Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-48619 (GCVE-0-2026-48619)
Vulnerability from cvelistv5 – Published: 2026-06-26 01:14 – Updated: 2026-06-26 15:01- CWE-400 - Uncontrolled Resource Consumption
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48619",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T15:01:30.143238Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:01:43.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "22.22.3",
"status": "affected",
"version": "22.22.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.16.0",
"status": "affected",
"version": "24.16.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "26.3.0",
"status": "affected",
"version": "26.3.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T01:14:36.541Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-48619",
"datePublished": "2026-06-26T01:14:36.541Z",
"dateReserved": "2026-05-22T15:00:09.276Z",
"dateUpdated": "2026-06-26T15:01:43.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-48619",
"date": "2026-07-09",
"epss": "0.00656",
"percentile": "0.47039"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-48619\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2026-06-26T02:16:52.507\",\"lastModified\":\"2026-06-26T20:18:56.810\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.\\r\\n\\r\\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.\"}],\"affected\":[{\"source\":\"support@hackerone.com\",\"affectedData\":[{\"vendor\":\"nodejs\",\"product\":\"node\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"22.22.3\",\"lessThanOrEqual\":\"22.22.3\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"24.16.0\",\"lessThanOrEqual\":\"24.16.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"26.3.0\",\"lessThanOrEqual\":\"26.3.0\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV30\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-26T15:01:30.143238Z\",\"id\":\"CVE-2026-48619\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:22.22.3:*:*:*:-:*:*:*\",\"matchCriteriaId\":\"3C0C5080-5F99-4651-9855-2DE03C9070C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:24.16.0:*:*:*:-:*:*:*\",\"matchCriteriaId\":\"3B912C84-1AA5-4D74-AB1A-64162C80A33B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:26.3.0:*:*:*:-:*:*:*\",\"matchCriteriaId\":\"8152ACE6-3CAF-4CA0-8B19-D4753811EB44\"}]}]}],\"references\":[{\"url\":\"https://nodejs.org/en/blog/vulnerability/june-2026-security-releases\",\"source\":\"support@hackerone.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
"redhat_vex": {
"aggregate_severity": "Moderate",
"current_release_date": "2026-07-07T18:58:07+00:00",
"cve": "CVE-2026-48619",
"id": "CVE-2026-48619",
"initial_release_date": "2026-06-26T01:14:36.541000+00:00",
"product_status:fixed": "172",
"product_status:known_affected": "14",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48619.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-48619\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-26T15:01:30.143238Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-26T15:01:37.921Z\"}}], \"cna\": {\"metrics\": [{\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"}}], \"affected\": [{\"vendor\": \"nodejs\", \"product\": \"node\", \"versions\": [{\"status\": \"affected\", \"version\": \"22.22.3\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"22.22.3\"}, {\"status\": \"affected\", \"version\": \"24.16.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"24.16.0\"}, {\"status\": \"affected\", \"version\": \"26.3.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"26.3.0\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://nodejs.org/en/blog/vulnerability/june-2026-security-releases\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.\\r\\n\\r\\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400 Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"shortName\": \"hackerone\", \"dateUpdated\": \"2026-06-26T01:14:36.541Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-48619\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-26T15:01:43.942Z\", \"dateReserved\": \"2026-05-22T15:00:09.276Z\", \"assignerOrgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"datePublished\": \"2026-06-26T01:14:36.541Z\", \"assignerShortName\": \"hackerone\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
alsa-2026:35841
Vulnerability from osv_almalinux
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.
Security Fix(es):
- ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338)
- undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151)
- undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678)
- undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733)
- undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525)
- undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy (CVE-2026-9697)
- undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing (CVE-2026-6734)
- nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619)
- nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930)
- nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935)
- nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933)
- nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934)
- Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928)
- nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615)
- nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618)
Bug Fix(es) and Enhancement(s):
- nodejs24: Rebase to the latest Node.js 24 release [almalinux-10.2.z] (JIRA:AlmaLinux-186582)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs24"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.18.0-1.el10_2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs24-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.18.0-1.el10_2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs24-docs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.18.0-1.el10_2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs24-full-i18n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.18.0-1.el10_2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs24-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.18.0-1.el10_2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs24-npm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:11.16.0-1.24.18.0.1.el10_2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Node.js is a platform built on Chrome\u0027s JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. \n\nSecurity Fix(es): \n\n * ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338)\n * undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151)\n * undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678)\n * undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733)\n * undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525)\n * undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy (CVE-2026-9697)\n * undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing (CVE-2026-6734)\n * nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619)\n * nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930)\n * nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935)\n * nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933)\n * nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934)\n * Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928)\n * nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615)\n * nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618)\n\n\nBug Fix(es) and Enhancement(s): \n\n * nodejs24: Rebase to the latest Node.js 24 release [almalinux-10.2.z] (JIRA:AlmaLinux-186582)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:35841",
"modified": "2026-07-06T12:42:48Z",
"published": "2026-07-06T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-11525"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-12151"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48615"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48618"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48619"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48928"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48930"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48933"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48934"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48935"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-6733"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-6734"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-9678"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-9697"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2476810"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2489980"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490000"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490006"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490008"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490018"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490024"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493325"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493326"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493329"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493331"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493332"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493333"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493335"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493337"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/10/ALSA-2026-35841.html"
}
],
"related": [
"CVE-2026-42338",
"CVE-2026-12151",
"CVE-2026-9678",
"CVE-2026-6733",
"CVE-2026-11525",
"CVE-2026-9697",
"CVE-2026-6734",
"CVE-2026-48619",
"CVE-2026-48930",
"CVE-2026-48935",
"CVE-2026-48933",
"CVE-2026-48934",
"CVE-2026-48928",
"CVE-2026-48615",
"CVE-2026-48618"
],
"summary": "Important: nodejs24 security, bug fix, and enhancement update"
}
alsa-2026:35842
Vulnerability from osv_almalinux
Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an event-driven, non-blocking I/O model that \ makes it lightweight and efficient, perfect for data-intensive \ real-time applications that run across distributed devices.
