SB2026040631 - SUSE update for Security update 5.0.7 for Multi-Linux Manager Client Tools
Published: April 6, 2026
Description
This security bulletin contains information about 11 security vulnerabilities.
1) Interpretation conflict (CVE-ID: CVE-2025-12816)
The vulnerability allows a remote attacker to bypass downstream cryptographic verification and security decisions.
The vulnerability exists due to incorrect validation of ASN.1 structures within the asn1.validate() function in forge/lib/asn1.js. A remote non-authenticated attacker can use specially crafted ASN.1 structures to desynchronize DER schema validations and bypass downstream cryptographic verification and security decisions.
2) Prototype pollution (CVE-ID: CVE-2025-13465)
The vulnerability allows a remote attacker to alter the application's behavior.
The vulnerability exists due to improper input validation within the _.unset and _.omit functions. A remote attacker can pass specially crafted input to the application and delete methods from global prototypes.
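As an added illustration of the failure class in item 2 (example code, not lodash's implementation and not part of this bulletin), the following compares a naive deep "unset" that follows caller-supplied path segments with a hardened variant that refuses prototype-related keys; `deepUnset`, `safeDeepUnset` and the `makeGreeter` class factory are constructed for the example.

```javascript
// Constructed example: path segments an attacker must never be allowed to traverse.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function splitPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

// Vulnerable pattern: descends through whatever keys the caller supplies, so a
// path like "constructor.prototype.method" lands on the shared class prototype.
function deepUnset(obj, path) {
  const keys = splitPath(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur == null || (typeof cur !== 'object' && typeof cur !== 'function')) return false;
    cur = cur[keys[i]];
  }
  if (cur == null) return false;
  return delete cur[keys[keys.length - 1]];
}

// Hardened pattern: reject prototype-related segments up front and only walk
// the target's own enumerable data, never inherited or function properties.
function safeDeepUnset(obj, path) {
  const keys = splitPath(path);
  if (keys.some((k) => UNSAFE_KEYS.has(k))) {
    throw new TypeError(`refusing to traverse prototype key in path: ${keys.join('.')}`);
  }
  const own = (o, k) => o !== null && typeof o === 'object' && Object.prototype.hasOwnProperty.call(o, k);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!own(cur, keys[i])) return false;
    cur = cur[keys[i]];
  }
  const last = keys[keys.length - 1];
  return own(cur, last) ? delete cur[last] : false;
}

// Fresh class per demo so the vulnerable run cannot contaminate the hardened one.
function makeGreeter() {
  return class Greeter { greet() { return 'hi'; } };
}

function demoVulnerable() {
  const Greeter = makeGreeter();
  deepUnset(new Greeter(), 'constructor.prototype.greet'); // untrusted path
  return typeof new Greeter().greet; // 'undefined': method removed for every instance
}

function demoHardened() {
  const Greeter = makeGreeter();
  let rejected = false;
  try { safeDeepUnset(new Greeter(), 'constructor.prototype.greet'); } catch (e) { rejected = e instanceof TypeError; }
  return { rejected, intact: typeof new Greeter().greet === 'function' };
}
```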
3) Information disclosure (CVE-ID: CVE-2025-3415)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the Grafana Alerting DingDing integration is not properly protected. A remote user can gain unauthorized access to sensitive information on the system.
4) Prototype pollution (CVE-ID: CVE-2025-61140)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
5) Uncontrolled recursion (CVE-ID: CVE-2025-68156)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to uncontrolled recursion within the flatten, min, max, mean, and median functions. A remote attacker can pass specially crafted input to the application and perform a denial of service attack.
6) Code Injection (CVE-ID: CVE-2026-1615)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to unsafe evaluation of user-supplied JSON Path expressions. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
7) Resource management error (CVE-ID: CVE-2026-21720)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when caching avatars from the Gravatar service API. If such a request times out after 3 seconds a Goroutine is left running consuming system resources.
8) Improper privilege management (CVE-ID: CVE-2026-21721)
The vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to improper privilege management when displaying visualization panels. A remote user can view panels they have no access to.
9) Improper access control (CVE-ID: CVE-2026-21722)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because the application does not limit the annotation time range to the locked time range of a public dashboard with annotations enabled. A remote attacker can read the entire history of annotations visible on the specific dashboard, even those outside the locked time range.
10) Inefficient regular expression complexity (CVE-ID: CVE-2026-25547)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with regular expressions. When a remote attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process.
11) Path traversal (CVE-ID: CVE-2026-27606)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences within the Rollup module bundler. A remote attacker can send a specially crafted HTTP request and write arbitrary files on the system, leading to arbitrary code execution.
Remediation
Install the update from the vendor's website.