Suse

Cross-site scripting (XSS) in Vikunja prior to version 1.1.0 allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by injecting malicious code into task descriptions that are rendered without sanitization in hover tooltips. An attacker can exploit this by sharing a project and creating a specially crafted task that triggers the vulnerability when other users hover over it. A patch is available in version 1.1.0 and later.

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 4.3).

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 5.4).

Heap corruption in Google Chrome's Ozone component (versions prior to 145.0.7632.45) stems from a use-after-free vulnerability that can be triggered when users interact with malicious HTML pages through specific UI gestures. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. No patch is currently available, leaving affected Chrome users vulnerable to exploitation.

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).

Google Chrome versions prior to 145.0.7632.45 contain a race condition in DevTools that allows remote attackers to corrupt objects by convincing users to perform specific UI interactions and install a malicious extension. An attacker exploiting this vulnerability could achieve high-impact outcomes including information disclosure, data modification, or denial of service. The vulnerability currently has no available patch.

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).

Google Chrome versions before 145.0.7632.45 contain an animation implementation flaw that allows remote attackers to exfiltrate cross-origin data through specially crafted HTML pages. The vulnerability requires user interaction to trigger and affects all Chrome users, potentially exposing sensitive information from other websites. No patch is currently available.

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).

Out of bounds memory access in Google Chrome's WebGPU implementation prior to version 145.0.7632.45 allows unauthenticated attackers to trigger memory corruption through a malicious HTML page. This vulnerability requires user interaction but carries high risk due to potential for arbitrary code execution or information disclosure. No patch is currently available.

Heap buffer overflow in Google Chrome's codec implementation prior to version 145.0.7632.45 enables remote attackers to corrupt heap memory and potentially achieve arbitrary code execution through a malicious HTML page. The vulnerability requires user interaction to visit a crafted webpage but does not require special privileges, affecting all Chrome users. No patch is currently available.

Heap corruption in Google Chrome's CSS engine prior to version 145.0.7632.45 can be triggered through crafted HTML pages, enabling remote attackers to achieve arbitrary code execution without user interaction beyond viewing a malicious webpage. The vulnerability stems from a use-after-free memory flaw that affects all Chrome users, and currently no patch is available. With a CVSS score of 8.8 and low exploit difficulty, this represents a critical risk to active Chrome installations.

Unsafe deserialization in DiskCache Python library through 5.6.3. Uses pickle by default, allowing attackers with cache directory write access to execute arbitrary code.

Roundcube Webmail versions up to 1.5.13 is affected by inclusion of functionality from untrusted control sphere (CVSS 4.7).

Python's cryptography library prior to version 46.0.5 fails to validate that elliptic curve public key points belong to the expected prime-order subgroup, allowing attackers to supply crafted keys from small-order subgroups. This validation gap enables attackers to extract sensitive information about a victim's private key during ECDH key exchange or compromise ECDSA signature verification. Developers using affected key loading or generation functions should update to the patched version immediately.

Buffer overflow in MUNGE authentication daemon (versions 0.5 to 0.5.17) allows local attackers to extract cryptographic key material from memory, enabling forgery of credentials to impersonate any user on systems relying on MUNGE for authentication. By sending a crafted message with an oversized address length field, an attacker can corrupt the daemon's internal state and retrieve the MAC subkey used for credential verification. The vulnerability affects Debian Linux and other distributions packaging affected MUNGE versions; patching to 0.5.18 or later is available.

Out-of-bounds heap buffer reads in libpng versions prior to 1.6.55 can be triggered through the png_set_quantize() function when processing specially crafted PNG images with specific palette configurations, potentially causing denial of service or information disclosure. Public exploit code exists for this vulnerability, affecting applications that use libpng to process untrusted PNG files. A patch is available in version 1.6.55 and later.

An issue inTcpreplay v4.5.1 allows a local attacker to cause a denial of service via a crafted file to the tcpedit_dlt_getplugin function at src/tcpedit/plugins/dlt_utils.c. [CVSS 5.5 MEDIUM]

A vulnerability was found in ckolivas lrzip up to 0.651. This impacts the function lzma_decompress_buf of the file stream.c. [CVSS 5.3 MEDIUM]

Corrupted Git pack and index files are not properly validated in go-git versions before 5.16.5, allowing an attacker to supply malicious packfiles that bypass integrity checks and cause go-git to consume corrupted data. This can result in unexpected application errors and denial of service conditions for any system using the vulnerable go-git library to fetch or process Git repositories. The vulnerability requires user interaction to fetch from a malicious or compromised Git source.

