Security update for cockpit-repos SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20540-1 Final 1 1 2026-02-18T11:27:28Z current 2026-02-18T11:27:28Z 2026-02-18T11:27:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cockpit-repos This update for cockpit-repos fixes the following issues: Update to version 4.7. Security issues fixed: - CVE-2025-13465: prototype pollution in the _.unset and _.omit functions can lead to deletion of methods from global (bsc#1257325). - CVE-2025-64718: js-yaml prototype pollution in merge (bsc#1255425). Other updates and bugfixes: - version update to 4.7 * Translation updates - version update to 4.6: * Translation updates * Dependency updates * Fix translations pot file not being update - version update to 4.5: * Dependency updates - version update to 4.4: * Translation updates * Dependency updates The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SL-Micro-6.2-296 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620540-1/ Link for SUSE-SU-2026:20540-1 https://lists.suse.com/pipermail/sle-security-updates/2026-March/024597.html E-Mail link for SUSE-SU-2026:20540-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1255425 SUSE Bug 1255425 https://bugzilla.suse.com/1257325 SUSE Bug 1257325 https://www.suse.com/security/cve/CVE-2025-13465/ SUSE CVE CVE-2025-13465 page https://www.suse.com/security/cve/CVE-2025-64718/ SUSE CVE CVE-2025-64718 page SUSE Linux Micro 6.2 cockpit-repos-4.7-160000.1.1 cockpit-repos-4.7-160000.1.1 as a component of SUSE Linux Micro 6.2 Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23 CVE-2025-13465 SUSE Linux Micro 6.2:cockpit-repos-4.7-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620540-1/ https://www.suse.com/security/cve/CVE-2025-13465.html CVE-2025-13465 https://bugzilla.suse.com/1257321 SUSE Bug 1257321 js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default). CVE-2025-64718 SUSE Linux Micro 6.2:cockpit-repos-4.7-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620540-1/ https://www.suse.com/security/cve/CVE-2025-64718.html CVE-2025-64718 https://bugzilla.suse.com/1255407 SUSE Bug 1255407