Security Fix(es):
- ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338)
- undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151)
- undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678)
- undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733)
- undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525)
- nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619)
- nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930)
- nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935)
- nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933)
- nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934)
- Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928)
- nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615)
- nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618)
Bug Fix(es) and Enhancement(s):
- nodejs22: Rebase to the latest Node.js 22 release [almalinux-10.2.z] (JIRA:AlmaLinux-186623)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.23.1-2.el10_2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.23.1-2.el10_2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs-docs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.23.1-2.el10_2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs-full-i18n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.23.1-2.el10_2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.23.1-2.el10_2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs-npm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:10.9.8-1.22.23.1.2.el10_2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Node.js is a platform built on Chrome\u0027s JavaScript runtime \\ for easily building fast, scalable network applications. \\ Node.js uses an event-driven, non-blocking I/O model that \\ makes it lightweight and efficient, perfect for data-intensive \\ real-time applications that run across distributed devices. \n\nSecurity Fix(es): \n\n * ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338)\n * undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151)\n * undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678)\n * undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733)\n * undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525)\n * nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619)\n * nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930)\n * nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935)\n * nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933)\n * nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934)\n * Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928)\n * nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615)\n * nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618)\n\n\nBug Fix(es) and Enhancement(s): \n\n * nodejs22: Rebase to the latest Node.js 22 release [almalinux-10.2.z] (JIRA:AlmaLinux-186623)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:35842",
"modified": "2026-07-06T12:41:55Z",
"published": "2026-07-06T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:35842"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-11525"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-12151"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48615"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48618"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48619"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48928"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48930"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48933"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48934"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48935"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-6733"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-9678"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2476810"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2489980"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490000"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490006"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490008"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493325"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493326"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493329"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493331"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493332"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493333"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493335"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493337"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/10/ALSA-2026-35842.html"
}
],
"related": [
"CVE-2026-42338",
"CVE-2026-12151",
"CVE-2026-9678",
"CVE-2026-6733",
"CVE-2026-11525",
"CVE-2026-48619",
"CVE-2026-48930",
"CVE-2026-48935",
"CVE-2026-48933",
"CVE-2026-48934",
"CVE-2026-48928",
"CVE-2026-48615",
"CVE-2026-48618"
],
"summary": "Important: nodejs22 security, bug fix, and enhancement update"
}
alsa-2026:35891
Vulnerability from osv_almalinux
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
- ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338)
- undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151)
- undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678)
- undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733)
- undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525)
- undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy (CVE-2026-9697)
- undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing (CVE-2026-6734)
- nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619)
- nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930)
- nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935)
- nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933)
- nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934)
- Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928)
- nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615)
- nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618)
Bug Fix(es) and Enhancement(s):
- nodejs:24/nodejs: Rebase to the latest Node.js 24 release [almalinux-9.8.z] (JIRA:AlmaLinux-186580)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.18.0-1.module_el9.8.0+277+61fc613e"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.18.0-1.module_el9.8.0+277+61fc613e"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-docs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.18.0-1.module_el9.8.0+277+61fc613e"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-full-i18n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.18.0-1.module_el9.8.0+277+61fc613e"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.18.0-1.module_el9.8.0+277+61fc613e"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-nodemon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.3-3.module_el9.7.0+209+ecf6523e"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-packaging"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2021.06-6.module_el9.7.0+209+ecf6523e"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-packaging-bundler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2021.06-6.module_el9.7.0+209+ecf6523e"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "npm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:11.16.0-1.24.18.0.1.module_el9.8.0+277+61fc613e"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "v8-13.6-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:13.6.233.17-1.24.18.0.1.module_el9.8.0+277+61fc613e"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nSecurity Fix(es): \n\n * ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338)\n * undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151)\n * undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678)\n * undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733)\n * undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525)\n * undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy (CVE-2026-9697)\n * undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing (CVE-2026-6734)\n * nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619)\n * nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930)\n * nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935)\n * nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933)\n * nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934)\n * Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928)\n * nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615)\n * nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618)\n\n\nBug Fix(es) and Enhancement(s): \n\n * nodejs:24/nodejs: Rebase to the latest Node.js 24 release [almalinux-9.8.z] (JIRA:AlmaLinux-186580)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:35891",
"modified": "2026-07-07T09:50:32Z",
