVC=poc); it is not listed in CISA KEV, and EPSS is low (0.49%, 38th percentile), consistent with a targeted rather than mass-exploited flaw.

Path Traversal Libzypp
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Arbitrary file overwrite in libzypp before 17.38.10 lets a remote attacker who controls a software repository plant crafted repository metadata (repomd/SUSE content files) with '../' location paths that escape the repo root, allowing files anywhere on the system to be overwritten when a victim adds and refreshes that repository. Because zypper-based refresh operations typically run as root, this can escalate to privilege escalation or denial of service. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Privilege Escalation Path Traversal Denial Of Service +1
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal in libzypp's .repo file processing enables low-privileged network-accessible attackers to write content into arbitrary directories on the host filesystem beyond the intended zypp cache boundary. Affected versions span the 17.x series before 17.38.13 and the 16.x series before 16.22.19, covering systems running SUSE Linux Enterprise and openSUSE derivatives that use zypper as their package manager. The primary real-world impact is disk exhaustion across unexpected filesystem paths, causing a denial of service; no confidentiality impact is attributed in the CVSS assessment. No public exploit or CISA KEV listing has been identified at time of analysis.

Path Traversal Libzypp Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Libzypp
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The RPM GPG key import and handling feature in libzypp 12.15.0 and earlier reports a different key fingerprint than the one used to sign a repository when multiple key blobs are used, which might. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Libzypp
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy