Security update for govulncheck-vulndb SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0142-1 Final 1 1 2026-01-17T07:33:48Z current 2026-01-17T07:33:48Z 2026-01-17T07:33:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for govulncheck-vulndb This update for govulncheck-vulndb fixes the following issues: - Update to version 0.0.20260114T191543 2026-01-14T19:15:43Z (jsc#PED-11136). Go CVE Numbering Authority IDs added or updated with aliases: * GO-2025-4248 CVE-2025-62690 GHSA-q66g-q98c-q454 * GO-2025-4251 CVE-2025-63389 GHSA-f6mr-38g8-39rg * GO-2026-4273 CVE-2025-14987 GHSA-hmhp-gh8m-c8xp - Update to version 0.0.20260113T164240 2026-01-13T16:42:40Z (jsc#PED-11136). Go CVE Numbering Authority IDs added or updated with aliases: * GO-2025-4269 CVE-2025-15107 GHSA-43h9-hc38-qph5 * GO-2025-4272 CVE-2025-14986 GHSA-p2gr-hm8g-q772 * GO-2026-4274 CVE-2025-69413 GHSA-pc73-rj2c-wvf9 * GO-2026-4275 CVE-2025-14273 GHSA-qvmc-92vg-6r35 * GO-2026-4277 CVE-2026-21483 GHSA-jmr4-p576-v565 * GO-2026-4278 CVE-2024-6717 GHSA-5mqx-rpxv-mvxj * GO-2026-4279 GHSA-4c5f-9mj4-m247 * GO-2026-4280 GHSA-hjr9-wj7v-7hv8 * GO-2026-4281 CVE-2025-62877 GHSA-6g8q-hp2j-gvwv * GO-2026-4283 CVE-2025-68954 GHSA-8c39-xppg-479c * GO-2026-4284 CVE-2026-21859 GHSA-8v65-47jx-7mfr * GO-2026-4285 GHSA-gg4x-fgg2-h9w9 * GO-2026-4286 CVE-2026-0650 GHSA-rwp9-5g7q-73q3 * GO-2026-4287 CVE-2026-21885 GHSA-xwh2-742g-w3wp * GO-2026-4289 CVE-2025-68151 GHSA-527x-5wrf-22m2 * GO-2026-4290 CVE-2026-22253 GHSA-6jm8-x3g6-r33j * GO-2026-4292 CVE-2026-22688 GHSA-78h3-63c4-5fqc * GO-2026-4293 CVE-2026-22687 GHSA-pcwc-3fw3-8cqv * GO-2026-4295 CVE-2017-18895 GHSA-h742-xx59-r9pq * GO-2026-4296 CVE-2017-18893 GHSA-887v-xh2x-47cm * GO-2026-4297 CVE-2017-18894 GHSA-gg42-mwr6-p82c * GO-2026-4298 CVE-2017-18891 GHSA-vrh2-rprg-rgc6 * GO-2026-4299 CVE-2017-18896 GHSA-63wg-qmrv-7q66 * GO-2026-4300 CVE-2017-18898 GHSA-9589-mq83-f749 * GO-2026-4301 CVE-2017-18897 GHSA-f7c3-7vp3-44p6 * GO-2026-4302 CVE-2017-18904 GHSA-8pff-p3gx-w4jf * GO-2026-4303 CVE-2017-18900 GHSA-8q4v-35v6-g8wr * GO-2026-4304 CVE-2017-18901 GHSA-c253-8hr4-r8v9 * GO-2026-4306 CVE-2017-18905 GHSA-g24c-fx4v-xg9w * GO-2026-4308 CVE-2025-60538 GHSA-mw8h-g64c-rxv4 * GO-2026-4309 CVE-2026-22703 GHSA-whqx-f9j3-ch6m The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-142,openSUSE-SLE-15.6-2026-142 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ Link for SUSE-SU-2026:0142-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023790.html E-Mail link for SUSE-SU-2026:0142-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-18891/ SUSE CVE CVE-2017-18891 page https://www.suse.com/security/cve/CVE-2017-18893/ SUSE CVE CVE-2017-18893 page https://www.suse.com/security/cve/CVE-2017-18894/ SUSE CVE CVE-2017-18894 page https://www.suse.com/security/cve/CVE-2017-18895/ SUSE CVE CVE-2017-18895 page https://www.suse.com/security/cve/CVE-2017-18896/ SUSE CVE CVE-2017-18896 page https://www.suse.com/security/cve/CVE-2017-18897/ SUSE CVE CVE-2017-18897 page https://www.suse.com/security/cve/CVE-2017-18898/ SUSE CVE CVE-2017-18898 page https://www.suse.com/security/cve/CVE-2017-18900/ SUSE CVE CVE-2017-18900 page https://www.suse.com/security/cve/CVE-2017-18901/ SUSE CVE CVE-2017-18901 page https://www.suse.com/security/cve/CVE-2017-18904/ SUSE CVE CVE-2017-18904 page https://www.suse.com/security/cve/CVE-2017-18905/ SUSE CVE CVE-2017-18905 page https://www.suse.com/security/cve/CVE-2024-6717/ SUSE CVE CVE-2024-6717 page https://www.suse.com/security/cve/CVE-2025-14273/ SUSE CVE CVE-2025-14273 page https://www.suse.com/security/cve/CVE-2025-14986/ SUSE CVE CVE-2025-14986 page https://www.suse.com/security/cve/CVE-2025-14987/ SUSE CVE CVE-2025-14987 page https://www.suse.com/security/cve/CVE-2025-15107/ SUSE CVE CVE-2025-15107 page https://www.suse.com/security/cve/CVE-2025-60538/ SUSE CVE CVE-2025-60538 page https://www.suse.com/security/cve/CVE-2025-62690/ SUSE CVE CVE-2025-62690 page https://www.suse.com/security/cve/CVE-2025-62877/ SUSE CVE CVE-2025-62877 page https://www.suse.com/security/cve/CVE-2025-63389/ SUSE CVE CVE-2025-63389 page https://www.suse.com/security/cve/CVE-2025-68151/ SUSE CVE CVE-2025-68151 page https://www.suse.com/security/cve/CVE-2025-68954/ SUSE CVE CVE-2025-68954 page https://www.suse.com/security/cve/CVE-2025-69413/ SUSE CVE CVE-2025-69413 page https://www.suse.com/security/cve/CVE-2026-0650/ SUSE CVE CVE-2026-0650 page https://www.suse.com/security/cve/CVE-2026-21483/ SUSE CVE CVE-2026-21483 page https://www.suse.com/security/cve/CVE-2026-21859/ SUSE CVE CVE-2026-21859 page https://www.suse.com/security/cve/CVE-2026-21885/ SUSE CVE CVE-2026-21885 page https://www.suse.com/security/cve/CVE-2026-22253/ SUSE CVE CVE-2026-22253 page https://www.suse.com/security/cve/CVE-2026-22687/ SUSE CVE CVE-2026-22687 page https://www.suse.com/security/cve/CVE-2026-22688/ SUSE CVE CVE-2026-22688 page https://www.suse.com/security/cve/CVE-2026-22703/ SUSE CVE CVE-2026-22703 page openSUSE Leap 15.6 An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows Phishing because an error page can have a link. CVE-2017-18891 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2017-18891.html CVE-2017-18891 An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS. CVE-2017-18893 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2017-18893.html CVE-2017-18893 An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover. CVE-2017-18894 moderate 5.5 AV:N/AC:L/Au:S/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2017-18894.html CVE-2017-18894 An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint. CVE-2017-18895 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2017-18895.html CVE-2017-18895 An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint. CVE-2017-18896 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2017-18896.html