"published": "2026-07-06T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:35891"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-11525"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-12151"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48615"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48618"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48619"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48928"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48930"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48933"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48934"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48935"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-6733"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-6734"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-9678"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-9697"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2476810"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2489980"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490000"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490006"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490008"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490018"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490024"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493325"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493326"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493329"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493331"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493332"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493333"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493335"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493337"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2026-35891.html"
}
],
"related": [
"CVE-2026-42338",
"CVE-2026-12151",
"CVE-2026-9678",
"CVE-2026-6733",
"CVE-2026-11525",
"CVE-2026-9697",
"CVE-2026-6734",
"CVE-2026-48619",
"CVE-2026-48930",
"CVE-2026-48935",
"CVE-2026-48933",
"CVE-2026-48934",
"CVE-2026-48928",
"CVE-2026-48615",
"CVE-2026-48618"
],
"summary": "Important: nodejs:24 security, bug fix, and enhancement update"
}
alsa-2026:35892
Vulnerability from osv_almalinux
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
- ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338)
- undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151)
- undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678)
- undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733)
- undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525)
- nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619)
- nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930)
- nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935)
- nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933)
- nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934)
- Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928)
- nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615)
- nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618)
Bug Fix(es) and Enhancement(s):
- nodejs:22/nodejs: Rebase to the latest Node.js 22 release [almalinux-9.8.z] (JIRA:AlmaLinux-186622)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.23.1-1.module_el9.8.0+276+8b329b47"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.23.1-1.module_el9.8.0+276+8b329b47"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-docs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.23.1-1.module_el9.8.0+276+8b329b47"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-full-i18n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.23.1-1.module_el9.8.0+276+8b329b47"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.23.1-1.module_el9.8.0+276+8b329b47"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-nodemon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1-1.module_el9.7.0+208+fb06c0ab"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-packaging"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2021.06-6.module_el9.7.0+227+12323393"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-packaging-bundler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2021.06-6.module_el9.7.0+227+12323393"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "npm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:10.9.8-1.22.23.1.1.module_el9.8.0+276+8b329b47"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "v8-12.4-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:12.4.254.21-1.22.23.1.1.module_el9.8.0+276+8b329b47"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nSecurity Fix(es): \n\n * ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338)\n * undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151)\n * undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678)\n * undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733)\n * undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525)\n * nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619)\n * nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930)\n * nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935)\n * nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933)\n * nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934)\n * Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928)\n * nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615)\n * nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618)\n\n\nBug Fix(es) and Enhancement(s): \n\n * nodejs:22/nodejs: Rebase to the latest Node.js 22 release [almalinux-9.8.z] (JIRA:AlmaLinux-186622)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:35892",
"modified": "2026-07-07T11:42:55Z",
"published": "2026-07-06T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:35892"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-11525"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-12151"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48615"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48618"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48619"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48928"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48930"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48933"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48934"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-48935"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-6733"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-9678"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2476810"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2489980"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490000"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490006"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2490008"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493325"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493326"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493329"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493331"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493332"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493333"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493335"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2493337"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2026-35892.html"
}
],
"related": [
"CVE-2026-42338",
"CVE-2026-12151",
"CVE-2026-9678",
"CVE-2026-6733",
"CVE-2026-11525",
"CVE-2026-48619",
"CVE-2026-48930",
"CVE-2026-48935",
"CVE-2026-48933",
"CVE-2026-48934",
"CVE-2026-48928",
"CVE-2026-48615",
"CVE-2026-48618"
],
"summary": "Important: nodejs:22 security, bug fix, and enhancement update"
}
bit-node-2026-48619
Vulnerability from bitnami_vulndb
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "node",
"purl": "pkg:bitnami/node"
},
"ranges": [
{
"events": [
{
"introduced": "22.22.3"
},
{
"fixed": "22.23.0"
},
{
"introduced": "24.16.0"
},
{
"fixed": "24.17.0"
},
{
"introduced": "26.3.0"
},
{
"fixed": "26.3.1"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2026-48619"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*"
],
"severity": "High"
},
"details": "A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"id": "BIT-node-2026-48619",
"modified": "2026-06-29T06:04:07.500Z",
"published": "2026-06-29T05:48:51.254Z",
"references": [
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48619"
}
],
"schema_version": "1.6.2"
}
CERTFR-2026-AVI-0786
Vulnerability from certfr_avis - Published: 2026-06-19 - Updated: 2026-06-19
De multiples vulnérabilités ont été découvertes dans Node.js. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Node.js versions 24.x ant\u00e9rieures \u00e0 24.17.0",
"product": {
"name": "Node.js",
"vendor": {
"name": "Node.js",
"scada": false
}
}
},
{
"description": "Node.js versions 26.x ant\u00e9rieures \u00e0 26.3.1",
"product": {
"name": "Node.js",
"vendor": {
"name": "Node.js",
"scada": false
}
}
},
{
"description": "Node.js versions 22.x ant\u00e9rieures \u00e0 22.23.0",
"product": {
"name": "Node.js",
"vendor": {
"name": "Node.js",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-48619",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48619"
},
{
"name": "CVE-2026-48618",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48618"
},
{
"name": "CVE-2026-48934",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48934"
},
{
"name": "CVE-2026-48936",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48936"
},
{
"name": "CVE-2026-21636",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21636"
},
{
"name": "CVE-2026-48931",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48931"
},
{
"name": "CVE-2026-48937",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48937"
},
{
"name": "CVE-2026-48617",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48617"
},
{
"name": "CVE-2026-48933",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48933"
},
{
"name": "CVE-2026-48935",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48935"
},
{
"name": "CVE-2026-48615",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48615"
},
{
"name": "CVE-2026-48930",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48930"
},
{
"name": "CVE-2026-48928",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48928"
}
],
"initial_release_date": "2026-06-19T00:00:00",
"last_revision_date": "2026-06-19T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0786",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-19T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Node.js. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Node.js",