Adminer versions 5.4.1 and earlier suffer from a post-message validation bypass that allows remote attackers to trigger denial of service affecting all users. By sending a crafted POST request with array parameters to the version endpoint, an attacker can cause openssl_verify() to receive malformed input, resulting in a TypeError that crashes the application and returns HTTP 500 errors. Public exploit code exists for this vulnerability; administrators should upgrade to version 5.4.2 immediately.

Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictions by injecting multiple slashes into request URLs, enabling unauthorized access to files designated as restricted. The vulnerability exploits a mismatch between the authorization validation logic and filesystem path resolution, affecting users running vulnerable versions. Public exploit code exists for this high-severity issue.

Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password due to case-sensitive validation logic that can be bypassed using mixed-case field names in API requests. An attacker with a valid JWT token obtained through XSS, session hijacking, or similar means could exploit this to perform account takeover. Public exploit code exists for this vulnerability, and a patch is available.

Memory exhaustion in Sliver C2 framework prior to version 1.7.0 allows unauthenticated remote attackers to bypass OTP validation in the DNS listener and create unbounded server-side sessions without expiry mechanisms. Public exploit code exists for this vulnerability, enabling attackers to repeatedly allocate sessions and exhaust server memory resources. The DNS C2 listener accepts bootstrap messages without proper authentication even when OTP enforcement is enabled.

Faraday HTTP client library versions before 2.14.1 fail to properly validate protocol-relative URLs when merging user-supplied paths with base URLs, allowing attackers to redirect requests to arbitrary hosts via SSRF attacks. Applications that pass untrusted input to Faraday request methods like get() or post() are vulnerable to request hijacking. A patch is available in version 2.14.1 and later.

FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the audio playback subsystem where the RDPSND async thread processes queued audio packets after the channel has been closed and its internal state freed, causing a denial of service. The vulnerability affects systems running vulnerable FreeRDP versions and can be exploited remotely without authentication or user interaction. A patch is available in FreeRDP 3.22.0 and later.

FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the input event handling mechanism where unsynchronized access to cached channel callbacks can be freed or reinitialized by concurrent channel closure operations. An attacker with network access can trigger a denial of service condition by exploiting this race condition. A patch is available in version 3.22.0 and later.

FreeRDP versions prior to 3.22.0 contain a buffer management error in audio format parsing that causes out-of-bounds memory access when processing malformed audio data. An attacker can exploit this vulnerability over the network without authentication to trigger a denial of service condition. A patch is available in FreeRDP 3.22.0 and later.

FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the URBDRC channel handler where asynchronous bulk transfer completions reference freed memory after channel closure, enabling denial of service attacks. An unauthenticated remote attacker can trigger this condition through malformed RDP protocol messages to crash the FreeRDP service. A patch is available in version 3.22.0 and later.

FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in pointer handling where sdl_Pointer_New and sdl_Pointer_Free both attempt to free the same memory, causing a denial of service condition. An attacker with network access can trigger this memory corruption to crash RDP client instances without authentication. The vulnerability affects all users of vulnerable FreeRDP versions and is resolved in version 3.22.0 and later.

FreeRDP prior to 3.22.0 has a heap buffer overflow in the URBDRC USB redirection client enabling RCE through malicious RDP servers.

FreeRDP versions prior to 3.22.0 are vulnerable to a use-after-free condition in the ecam_channel_write function when a capture thread attempts to write samples through a freed device channel callback. An unauthenticated remote attacker can exploit this vulnerability to cause a denial of service by crashing the affected system. A patch is available in version 3.22.0 and later.

FreeRDP prior to 3.22.0 has a use-after-free in ecam_encoder_compress allowing malicious RDP servers to crash or execute code on clients.

FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in audio format renegotiation that allows unauthenticated attackers to cause denial of service by triggering a crash through audio processing. The vulnerability occurs when the AUDIN format list is freed during renegotiation while the capture thread continues accessing the freed memory, affecting any system running vulnerable FreeRDP instances. A patch is available in version 3.22.0 and later.

FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the libusb device interface selection code where error handling prematurely frees configuration data that subsequent code attempts to access, causing denial of service. This vulnerability affects systems using FreeRDP for remote desktop protocol operations and can be triggered remotely without authentication or user interaction. A patch is available in version 3.22.0 and later.

FreeRDP versions prior to 3.22.0 are vulnerable to a use-after-free condition where the video_timer component sends notifications after the control channel closes, dereferencing freed memory and causing denial of service. An unauthenticated remote attacker can trigger this crash by manipulating RDP session timing, making the vulnerability exploitable with no user interaction required. A patch is available in FreeRDP 3.22.0 and later.