CVE-2017-18896 An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection. CVE-2017-18897 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2017-18897.html CVE-2017-18897 An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang. CVE-2017-18898 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2017-18898.html CVE-2017-18898 An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report. CVE-2017-18900 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2017-18900.html CVE-2017-18900 An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document. CVE-2017-18901 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2017-18901.html CVE-2017-18901 An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file. CVE-2017-18904 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2017-18904.html CVE-2017-18904 An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled. CVE-2017-18905 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2017-18905.html CVE-2017-18905 HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1 archive unpacking during migration is vulnerable to path escaping of the allocation directory. This vulnerability, CVE-2024-6717, is fixed in Nomad 1.6.13, 1.7.10, and 1.8.2. CVE-2024-6717 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2024-6717.html CVE-2024-6717 Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-2025-00555 CVE-2025-14273 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2025-14273.html CVE-2025-14273 When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits/policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context. This issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2. CVE-2025-14986 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2025-14986.html CVE-2025-14986 When system.enableCrossNamespaceCommands is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution) to target a different namespace than the namespace authorized at the gRPC boundary. The frontend authorizes RespondWorkflowTaskCompleted based on the outer request namespace, but the history service later resolves and executes the command using the namespace embedded in command attributes without authorizing the caller for that target namespace. This can allow a worker authorized for one namespace to create, signal, or cancel workflows in another namespace. This issue affects Temporal: through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2. CVE-2025-14987 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2025-14987.html CVE-2025-14987 A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic key . The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release. CVE-2025-15107 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2025-15107.html CVE-2025-15107 A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack. CVE-2025-60538 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2025-60538.html CVE-2025-60538 Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab. CVE-2025-62690 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2025-62690.html CVE-2025-62690 Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup. CVE-2025-62877 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2025-62877.html CVE-2025-62877 https://bugzilla.suse.com/1253316 SUSE Bug 1253316 A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations. CVE-2025-63389 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2025-63389.html CVE-2025-63389 https://bugzilla.suse.com/1255387 SUSE Bug 1255387 CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints. Version 1.14.0 contains a patch. CVE-2025-68151 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2025-68151.html CVE-2025-68151 https://bugzilla.suse.com/1256410 SUSE Bug 1256410 Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked. A user must have been connected to SFTP at the time of their permissions being revoked in order for this vulnerability to be exploited. This issue is fixed in version 1.12.0. CVE-2025-68954 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2025-68954.html CVE-2025-68954 In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists. CVE-2025-69413 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2025-69413.html CVE-2025-69413 OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data. CVE-2026-0650 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2026-0650.html CVE-2026-0650 listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue. CVE-2026-21483 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2026-21483.html CVE-2026-21483 Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1. CVE-2026-21859 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2026-21859.html CVE-2026-21859 Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue. CVE-2026-21885 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2026-21885.html CVE-2026-21885 Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2. CVE-2026-22253 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2026-22253.html CVE-2026-22253 WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt-based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. This issue has been patched in version 0.2.5. CVE-2026-22687 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2026-22687.html CVE-2026-22687 WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5. CVE-2026-22688 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2026-22688.html CVE-2026-22688 Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by including any arbitrary Rekor entry, thus preventing the user from being able to audit the signing event. This issue has been patched in versions 2.6.2 and 3.0.4. CVE-2026-22703 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260142-1/ https://www.suse.com/security/cve/CVE-2026-22703.html CVE-2026-22703 https://bugzilla.suse.com/1256496 SUSE Bug 1256496