"vendor_advisories": [
{
"published_at": "2026-06-18",
"title": "Bulletin de s\u00e9curit\u00e9 Node.js june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
]
}
FKIE_CVE-2026-48619
Vulnerability from fkie_nvd - Published: 2026-06-26 02:16 - Updated: 2026-06-26 20:18| URL | Tags | ||
|---|---|---|---|
| support@hackerone.com | https://nodejs.org/en/blog/vulnerability/june-2026-security-releases | Patch, Vendor Advisory |
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "22.22.3",
"status": "affected",
"version": "22.22.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.16.0",
"status": "affected",
"version": "24.16.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "26.3.0",
"status": "affected",
"version": "26.3.0",
"versionType": "semver"
}
]
}
],
"source": "support@hackerone.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nodejs:node.js:22.22.3:*:*:*:-:*:*:*",
"matchCriteriaId": "3C0C5080-5F99-4651-9855-2DE03C9070C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nodejs:node.js:24.16.0:*:*:*:-:*:*:*",
"matchCriteriaId": "3B912C84-1AA5-4D74-AB1A-64162C80A33B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nodejs:node.js:26.3.0:*:*:*:-:*:*:*",
"matchCriteriaId": "8152ACE6-3CAF-4CA0-8B19-D4753811EB44",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
}
],
"id": "CVE-2026-48619",
"lastModified": "2026-06-26T20:18:56.810",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "support@hackerone.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-48619",
"options": [
{
"exploitation": "none"
},
{
"automatable": "yes"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T15:01:30.143238Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-06-26T02:16:52.507",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
}
]
}
GHSA-V3CQ-R2F8-QMMC
Vulnerability from github – Published: 2026-06-26 03:31 – Updated: 2026-06-26 03:31A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
{
"affected": [],
"aliases": [
"CVE-2026-48619"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-26T02:16:52Z",
"severity": "MODERATE"
},
"details": "A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.\n\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"id": "GHSA-v3cq-r2f8-qmmc",
"modified": "2026-06-26T03:31:29Z",
"published": "2026-06-26T03:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48619"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
OPENSUSE-SU-2026:11121-1
Vulnerability from csaf_opensuse - Published: 2026-06-25 00:00 - Updated: 2026-06-25 00:00| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://www.suse.com/security/cve/CVE-2026-11525/ | self |
| https://www.suse.com/security/cve/CVE-2026-12151/ | self |
| https://www.suse.com/security/cve/CVE-2026-2581/ | self |
| https://www.suse.com/security/cve/CVE-2026-27135/ | self |
| https://www.suse.com/security/cve/CVE-2026-40170/ | self |
| https://www.suse.com/security/cve/CVE-2026-42338/ | self |
| https://www.suse.com/security/cve/CVE-2026-48615/ | self |
| https://www.suse.com/security/cve/CVE-2026-48617/ | self |
| https://www.suse.com/security/cve/CVE-2026-48618/ | self |
| https://www.suse.com/security/cve/CVE-2026-48619/ | self |
| https://www.suse.com/security/cve/CVE-2026-48928/ | self |
| https://www.suse.com/security/cve/CVE-2026-48930/ | self |
| https://www.suse.com/security/cve/CVE-2026-48931/ | self |
| https://www.suse.com/security/cve/CVE-2026-48933/ | self |
| https://www.suse.com/security/cve/CVE-2026-48934/ | self |
| https://www.suse.com/security/cve/CVE-2026-48935/ | self |
| https://www.suse.com/security/cve/CVE-2026-48937/ | self |
| https://www.suse.com/security/cve/CVE-2026-6733/ | self |
| https://www.suse.com/security/cve/CVE-2026-9496/ | self |
| https://www.suse.com/security/cve/CVE-2026-9678/ | self |
| https://www.suse.com/security/cve/CVE-2026-9679/ | self |
| https://www.suse.com/security/cve/CVE-2026-11525 | external |
| https://bugzilla.suse.com/1268481 | external |
| https://www.suse.com/security/cve/CVE-2026-12151 | external |
| https://bugzilla.suse.com/1268482 | external |
| https://www.suse.com/security/cve/CVE-2026-2581 | external |
| https://bugzilla.suse.com/1268480 | external |
| https://www.suse.com/security/cve/CVE-2026-27135 | external |
| https://bugzilla.suse.com/1259835 | external |
| https://www.suse.com/security/cve/CVE-2026-40170 | external |
| https://bugzilla.suse.com/1262273 | external |
| https://www.suse.com/security/cve/CVE-2026-42338 | external |
| https://bugzilla.suse.com/1268097 | external |
| https://www.suse.com/security/cve/CVE-2026-48615 | external |
| https://bugzilla.suse.com/1268598 | external |
| https://www.suse.com/security/cve/CVE-2026-48617 | external |
| https://bugzilla.suse.com/1268554 | external |
| https://www.suse.com/security/cve/CVE-2026-48618 | external |
| https://bugzilla.suse.com/1268593 | external |
| https://www.suse.com/security/cve/CVE-2026-48619 | external |
| https://bugzilla.suse.com/1268618 | external |
| https://www.suse.com/security/cve/CVE-2026-48928 | external |
| https://bugzilla.suse.com/1268605 | external |
| https://www.suse.com/security/cve/CVE-2026-48930 | external |
| https://bugzilla.suse.com/1268606 | external |
| https://www.suse.com/security/cve/CVE-2026-48931 | external |
| https://bugzilla.suse.com/1268611 | external |
| https://www.suse.com/security/cve/CVE-2026-48933 | external |
| https://bugzilla.suse.com/1268592 | external |
| https://www.suse.com/security/cve/CVE-2026-48934 | external |
| https://bugzilla.suse.com/1268608 | external |
| https://www.suse.com/security/cve/CVE-2026-48935 | external |
| https://bugzilla.suse.com/1268609 | external |
| https://www.suse.com/security/cve/CVE-2026-48937 | external |
| https://bugzilla.suse.com/1268555 | external |
| https://www.suse.com/security/cve/CVE-2026-6733 | external |
| https://bugzilla.suse.com/1268479 | external |
| https://www.suse.com/security/cve/CVE-2026-9496 | external |
| https://bugzilla.suse.com/1266318 | external |
| https://www.suse.com/security/cve/CVE-2026-9678 | external |
| https://bugzilla.suse.com/1268478 | external |
| https://www.suse.com/security/cve/CVE-2026-9679 | external |
| https://bugzilla.suse.com/1268477 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "corepack24-24.17.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the corepack24-24.17.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-11121",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_11121-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-11525 page",
"url": "https://www.suse.com/security/cve/CVE-2026-11525/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-12151 page",
"url": "https://www.suse.com/security/cve/CVE-2026-12151/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-2581 page",
"url": "https://www.suse.com/security/cve/CVE-2026-2581/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27135 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27135/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-40170 page",
"url": "https://www.suse.com/security/cve/CVE-2026-40170/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42338 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48615 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48615/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48617 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48617/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48618 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48618/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48619 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48619/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48928 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48928/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48930 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48930/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48931 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48931/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48933 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48933/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48934 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48934/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48935 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48935/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48937 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48937/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-6733 page",
"url": "https://www.suse.com/security/cve/CVE-2026-6733/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-9496 page",
"url": "https://www.suse.com/security/cve/CVE-2026-9496/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-9678 page",
"url": "https://www.suse.com/security/cve/CVE-2026-9678/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-9679 page",
"url": "https://www.suse.com/security/cve/CVE-2026-9679/"
}
],
"title": "corepack24-24.17.0-1.1 on GA media",
"tracking": {
"current_release_date": "2026-06-25T00:00:00Z",
"generator": {
"date": "2026-06-25T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:11121-1",
"initial_release_date": "2026-06-25T00:00:00Z",
"revision_history": [
{
"date": "2026-06-25T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.17.0-1.1.aarch64",
"product": {
"name": "corepack24-24.17.0-1.1.aarch64",
"product_id": "corepack24-24.17.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.17.0-1.1.aarch64",
"product": {
"name": "nodejs24-24.17.0-1.1.aarch64",
"product_id": "nodejs24-24.17.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.17.0-1.1.aarch64",
"product": {
"name": "nodejs24-devel-24.17.0-1.1.aarch64",
