Search Results (1244 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-58259 1 Suse 1 Rancher 2026-04-15 8.2 High
A vulnerability has been identified within Rancher Manager in which it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. This allows a malicious user to exploit this by sending excessively large payloads, which are fully loaded into memory during processing, leading to Denial of Service (DoS).
CVE-2024-58269 1 Suse 1 Rancher 2026-04-15 4.3 Medium
A vulnerability has been identified in Rancher Manager, where sensitive information, including secret data, cluster import URLs, and registration tokens, is exposed to any entity with access to Rancher audit logs.
CVE-2025-54469 1 Suse 1 Neuvector 2026-04-15 9.9 Critical
A vulnerability was identified in NeuVector, where the enforcer used environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to generate a command to be executed via popen, without first sanitising their values. The entry process of the enforcer container is the monitor process. When the enforcer container stops, the monitor process checks whether the consul subprocess has exited. To perform this check, the monitor process uses the popen function to execute a shell command that determines whether the ports used by the consul subprocess are still active. The values of environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT are used directly to compose shell commands via popen without validation or sanitization. This behavior could allow a malicious user to inject malicious commands through these variables within the enforcer container.
CVE-2024-52284 1 Suse 1 Rancher 2026-04-15 7.7 High
Unauthorized disclosure of sensitive data: Any user with `GET` or `LIST` permissions on `BundleDeployment` resources could retrieve Helm values containing credentials or other secrets.
CVE-2025-23387 1 Suse 1 Rancher 2026-04-15 5.3 Medium
A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowed unauthenticated users to list all CLI authentication tokens and delete them before the CLI is able to get the token value.This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3.
CVE-2025-54470 1 Suse 1 Neuvector 2026-04-15 8.6 High
This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server. In affected versions, NeuVector does not enforce TLS certificate verification when transmitting anonymous cluster data to the telemetry server. As a result, the communication channel is susceptible to man-in-the-middle (MITM) attacks, where an attacker could intercept or modify the transmitted data. Additionally, NeuVector loads the response of the telemetry server is loaded into memory without size limitation, which makes it vulnerable to a Denial of Service(DoS) attack
CVE-2025-23389 1 Suse 1 Rancher 2026-04-15 8.4 High
A Improper Access Control vulnerability in SUSE rancher allows a local user to impersonate other identities through SAML Authentication on first login. This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3.
CVE-2025-23391 1 Suse 1 Rancher 2026-04-15 9.1 Critical
A Incorrect Privilege Assignment vulnerability in SUSE rancher allows a Restricted Administrator to change the password of Administrators and take over their accounts. This issue affects rancher: from 2.8.0 before 2.8.14, from 2.9.0 before 2.9.8, from 2.10.0 before 2.10.4.
CVE-2025-46811 1 Suse 1 Manager 2026-04-15 9.8 Critical
A Missing Authorization vulnerability in SUSE Linux Manager allows anyone with the ability to connect to port 443 of SUSE Manager is able to run any command as root on any client. This issue affects Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.27-150600.3.33.1; Image SLES15-SP4-Manager-Server-4-3-BYOS: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: from ? before 4.3.87-150400.3.110.2; SUSE Manager Server Module 4.3: from ? before 4.3.87-150400.3.110.2.
CVE-2024-49504 1 Suse 1 Opensuse Tumbleweed 2026-04-15 8.4 High
grub2 allowed attackers with access to the grub shell to access files on the encrypted disks.
CVE-2024-52281 1 Suse 1 Rancher 2026-04-15 8.9 High
A: Improper Neutralization of Input During Web Page Generation vulnerability in SUSE rancher allows a malicious actor to perform a Stored XSS attack through the cluster description field. This issue affects rancher: from 2.9.0 before 2.9.4.
CVE-2025-8077 2 Neuvector, Suse 2 Neuvector, Neuvector 2026-04-15 9.8 Critical
A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in `admin` account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token can then be used to perform any operation via NeuVector APIs.
CVE-2025-62877 1 Suse 1 Harvester 2026-04-15 9.8 Critical
Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password  if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup.
CVE-2024-58267 2 Rancher, Suse 2 Rancher, Rancher 2026-04-15 8 High
A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to phishing attacks. The custom authentication protocol for SAML-based providers can be abused to steal Rancher’s authentication tokens.
CVE-2025-53883 1 Suse 4 Container Suse Manager 5.0, Manager, Manager Server and 1 more 2026-04-15 N/A
A Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability allows attackers to run arbitrary javascript via a reflected XSS issue in the search fields.This issue affects Container suse/manager/5.0/x86_64/server:latest: from ? before 5.0.28-150600.3.36.8; SUSE Manager Server LTS 4.3: from ? before 4.3.88-150400.3.113.5.
CVE-2025-54467 2 Neuvector, Suse 2 Neuvector, Neuvector 2026-04-15 5.3 Medium
When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation the password will appear in the NeuVector security event log.
CVE-2025-67860 1 Suse 1 Harvester 2026-04-15 3.8 Low
A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users.
CVE-2025-66001 1 Suse 1 Neuvector 2026-04-15 8.8 High
NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks.
CVE-2023-22650 1 Suse 1 Rancher 2026-04-15 8.8 High
A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave the user’s tokens still usable.
CVE-2025-53884 2 Neuvector, Suse 2 Neuvector, Neuvector 2026-04-15 5.3 Medium
NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attack (offline attack where hashes of known passwords are precomputed).