CVE-2026-25707

HIGH

Handcrafted repo metadata may cause arbitrary local files to be overwritten by libzypp

Title source: cna
STIX 2.1

Description

A relative path traversal bug problem when processing repository metadata in libzypp before 17.38.10 could be used by remote attackers supplying repositories to overwrite files on the system, leading to denial of service or privilege escalation.

Scores

CVSS v3 8.8
EPSS 0.0060
EPSS Percentile 44.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-23
Status published
Products (2)
opensuse/libzypp < 17.38.10
SUSE/libzypp < 17.38.10
Published Jun 29, 2026
Tracked Since Jun 29, 2026