"product_id": "nodejs24-devel-24.17.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-docs-24.17.0-1.1.aarch64",
"product": {
"name": "nodejs24-docs-24.17.0-1.1.aarch64",
"product_id": "nodejs24-docs-24.17.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm24-24.17.0-1.1.aarch64",
"product": {
"name": "npm24-24.17.0-1.1.aarch64",
"product_id": "npm24-24.17.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.17.0-1.1.ppc64le",
"product": {
"name": "corepack24-24.17.0-1.1.ppc64le",
"product_id": "corepack24-24.17.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-24.17.0-1.1.ppc64le",
"product": {
"name": "nodejs24-24.17.0-1.1.ppc64le",
"product_id": "nodejs24-24.17.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.17.0-1.1.ppc64le",
"product": {
"name": "nodejs24-devel-24.17.0-1.1.ppc64le",
"product_id": "nodejs24-devel-24.17.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-docs-24.17.0-1.1.ppc64le",
"product": {
"name": "nodejs24-docs-24.17.0-1.1.ppc64le",
"product_id": "nodejs24-docs-24.17.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm24-24.17.0-1.1.ppc64le",
"product": {
"name": "npm24-24.17.0-1.1.ppc64le",
"product_id": "npm24-24.17.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.17.0-1.1.s390x",
"product": {
"name": "corepack24-24.17.0-1.1.s390x",
"product_id": "corepack24-24.17.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-24.17.0-1.1.s390x",
"product": {
"name": "nodejs24-24.17.0-1.1.s390x",
"product_id": "nodejs24-24.17.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.17.0-1.1.s390x",
"product": {
"name": "nodejs24-devel-24.17.0-1.1.s390x",
"product_id": "nodejs24-devel-24.17.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-docs-24.17.0-1.1.s390x",
"product": {
"name": "nodejs24-docs-24.17.0-1.1.s390x",
"product_id": "nodejs24-docs-24.17.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "npm24-24.17.0-1.1.s390x",
"product": {
"name": "npm24-24.17.0-1.1.s390x",
"product_id": "npm24-24.17.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.17.0-1.1.x86_64",
"product": {
"name": "corepack24-24.17.0-1.1.x86_64",
"product_id": "corepack24-24.17.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.17.0-1.1.x86_64",
"product": {
"name": "nodejs24-24.17.0-1.1.x86_64",
"product_id": "nodejs24-24.17.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.17.0-1.1.x86_64",
"product": {
"name": "nodejs24-devel-24.17.0-1.1.x86_64",
"product_id": "nodejs24-devel-24.17.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-docs-24.17.0-1.1.x86_64",
"product": {
"name": "nodejs24-docs-24.17.0-1.1.x86_64",
"product_id": "nodejs24-docs-24.17.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm24-24.17.0-1.1.x86_64",
"product": {
"name": "npm24-24.17.0-1.1.x86_64",
"product_id": "npm24-24.17.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.17.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64"
},
"product_reference": "corepack24-24.17.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.17.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le"
},
"product_reference": "corepack24-24.17.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.17.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x"
},
"product_reference": "corepack24-24.17.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.17.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64"
},
"product_reference": "corepack24-24.17.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.17.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64"
},
"product_reference": "nodejs24-24.17.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.17.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le"
},
"product_reference": "nodejs24-24.17.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.17.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x"
},
"product_reference": "nodejs24-24.17.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.17.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64"
},
"product_reference": "nodejs24-24.17.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.17.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64"
},
"product_reference": "nodejs24-devel-24.17.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.17.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le"
},
"product_reference": "nodejs24-devel-24.17.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.17.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x"
},
"product_reference": "nodejs24-devel-24.17.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.17.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64"
},
"product_reference": "nodejs24-devel-24.17.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.17.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64"
},
"product_reference": "nodejs24-docs-24.17.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.17.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le"
},
"product_reference": "nodejs24-docs-24.17.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.17.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x"
},
"product_reference": "nodejs24-docs-24.17.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.17.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64"
},
"product_reference": "nodejs24-docs-24.17.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.17.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64"
},
"product_reference": "npm24-24.17.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.17.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le"
},
"product_reference": "npm24-24.17.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.17.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x"
},
"product_reference": "npm24-24.17.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.17.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
},
"product_reference": "npm24-24.17.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-11525",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-11525"
}
],
"notes": [
{
"category": "general",
"text": "Impact:\nWhen undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSite=NoneOfYourBusiness is parsed as None (the most permissive setting), and SameSite=StrictLax is parsed as Lax (a downgrade from Strict).\n\nAffected applications are those that consume Set-Cookie headers from server responses (for example via undici\u0027s fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer\u0027s view of a cookie\u0027s SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide.\n\nThis was introduced in undici 5.15.0 when the cookies feature was added.\n\nPatches:\nUpgrade to undici v6.26.0, v7.28.0 or v8.5.0.\n\nWorkarounds:\nAfter parsing a Set-Cookie header, validate that the resulting sameSite attribute is one of \u0027Strict\u0027, \u0027Lax\u0027, or \u0027None\u0027 (exact, case-insensitive) before forwarding or relying on it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-11525",
"url": "https://www.suse.com/security/cve/CVE-2026-11525"
},
{
"category": "external",
"summary": "SUSE Bug 1268481 for CVE-2026-11525",
"url": "https://bugzilla.suse.com/1268481"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2026-11525"
},
{
"cve": "CVE-2026-12151",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-12151"
}
],
"notes": [
{
"category": "general",
"text": "Impact:\nThe undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.\n\nAffected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.\n\nAll releases starting at undici 6.17.0 are affected.\n\nPatches: Upgrade to undici \u003e= 6.26.0, \u003e= 7.28.0, or \u003e= 8.5.0. Workarounds:\nNo workaround is available. The fix must be applied through an upgrade.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-12151",
"url": "https://www.suse.com/security/cve/CVE-2026-12151"
},
{
"category": "external",
"summary": "SUSE Bug 1268482 for CVE-2026-12151",
"url": "https://bugzilla.suse.com/1268482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-12151"
},
{
"cve": "CVE-2026-2581",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-2581"
}
],
"notes": [
{
"category": "general",
"text": "This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).\n\nIn vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination.\n\nImpacted users are applications that use Undici\u0027s deduplication interceptor against endpoints that may produce large or long-lived response bodies.\n\nPatchesThe issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started.\n\nUsers should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-2581",
"url": "https://www.suse.com/security/cve/CVE-2026-2581"
},
{
"category": "external",
"summary": "SUSE Bug 1268480 for CVE-2026-2581",
"url": "https://bugzilla.suse.com/1268480"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-2581"
},
{
"cve": "CVE-2026-27135",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27135"
}
],
"notes": [
{
"category": "general",
"text": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27135",
"url": "https://www.suse.com/security/cve/CVE-2026-27135"
},
{
"category": "external",
"summary": "SUSE Bug 1259835 for CVE-2026-27135",
"url": "https://bugzilla.suse.com/1259835"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-27135"
},
{
"cve": "CVE-2026-40170",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-40170"
}
],
"notes": [
{
"category": "general",
"text": "ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable the qlog on client.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-40170",
"url": "https://www.suse.com/security/cve/CVE-2026-40170"
},
{
"category": "external",
"summary": "SUSE Bug 1262273 for CVE-2026-40170",
