CVE-2026-25707 HIGH

CVE-2026-25707: Handcrafted repo metadata may cause arbitrary local files to be overwritten by libzypp

Vendor Suse

Product libzypp

Weakness CWE-23

Published June 29, 2026

Last update June 29, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A relative path traversal bug problem when processing repository metadata in libzypp before 17.38.10 could be used by remote attackers supplying repositories to overwrite files on the system, leading to denial of service or privilege escalation.

Key dates

02Disclosure timeline

June 29, 2026 CVE published

June 29, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-25707 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/23.html

Related vulnerabilities

CVE-2026-25707: Handcrafted repo metadata may cause arbitrary local files to be overwritten by libzypp

01Description

02Disclosure timeline

03References

04Related CVE