Main Vulnerability Database SB2026040632

SB2026040632 - SUSE update for Security Beta update 5.2.0 Beta1 for Multi-Linux Manager Client Tools

Published: April 6, 2026

Security Bulletin ID SB2026040632

Severity

High

Patch available

YES

Number of vulnerabilities 11

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2025-3415)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the Grafana Alerting DingDing integration is not properly protected. A remote user can gain unauthorized access to sensitive information on the system.

2) Prototype pollution (CVE-ID: CVE-2025-61140)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.

3) Code injection (CVE-ID: CVE-2025-62348)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the junos module when parsing yaml files. A remote attacker can trick the victim into using a specially crafted yaml file and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

4) Improper authentication (CVE-ID: CVE-2025-62349)

The vulnerability allows a remote user to impersonate other application users.

The vulnerability exists due to incorrect implementation of the authentication process. A remote user can perform authentication downgrade attack and impersonate another minion.

5) Improper Neutralization of HTTP Headers for Scripting Syntax (CVE-ID: CVE-2025-67724)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to a missing validation of the reason phrase in HTTP response. A remote attacker can inject arbitrary values into the HTTP server response and perform XSS attacks.

6) Excessive Iteration (CVE-ID: CVE-2025-67725)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive iteration within the HTTPHeaders.add() method. A remote attacker can send a specially crafted HTTP request and perform a denial of service attack

7) Excessive Iteration (CVE-ID: CVE-2025-67726)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive iteration within the _parseparam() function in httputil.py when parsing specific HTTP header values. A remote attacker can send a specially crafted HTTP request and perform a denial of service attack

8) Code Injection (CVE-ID: CVE-2026-1615)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to unsafe evaluation of user-supplied JSON Path expressions. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

9) Improper access control (CVE-ID: CVE-2026-21722)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the application does not limit their annotation timerange to the locked timerange of the public dashboard with annotations enabled. A remote attacker can read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.

10) Inefficient regular expression complexity (CVE-ID: CVE-2026-25547)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. When a remote attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process.

11) Path traversal (CVE-ID: CVE-2026-27606)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the Rollup module bundler. A remote attacker can send a specially crafted HTTP request and write arbitrary files on the system, leading to arbitrary code execution.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2026/suse-su-20261148-1/

Vulnerable Software

SUSE Multi-Linux Manager Beta Client Tools for SLE Micro: 5
SUSE Multi-Linux Manager Beta Client Tools for SLE: 15
Multi-Linux-ManagerTools-Beta-SLE-Micro-release: before 5-159000.3.3.1
golang-github-prometheus-prometheus: before 3.5.0-159000.4.3.2
firewalld-prometheus-config: before 0.1-159000.4.3.2
prometheus-postgres_exporter-debuginfo: before 0.10.1-159000.2.2.1
golang-github-boynux-squid_exporter-debuginfo: before 1.13.0-159000.2.2.1
venv-salt-minion: before 3006.0-159000.5.3.2
grafana: before 11.6.11-159000.2.3.2
mgrctl: before 5.2.5-159000.2.3.2
golang-github-lusitaniae-apache_exporter-debuginfo: before 1.0.10-159000.2.2.1
golang-github-prometheus-prometheus-debuginfo: before 3.5.0-159000.4.3.2
golang-github-boynux-squid_exporter: before 1.13.0-159000.2.2.1
golang-github-prometheus-node_exporter-debuginfo: before 1.9.1-159000.4.2.1
golang-github-QubitProducts-exporter_exporter: before 0.4.0-159000.2.2.1
golang-github-prometheus-alertmanager: before 0.28.1-159000.12.2.1
golang-github-lusitaniae-apache_exporter: before 1.0.10-159000.2.2.1
golang-github-prometheus-node_exporter: before 1.9.1-159000.4.2.1
prometheus-postgres_exporter: before 0.10.1-159000.2.2.1
python3-uyuni-common-libs: before 5.2.3-159000.2.3.1
grafana-debuginfo: before 11.6.11-159000.2.3.2
mgrctl-debuginfo: before 5.2.5-159000.2.3.2
prometheus-blackbox_exporter: before 0.26.0-159000.2.2.1
golang-github-prometheus-alertmanager-debuginfo: before 0.28.1-159000.12.2.1
dracut-wireless: before 0.1.1595937550.0285244-159000.2.2.1
mgrctl-zsh-completion: before 5.2.5-159000.2.3.2
mgrctl-bash-completion: before 5.2.5-159000.2.3.2
python3-rhnlib: before 5.2.4-159000.4.3.1
python3-mgr-push: before 5.2.3-159000.2.3.1
supportutils-plugin-susemanager-client: before 5.2.2-159000.4.2.1
python3-spacewalk-client-tools: before 5.2.4-159000.4.3.1
supportutils-plugin-salt: before 1.2.3-159000.4.2.1
python3-defusedxml: before 0.7.1-159000.4.2.1
mgrctl-lang: before 5.2.5-159000.2.3.2
spacewalk-client-tools: before 5.2.4-159000.4.3.1
mgr-push: before 5.2.3-159000.2.3.1
spacecmd: before 5.2.6-159000.4.3.1
dracut-saltboot: before 1.1.0-159000.2.2.1

SB2026040632 - SUSE update for Security Beta update 5.2.0 Beta1 for Multi-Linux Manager Client Tools

Breakdown by Severity

Description

Remediation

References

Please verify you're human