"url": "https://bugzilla.suse.com/1262273"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-40170"
},
{
"cve": "CVE-2026-42338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42338"
}
],
"notes": [
{
"category": "general",
"text": "ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error\u0027s parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42338",
"url": "https://www.suse.com/security/cve/CVE-2026-42338"
},
{
"category": "external",
"summary": "SUSE Bug 1268097 for CVE-2026-42338",
"url": "https://bugzilla.suse.com/1268097"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-42338"
},
{
"cve": "CVE-2026-48615",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48615"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages.\r\n\r\nWhen proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48615",
"url": "https://www.suse.com/security/cve/CVE-2026-48615"
},
{
"category": "external",
"summary": "SUSE Bug 1268598 for CVE-2026-48615",
"url": "https://bugzilla.suse.com/1268598"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-48615"
},
{
"cve": "CVE-2026-48617",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48617"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48617",
"url": "https://www.suse.com/security/cve/CVE-2026-48617"
},
{
"category": "external",
"summary": "SUSE Bug 1268554 for CVE-2026-48617",
"url": "https://bugzilla.suse.com/1268554"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-48617"
},
{
"cve": "CVE-2026-48618",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48618"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.\r\n\r\nThis can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48618",
"url": "https://www.suse.com/security/cve/CVE-2026-48618"
},
{
"category": "external",
"summary": "SUSE Bug 1268593 for CVE-2026-48618",
"url": "https://bugzilla.suse.com/1268593"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-48618"
},
{
"cve": "CVE-2026-48619",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48619"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48619",
"url": "https://www.suse.com/security/cve/CVE-2026-48619"
},
{
"category": "external",
"summary": "SUSE Bug 1268618 for CVE-2026-48619",
"url": "https://bugzilla.suse.com/1268618"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-48619"
},
{
"cve": "CVE-2026-48928",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48928"
}
],
"notes": [
{
"category": "general",
"text": "A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48928",
"url": "https://www.suse.com/security/cve/CVE-2026-48928"
},
{
"category": "external",
"summary": "SUSE Bug 1268605 for CVE-2026-48928",
"url": "https://bugzilla.suse.com/1268605"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-48928"
},
{
"cve": "CVE-2026-48930",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48930"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48930",
"url": "https://www.suse.com/security/cve/CVE-2026-48930"
},
{
"category": "external",
"summary": "SUSE Bug 1268606 for CVE-2026-48930",
"url": "https://bugzilla.suse.com/1268606"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-48930"
},
{
"cve": "CVE-2026-48931",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48931"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48931",
"url": "https://www.suse.com/security/cve/CVE-2026-48931"
},
{
"category": "external",
"summary": "SUSE Bug 1268611 for CVE-2026-48931",
"url": "https://bugzilla.suse.com/1268611"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2026-48931"
},
{
"cve": "CVE-2026-48933",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48933"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48933",
"url": "https://www.suse.com/security/cve/CVE-2026-48933"
},
{
"category": "external",
"summary": "SUSE Bug 1268592 for CVE-2026-48933",
"url": "https://bugzilla.suse.com/1268592"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-48933"
},
{
"cve": "CVE-2026-48934",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48934"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48934",
"url": "https://www.suse.com/security/cve/CVE-2026-48934"
},
{
"category": "external",
"summary": "SUSE Bug 1268608 for CVE-2026-48934",
"url": "https://bugzilla.suse.com/1268608"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-48934"
},
{
"cve": "CVE-2026-48935",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48935"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48935",
"url": "https://www.suse.com/security/cve/CVE-2026-48935"
},
{
"category": "external",
"summary": "SUSE Bug 1268609 for CVE-2026-48935",
"url": "https://bugzilla.suse.com/1268609"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-48935"
},
{
"cve": "CVE-2026-48937",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48937"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48937",
"url": "https://www.suse.com/security/cve/CVE-2026-48937"
},
{
"category": "external",
"summary": "SUSE Bug 1268555 for CVE-2026-48937",
"url": "https://bugzilla.suse.com/1268555"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-48937"
},
{
"cve": "CVE-2026-6733",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-6733"
}
],
"notes": [
{
"category": "general",
"text": "Impact:\nUndici\u0027s HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.\n\nThis requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.\n\nPatches:\nUpgrade to undici v6.26.0, v7.28.0 or v8.5.0.\n\nWorkarounds:\nDisable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-6733",
"url": "https://www.suse.com/security/cve/CVE-2026-6733"
},
{
"category": "external",
"summary": "SUSE Bug 1268479 for CVE-2026-6733",
"url": "https://bugzilla.suse.com/1268479"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2026-6733"
},
{
"cve": "CVE-2026-9496",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-9496"
}
],
"notes": [
{
"category": "general",
"text": "Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function\u0027s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-9496",
"url": "https://www.suse.com/security/cve/CVE-2026-9496"
},
{
"category": "external",
"summary": "SUSE Bug 1266318 for CVE-2026-9496",
"url": "https://bugzilla.suse.com/1266318"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-9496"
},
{
"cve": "CVE-2026-9678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-9678"
}
],
"notes": [
{
"category": "general",
"text": "Impact:\nUndici\u0027s cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=\" authorization\" or no-cache=\"\\tauthorization\". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.\n\nIn shared-cache mode, this allows a response containing one user\u0027s authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.\n\nAffected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-9678",
"url": "https://www.suse.com/security/cve/CVE-2026-9678"
},
{
"category": "external",
"summary": "SUSE Bug 1268478 for CVE-2026-9678",
"url": "https://bugzilla.suse.com/1268478"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-9678"
},
{
"cve": "CVE-2026-9679",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-9679"
}
],
"notes": [
{
"category": "general",
"text": "Impact:\nundici\u0027s cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 5.4 does not specify any decoding and browsers do not decode either.\n\nApplications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application\u0027s downstream response, enabling session fixation, open redirect, or cache poisoning.\n\nAffected applications are those that use undici\u0027s cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header.\n\nThis was introduced in undici 7.0.0 via PR #3789.\n\nPatches:\nUpgrade to undici v6.26.0, v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-9679",
"url": "https://www.suse.com/security/cve/CVE-2026-9679"
},
{
"category": "external",
"summary": "SUSE Bug 1268477 for CVE-2026-9679",
"url": "https://bugzilla.suse.com/1268477"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-9679"
}
]
}
RHSA-2026:33866
Vulnerability from csaf_redhat - Published: 2026-06-30 22:56 - Updated: 2026-07-09 05:45A flaw was found in brace-expansion. An attacker can exploit a vulnerability in the `expand()` function by providing a specially crafted string. This string, containing consecutive non-expanding brace groups, can trigger exponential-time complexity, leading to significant CPU consumption and event-loop blocking. This can result in a Denial of Service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. A malicious server can exploit the HTTP/2 client by sending an unlimited number of ORIGIN frames. This can lead to an Out of Memory error on the client, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. An inconsistency in how Node.js matches hostnames can be exploited by a remote attacker in multi-context mTLS (mutual Transport Layer Security) setups. This vulnerability allows for a trust-policy bypass, potentially leading to unauthorized access to sensitive information or integrity compromise within the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. This vulnerability in the TLS (Transport Layer Security) hostname handling allows embedded null characters in hostnames. This can lead to silent authority rebinding, potentially enabling an attacker to redirect network traffic to an unintended server and disclose sensitive information.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. An attacker can exploit a vulnerability in the Transport Layer Security (TLS) host verification process to bypass certification validation. This bypass could allow an attacker to intercept or alter communications, potentially leading to information disclosure or integrity compromise.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system.
