Vulnerabilities (CVE)

Filtered by vendor Opensuse Subscribe
Filtered by product Leap
Total 1920 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-4346 2 Opensuse, Php 3 Leap, Opensuse, Php 2026-06-17 7.5 HIGH 9.8 CRITICAL
Integer overflow in the str_pad function in ext/standard/string.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long string, leading to a heap-based buffer overflow.
CVE-2016-4342 2 Opensuse, Php 2 Leap, Php 2026-06-17 8.3 HIGH 8.8 HIGH
ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 mishandles zero-length uncompressed data, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive.
CVE-2016-4303 4 Debian, Es, Novell and 1 more 5 Debian Linux, Iperf3, Suse Package Hub For Suse Linux Enterprise and 2 more 2026-06-17 7.5 HIGH 9.8 CRITICAL
The parse_string function in cjson.c in the cJSON library mishandles UTF8/16 strings, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a non-hex character in a JSON string, which triggers a heap-based buffer overflow.
CVE-2016-4069 2 Opensuse, Roundcube 2 Leap, Webmail 2026-06-17 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.
CVE-2016-4068 2 Opensuse, Roundcube 4 Leap, Opensuse, Roundcube Webmail and 1 more 2026-06-17 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.
CVE-2016-4049 2 Opensuse, Quagga 3 Leap, Opensuse, Quagga 2026-06-17 5.0 MEDIUM 7.5 HIGH
The bgp_dump_routes_func function in bgpd/bgp_dump.c in Quagga does not perform size checks when dumping data, which might allow remote attackers to cause a denial of service (assertion failure and daemon crash) via a large BGP packet.
CVE-2016-4036 1 Opensuse 2 Leap, Opensuse 2026-06-17 2.1 LOW 5.5 MEDIUM
The quagga package before 0.99.23-2.6.1 in openSUSE and SUSE Linux Enterprise Server 11 SP 1 uses weak permissions for /etc/quagga, which allows local users to obtain sensitive information by reading files in the directory.
CVE-2016-4007 1 Opensuse 2 Leap, Opensuse 2026-06-17 10.0 HIGH 9.8 CRITICAL
Multiple unspecified vulnerabilities in the obs-service-extract_file package before 0.3-5.1 in openSUSE Leap 42.1 and before 0.3-3.1 in openSUSE 13.2 allow attackers to execute arbitrary commands via a service definition, related to executing unzip with "illegal options."
CVE-2016-3992 3 Cronic Project, Debian, Opensuse 4 Cronic, Debian Linux, Leap and 1 more 2026-06-17 4.9 MEDIUM 6.2 MEDIUM
cronic before 3 allows local users to write to arbitrary files via a symlink attack on a (1) cronic.out.$$, (2) cronic.err.$$, or (3) cronic.trace.$$ file in /tmp.
CVE-2016-3982 4 Canonical, Debian, Opensuse and 1 more 5 Ubuntu Linux, Debian Linux, Leap and 2 more 2026-06-17 6.8 MEDIUM 8.8 HIGH
Off-by-one error in the bmp_rle4_fread function in pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (out-of-bounds read or write access and crash) or possibly execute arbitrary code via a crafted image file, which triggers a heap-based buffer overflow.
CVE-2016-3959 3 Fedoraproject, Golang, Opensuse 3 Fedora, Go, Leap 2026-06-17 5.0 MEDIUM 7.5 HIGH
The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries.
CVE-2016-3718 6 Canonical, Imagemagick, Opensuse and 3 more 30 Ubuntu Linux, Imagemagick, Leap and 27 more 2026-06-17 4.3 MEDIUM 5.5 MEDIUM
The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image.
CVE-2016-3715 6 Canonical, Imagemagick, Opensuse and 3 more 30 Ubuntu Linux, Imagemagick, Leap and 27 more 2026-06-17 5.8 MEDIUM 5.5 MEDIUM
The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image.
CVE-2016-3714 5 Canonical, Debian, Imagemagick and 2 more 6 Ubuntu Linux, Debian Linux, Imagemagick and 3 more 2026-06-17 10.0 HIGH 8.4 HIGH
The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."
CVE-2016-3705 5 Canonical, Debian, Hp and 2 more 6 Ubuntu Linux, Debian Linux, Icewall Federation Agent and 3 more 2026-06-17 5.0 MEDIUM 7.5 HIGH
The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references.
CVE-2016-3630 5 Debian, Fedoraproject, Mercurial and 2 more 7 Debian Linux, Fedora, Mercurial and 4 more 2026-06-17 6.8 MEDIUM 8.8 HIGH
The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.
CVE-2016-3627 7 Canonical, Debian, Hp and 4 more 14 Ubuntu Linux, Debian Linux, Icewall Federation Agent and 11 more 2026-06-17 5.0 MEDIUM 7.5 HIGH
The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document.
CVE-2016-3427 8 Apache, Canonical, Debian and 5 more 38 Cassandra, Ubuntu Linux, Debian Linux and 35 more 2026-06-17 10.0 HIGH 9.8 CRITICAL
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.
CVE-2016-3119 2 Mit, Opensuse 3 Kerberos 5, Leap, Opensuse 2026-06-17 3.5 LOW 5.3 MEDIUM
The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) through 1.13.4 and 1.14.x through 1.14.1 mishandles the DB argument, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal.
CVE-2016-3100 2 Kde, Opensuse 3 Kde Frameworks, Leap, Opensuse 2026-06-17 2.1 LOW 8.4 HIGH
kinit in KDE Frameworks before 5.23.0 uses weak permissions (644) for /tmp/xauth-xxx-_y, which allows local users to obtain X11 cookies of other users and consequently capture keystrokes and possibly gain privileges by reading the file.