FreeRDP proxy versions prior to 3.22.0 are vulnerable to denial of service when processing specially crafted RDP server responses that trigger a null pointer dereference in the logon information handler. An unauthenticated attacker controlling a malicious RDP server can crash the FreeRDP proxy by sending a LogonInfoV2 PDU with empty domain or username fields. This vulnerability has been patched in version 3.22.0 and later.

Go Fiber web framework before 2.52.11 has a weak PRNG vulnerability (on Go < 1.24) that makes session tokens predictable, enabling session hijacking.

Crafted zones can lead to increased incoming network traffic. [CVSS 5.3 MEDIUM]

DNS recursive resolver denial-of-service via crafted zones and CNAME chain manipulation allows unauthenticated attackers to exhaust server resources and potentially poison the resolver's cache. The vulnerability affects Recursor instances exposed to untrusted DNS queries, enabling attackers to degrade performance or compromise DNS resolution integrity. No patch is currently available.

Crafted delegations or IP fragments can poison cached delegations in Recursor. [CVSS 6.5 MEDIUM]

Crafted delegations or IP fragments can poison cached delegations in Recursor. [CVSS 8.2 HIGH]

Roundcube Webmail versions before 1.5.13 and 1.6.x before 1.6.13 fail to block SVG feImage elements when the "Block remote images" security feature is enabled, allowing attackers to bypass the protection and load remote content. This remote image bypass could enable tracking, information disclosure, or facilitate phishing attacks against users who rely on this feature to prevent remote content loading. No patch is currently available for this medium-severity vulnerability.

jsonpath library before 1.2.0 has an arbitrary code injection vulnerability via unsafe use of eval-like constructs in JSONPath expressions.

Improper authorization in WukongCRM up to version 11.3.3 allows authenticated remote attackers to manipulate URL handling logic and bypass access controls. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The flaw affects the PermissionServiceImpl component and enables attackers to gain unauthorized access to restricted functionality.

Antrea Kubernetes networking has an authentication bypass enabling unauthorized access to the Kubernetes network policy infrastructure.

Nebula is a scalable overlay networking tool. [CVSS 8.1 HIGH]

Heap buffer overflow in Vim's tag file resolution allows local attackers with user privileges to corrupt heap memory and crash the application or potentially execute code by supplying a malicious 'helpfile' option value. The vulnerability exists in the get_tagfname() function which fails to validate the length of user-controlled input before copying it into a fixed-size buffer. Public exploit code exists for this issue affecting Vim prior to version 9.1.2132, though a patch is available.

Authenticated operators in Sliver C2 framework versions prior to 1.6.11 can read arbitrary files on the server through a path traversal vulnerability in the website content subsystem, potentially exposing sensitive credentials, configurations, and cryptographic keys. Public exploit code exists for this vulnerability. The issue is resolved in version 1.6.11 and later.

calibre is an e-book manager. [CVSS 7.8 HIGH]

Calibre 9.1.0 and earlier contains a path traversal vulnerability in EPUB conversion that allows malicious EPUB files to corrupt or modify arbitrary files writable by the Calibre process. The vulnerability exploits improper handling of CipherReference URIs in encryption metadata, enabling attackers to write outside the intended extraction directory. Public exploit code exists for this high-severity issue, which is patched in version 9.2.0.

Remote code execution in Calibre prior to version 9.2.0 through a path traversal flaw in the CHM reader allows local attackers to write arbitrary files with user permissions, enabling payload execution via the Windows Startup folder. Public exploit code exists for this vulnerability. Windows users should upgrade to Calibre 9.2.0 or later to remediate the risk.

The Rust time library versions 0.3.6 through 0.3.46 are vulnerable to denial of service through stack exhaustion when processing maliciously crafted RFC 2822 formatted input. An unauthenticated attacker can trigger recursive parsing of deprecated RFC 2822 features to exhaust stack memory and crash applications using affected versions. A patch implementing recursion depth limits is available in version 0.3.47 and later.

Keylime attestation framework since version 7.12.0 has a TLS authentication flaw where the registrar doesn't enforce client-side certificate validation.

Unauthenticated attackers can bypass public link scope verification in OpenCloud Reva versions prior to 2.42.3 and 2.40.3 through a flaw in GRPC authorization middleware. By exploiting the archiver service, an attacker can create archives containing all resources accessible to the public link creator, resulting in unauthorized information disclosure. A patch is available in versions 2.42.3 and 2.40.3.