CWE-279 - Incorrect Execution-Assigned Permissions| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. The Node.js Permission API can allow a local server to be started through a Unix domain socket, even when the `--allow-net` permission is not explicitly granted. This bypasses intended security restrictions, potentially leading to unintended local network exposure or integrity impact.
CWE-648 - Incorrect Use of Privileged APIs| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in js-yaml, a JavaScript YAML parser and dumper. A remote attacker can exploit this vulnerability by providing a specially crafted YAML document that repeatedly uses the same alias in a merge sequence. This can lead to algorithmic CPU exhaustion, causing the Node.js worker or event loop to be blocked for an extended period, resulting in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:33866 | self |
| https://access.redhat.com/security/cve/CVE-2026-13149 | external |
| https://access.redhat.com/security/updates/classi… | external |
| https://images.redhat.com/ | external |
| https://access.redhat.com/security/cve/CVE-2026-53550 | external |
| https://access.redhat.com/security/cve/CVE-2026-48936 | external |
| https://access.redhat.com/security/cve/CVE-2026-48934 | external |
| https://access.redhat.com/security/cve/CVE-2026-48928 | external |
| https://access.redhat.com/security/cve/CVE-2026-48930 | external |
| https://access.redhat.com/security/cve/CVE-2026-48619 | external |
| https://access.redhat.com/security/cve/CVE-2026-48935 | external |
| https://access.redhat.com/security/cve/CVE-2026-59870 | external |
| https://access.redhat.com/security/cve/CVE-2026-59868 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2026-13149 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2494813 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-13149 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-13149 | external |
| https://github.com/juliangruber/brace-expansion/c… | external |
| https://www.npmjs.com/package/brace-expansion | external |
| https://access.redhat.com/security/cve/CVE-2026-48619 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2493325 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-48619 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-48619 | external |
| https://nodejs.org/en/blog/vulnerability/june-202… | external |
| https://access.redhat.com/security/cve/CVE-2026-48928 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2493333 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-48928 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-48928 | external |
| https://access.redhat.com/security/cve/CVE-2026-48930 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2493326 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-48930 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-48930 | external |
| https://github.com/nodejs/node/commit/7dafafa2424… | external |
| https://hackerone.com/reports/3656716 | external |
| https://access.redhat.com/security/cve/CVE-2026-48934 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2493332 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-48934 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-48934 | external |
| https://access.redhat.com/security/cve/CVE-2026-48935 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2493329 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-48935 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-48935 | external |
| https://access.redhat.com/security/cve/CVE-2026-48936 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2493336 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-48936 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-48936 | external |
| https://access.redhat.com/security/cve/CVE-2026-53550 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2491401 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-53550 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-53550 | external |
| https://github.com/nodeca/js-yaml/security/adviso… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nnodejs26:\n * nodejs26-26.4.0-1.3.hum1 (aarch64, x86_64)\n * nodejs26-bin-26.4.0-1.3.hum1 (noarch)\n * nodejs26-devel-26.4.0-1.3.hum1 (aarch64, x86_64)\n * nodejs26-docs-26.4.0-1.3.hum1 (noarch)\n * nodejs26-full-i18n-26.4.0-1.3.hum1 (aarch64, x86_64)\n * nodejs26-libs-26.4.0-1.3.hum1 (aarch64, x86_64)\n * nodejs26-npm-11.17.0-1.26.4.0.1.3.hum1 (noarch)\n * nodejs26-npm-bin-26.4.0-1.3.hum1 (noarch)\n * v8-14.6-devel-14.6.202.34-1.26.4.0.1.3.hum1 (aarch64, x86_64)\n * nodejs26-26.4.0-1.3.hum1.src (src)\n\nSecurity Fix(es):\n\nnodejs26:\n * CVE-2026-13149",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:33866",
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-13149",
"url": "https://access.redhat.com/security/cve/CVE-2026-13149"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-53550",
"url": "https://access.redhat.com/security/cve/CVE-2026-53550"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48936",
"url": "https://access.redhat.com/security/cve/CVE-2026-48936"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48934",
"url": "https://access.redhat.com/security/cve/CVE-2026-48934"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48928",
"url": "https://access.redhat.com/security/cve/CVE-2026-48928"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48930",
"url": "https://access.redhat.com/security/cve/CVE-2026-48930"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48619",
"url": "https://access.redhat.com/security/cve/CVE-2026-48619"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48935",
"url": "https://access.redhat.com/security/cve/CVE-2026-48935"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59870",
"url": "https://access.redhat.com/security/cve/CVE-2026-59870"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59868",
"url": "https://access.redhat.com/security/cve/CVE-2026-59868"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_33866.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs Security Update",
"tracking": {
"current_release_date": "2026-07-09T05:45:56+00:00",
"generator": {
"date": "2026-07-09T05:45:56+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:33866",
"initial_release_date": "2026-06-30T22:56:15+00:00",
"revision_history": [
{
"date": "2026-06-30T22:56:15+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-09T05:11:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-09T05:45:56+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs26-main@aarch64",
"product": {
"name": "nodejs26-main@aarch64",
"product_id": "nodejs26-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs26@26.4.0-1.3.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs26-main@src",
"product": {
"name": "nodejs26-main@src",
"product_id": "nodejs26-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs26@26.4.0-1.3.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs26-main@x86_64",
"product": {
"name": "nodejs26-main@x86_64",
"product_id": "nodejs26-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs26@26.4.0-1.3.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs26-main@noarch",
"product": {
"name": "nodejs26-main@noarch",
"product_id": "nodejs26-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs26-bin@26.4.0-1.3.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs26-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs26-main@aarch64"
},
"product_reference": "nodejs26-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs26-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs26-main@noarch"
},
"product_reference": "nodejs26-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs26-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs26-main@src"
},
"product_reference": "nodejs26-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs26-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs26-main@x86_64"
},
"product_reference": "nodejs26-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-13149",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2026-06-30T10:00:59.843854+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2494813"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in brace-expansion. An attacker can exploit a vulnerability in the `expand()` function by providing a specially crafted string. This string, containing consecutive non-expanding brace groups, can trigger exponential-time complexity, leading to significant CPU consumption and event-loop blocking. This can result in a Denial of Service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "brace-expansion: Brace-expansion: Denial of Service due to exponential-time complexity",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw was found in brace-expansion, a widely-used npm package for expanding brace sequences. The expand() function exhibits exponential-time complexity when processing consecutive non-expanding brace groups. An attacker who can supply crafted input to expand(), directly or transitively via minimatch or glob, can cause significant CPU consumption and event-loop blocking, resulting in denial of service. The max option does not mitigate this issue, as it bounds the output size rather than the recursion work.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-13149"
},
{
"category": "external",
"summary": "RHBZ#2494813",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494813"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-13149",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-13149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-13149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13149"
},
{
"category": "external",
"summary": "https://github.com/juliangruber/brace-expansion/commit/c7e33ec13ac1a684c116720843ce24e208611754",