Improper policy enforcement in OpenFGA versions 1.8.5 through 1.11.2 (and corresponding Helm Chart and Docker releases) allows authenticated users to bypass authorization checks through specially crafted tuple configurations that mix type-bound public and non-public access policies. An attacker with valid credentials can exploit mismatched tuple assignments to gain unauthorized access to protected resources by leveraging lexicographic object ID ordering in the authorization engine. No patch is currently available.

Arbitrary file deletion in Gogs 0.13.3 and earlier allows authenticated repository contributors to exploit a path traversal flaw in the wiki page update function, enabling deletion of arbitrary files on the affected server. An attacker with wiki write access can manipulate the old_title parameter to traverse the filesystem and remove critical files. No patch is currently available for this high-severity vulnerability (CVSS 8.1).

Gogs versions 0.13.3 and earlier are vulnerable to arbitrary file read and write operations through path traversal in the Git hook editing functionality, affecting self-hosted installations. An authenticated attacker with high privileges can exploit this vulnerability to access or modify files outside the intended directory. Public exploit code exists for this vulnerability, and no patch is currently available.

Gogs versions 0.13.3 and earlier fail to enforce write permissions on the repository contents endpoint, allowing attackers with read-only access to modify files, create commits, and execute git push operations. An authenticated user possessing only read permissions can bypass authorization checks and gain unauthorized write access to repository contents. This affects self-hosted Gogs instances and has no patch currently available for affected versions.

Denial of service in Gogs 0.13.3 and earlier allows authenticated users to crash the application by deleting repository files before synchronization. Public exploit code exists for this vulnerability, affecting self-hosted Git service deployments. A patch is available in versions 0.13.4 and 0.14.0+dev.

Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. [CVSS 7.6 HIGH]

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. [CVSS 8.8 HIGH]

MuPDF versions 1.23.0 through 1.27.0 are vulnerable to a double-free memory corruption flaw in the display list rendering function that can be triggered through crafted barcode input during exception handling. Applications using MuPDF's barcode decoding feature can crash or potentially experience heap corruption when processing specially crafted files. Public exploit code exists for this vulnerability, and a patch is available.

Gogs self-hosted Git service v0.13.3 has a command injection vulnerability enabling remote code execution through crafted repository operations.

Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connection link that, when visited, renders the attacker's display name without proper sanitization. [CVSS 7.7 HIGH]

Use-after-free memory corruption in mruby up to version 3.4.0 within the JMPNOT-to-JMPIF optimization logic allows local attackers with user-level privileges to corrupt memory and potentially execute arbitrary code. Public exploit code exists for this vulnerability, and a patch is available. Affected systems should apply the available security update promptly.

Command execution in pgAdmin 4 server mode allows authenticated attackers to bypass restore operation restrictions by extracting the restrict key during PLAIN-format dump file operations and injecting malicious payloads to re-enable meta-commands. An attacker with web interface access can race the restore process in real time to achieve reliable code execution on the pgAdmin host. No patch is currently available for this vulnerability.

Critical certificate validation bypass in Go crypto/tls during session resumption. If ClientCAs or RootCAs fields are mutated between creating the config and resuming a session, the TLS stack uses the modified trust store, potentially accepting certificates from unintended CAs. CVSS 10.0, PoC available, patch available.

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. [CVSS 5.3 MEDIUM]

Html contains a vulnerability that allows attackers to denial of service (DoS) if an attacker provides specially crafted HTML content (CVSS 5.3).

Dnsmasq-utils 2.79-1 contains a buffer overflow vulnerability in the dhcp_release utility that allows attackers to cause a denial of service by supplying excessive input. [CVSS 5.5 MEDIUM]

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. [CVSS 8.6 HIGH]

Navidrome versions prior to 0.60.0 allow authenticated users to trigger denial of service by requesting image resizing with extremely large parameters, causing uncontrolled memory allocation and potential disk exhaustion. Public exploit code exists for this vulnerability, which can crash the server process via the OOM killer or fill the cache directory with massive files. An attacker with valid credentials can achieve complete service outage without administrative privileges.

Navidrome versions before 0.60.0 contain a stored cross-site scripting vulnerability in song comment metadata that allows attackers to inject malicious scripts and steal user credentials when victims view affected music files. Public exploit code exists for this vulnerability. Administrators should upgrade to version 0.60.0 or later to remediate the risk.

Devtron is an open source tool integration platform for Kubernetes. [CVSS 8.8 HIGH]

Denial-of-service in cert-manager versions 1.18.0-1.18.4 and 1.19.0-1.19.2 allows network-adjacent attackers to crash the controller by poisoning DNS cache entries during ACME DNS-01 validation through unencrypted DNS traffic interception. An attacker positioned to intercept DNS queries from the cert-manager pod can inject malicious DNS responses that trigger a panic in the controller, disrupting certificate management operations in affected Kubernetes clusters. A patch is available for immediate deployment.

The Terraform/OpenTofu Proxmox Provider prior to version 0.93.1 contains a path traversal vulnerability in its SSH sudoer configuration documentation that permits attackers to escape directory restrictions using ../ sequences and modify arbitrary files on the system. Public exploit code exists for this vulnerability, affecting users who implement the documented SSH configuration. The vulnerability has been patched in version 0.93.1 and a fix is available.

Path traversal in Alist prior to version 3.57.0 allows authenticated users to manipulate filename parameters and bypass directory restrictions within the same storage mount. Attackers can exploit this vulnerability to perform unauthorized file operations including deletion, movement, and copying across user boundaries. Public exploit code exists for this vulnerability.

Alist file manager has an improper certificate validation vulnerability allowing MITM attacks that could compromise file operations and stored credentials.

Melange versions 0.14.0 through 0.40.2 allow local attackers with configuration file control to read arbitrary files from the host system through path traversal in license file path validation, potentially exfiltrating sensitive data embedded in generated SBOMs. This vulnerability affects build pipeline scenarios where configuration is user-controlled, such as pull request-driven CI or build-as-a-service environments. A patch is available in version 0.40.3.

Melange versions 0.10.0 through 0.40.2 allow unauthenticated command injection through the patch pipeline, enabling attackers to execute arbitrary shell commands on build hosts by injecting shell metacharacters into patch-related inputs such as series paths and filenames. This vulnerability affects users who build APK packages using melange build or melange license-check operations, particularly in CI/CD environments where build inputs may be controlled by untrusted sources. A patch is available in version 0.40.3 and later.

melange allows users to build apk packages using declarative pipelines. [CVSS 7.9 HIGH]

Melange versions 0.11.3 through 0.40.2 suffer from a path traversal vulnerability in the retrieveWorkspace function that fails to validate tar entry paths, allowing an attacker with control over a QEMU guest VM's tar stream to write arbitrary files outside the intended workspace directory on the host system. An attacker exploiting this vulnerability could achieve arbitrary file write capabilities on the host machine, potentially leading to system compromise. A patch is available in version 0.40.3 and later.

Apko versions 0.14.8 through 1.1.0 are vulnerable to denial of service when processing APK packages from untrusted repositories due to missing decompression limits in the ExpandApk function. An attacker controlling a compromised APK repository can provide a malicious small, highly-compressed package that expands into a massive tar stream, exhausting disk space and CPU resources on the build host. The vulnerability affects Golang and Apko products and has been patched in version 1.1.1.

Resource exhaustion in Apko versions 0.14.8 through 1.0.x allows local attackers to cause denial of service by supplying a malicious APK archive with excessive gzip-compressed data that forces unbounded decompression work. The expandapk.Split function fails to impose limits on gzip inflation, enabling attackers to exhaust CPU resources and trigger process timeouts when parsing attacker-controlled APK streams. This issue is resolved in version 1.1.0.

Apko versions up to 1.1.1 contains a vulnerability that allows attackers to build and publish OCI container images built from apk packages (CVSS 7.5).

A race condition in the Linux kernel's SCSI error handling mechanism can prevent the error handler from being properly awakened when concurrent command completions occur, causing I/O operations to hang indefinitely. A local attacker with low privileges can trigger this condition through timing-sensitive operations to cause a denial of service. No patch is currently available for this vulnerability.

A denial of service vulnerability in the Linux kernel's writeback mechanism allows local users with standard privileges to cause indefinite hangs in wait_sb_inodes() when interacting with faulty FUSE servers that fail to respond to write requests. The vulnerability stems from improper handling of mappings without data integrity semantics, which should be skipped during synchronization operations but are instead waited upon indefinitely. An attacker controlling a malfunctioning FUSE server can exploit this to freeze system operations that depend on filesystem synchronization.

The Linux kernel USB CAN driver (usb_8dev) fails to properly manage URB memory when USB transfers complete, allowing a local attacker with user privileges to trigger a memory leak and cause a denial of service through resource exhaustion. The vulnerability occurs because completed URBs are unanchored by the USB framework before the callback function executes, preventing proper cleanup during driver shutdown. No patch is currently available for this issue.

In the Linux kernel, the following vulnerability has been resolved: net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag This is more of a preventive patch to make the code more consistent and to prevent possible exploits that employ child qlen manipulations on qfq.