"url": "https://github.com/juliangruber/brace-expansion/commit/c7e33ec13ac1a684c116720843ce24e208611754"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/brace-expansion",
"url": "https://www.npmjs.com/package/brace-expansion"
}
],
"release_date": "2026-06-30T08:30:34.502000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "There is no practical mitigation for this vulnerability. The brace-expansion package is typically a transitive dependency pulled in via minimatch and glob, making it difficult to isolate. Users should upgrade to a fixed version of brace-expansion when one becomes available.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "brace-expansion: Brace-expansion: Denial of Service due to exponential-time complexity"
},
{
"cve": "CVE-2026-48619",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-26T02:01:06.466413+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493325"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. A malicious server can exploit the HTTP/2 client by sending an unlimited number of ORIGIN frames. This can lead to an Out of Memory error on the client, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate flaw in the Node.js HTTP/2 client can lead to a denial of service. A malicious server could exploit this by sending an excessive number of ORIGIN frames, causing the client to consume all available memory. This affects Red Hat products utilizing Node.js as an HTTP/2 client.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48619"
},
{
"category": "external",
"summary": "RHBZ#2493325",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493325"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48619",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48619"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48619",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48619"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.541000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames"
},
{
"cve": "CVE-2026-48928",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2026-06-26T02:01:48.441706+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An inconsistency in how Node.js matches hostnames can be exploited by a remote attacker in multi-context mTLS (mutual Transport Layer Security) setups. This vulnerability allows for a trust-policy bypass, potentially leading to unauthorized access to sensitive information or integrity compromise within the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48928"
},
{
"category": "external",
"summary": "RHBZ#2493333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48928",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48928"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48928",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48928"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.981000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency"
},
{
"cve": "CVE-2026-48930",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"discovery_date": "2026-06-26T02:01:11.476251+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493326"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. This vulnerability in the TLS (Transport Layer Security) hostname handling allows embedded null characters in hostnames. This can lead to silent authority rebinding, potentially enabling an attacker to redirect network traffic to an unintended server and disclose sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48930"
},
{
"category": "external",
"summary": "RHBZ#2493326",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493326"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48930",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48930"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48930",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48930"
},
{
"category": "external",
"summary": "https://github.com/nodejs/node/commit/7dafafa2424710ded8b77eb7c878e884c1aef64e",
"url": "https://github.com/nodejs/node/commit/7dafafa2424710ded8b77eb7c878e884c1aef64e"
},
{
"category": "external",
"summary": "https://hackerone.com/reports/3656716",
"url": "https://hackerone.com/reports/3656716"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:37.006000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling"
},
{
"cve": "CVE-2026-48934",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2026-06-26T02:01:43.284771+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493332"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An attacker can exploit a vulnerability in the Transport Layer Security (TLS) host verification process to bypass certification validation. This bypass could allow an attacker to intercept or alter communications, potentially leading to information disclosure or integrity compromise.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Certification validation bypass in TLS host verification",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48934"
},
{
"category": "external",
"summary": "RHBZ#2493332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48934",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48934"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48934",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48934"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.894000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Node.js: Certification validation bypass in TLS host verification"
},
{
"cve": "CVE-2026-48935",
"cwe": {
"id": "CWE-279",
"name": "Incorrect Execution-Assigned Permissions"
},
"discovery_date": "2026-06-26T02:01:29.191932+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493329"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Unauthorized file metadata modification",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48935"
},
{
"category": "external",
"summary": "RHBZ#2493329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493329"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48935",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48935"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48935",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48935"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.641000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Node.js: Unauthorized file metadata modification"
},
{
"cve": "CVE-2026-48936",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2026-06-26T02:02:04.921691+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493336"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. The Node.js Permission API can allow a local server to be started through a Unix domain socket, even when the `--allow-net` permission is not explicitly granted. This bypasses intended security restrictions, potentially leading to unintended local network exposure or integrity impact.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Local server can be started without network permission via Permission API flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48936"
},
{
"category": "external",
"summary": "RHBZ#2493336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493336"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48936",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48936"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48936",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48936"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.878000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Node.js: Local server can be started without network permission via Permission API flaw"
},
{
"cve": "CVE-2026-53550",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2026-06-22T16:01:01.300830+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2491401"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in js-yaml, a JavaScript YAML parser and dumper. A remote attacker can exploit this vulnerability by providing a specially crafted YAML document that repeatedly uses the same alias in a merge sequence. This can lead to algorithmic CPU exhaustion, causing the Node.js worker or event loop to be blocked for an extended period, resulting in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "js-yaml: js-yaml: Denial of Service via crafted YAML merge keys",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat rates this flaw as Moderate impact, consistent with the upstream CVEORG assessment. The vulnerability causes CPU exhaustion via quadratic merge-key processing in js-yaml\u0027s YAML parser. In Red Hat products, all confirmed vulnerable code paths run client-side in the browser (OpenShift Console plugins, Kiali frontend, monitoring dashboard editors). A denial of service is limited to freezing the user\u0027s own browser tab when processing crafted YAML input, not server-side resource exhaustion. The user can recover by closing the tab.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-53550"
},
{
"category": "external",
"summary": "RHBZ#2491401",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491401"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-53550",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53550"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-53550",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53550"
},
{
"category": "external",
"summary": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68",
"url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68"
}
],
"release_date": "2026-06-22T14:59:14.906000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-30T22:56:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33866"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "js-yaml: js-yaml: Denial of Service via crafted YAML merge keys"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.