Cross-site Scripting (XSS) Affecting buildah package, versions <1.35.5-150500.3.62.1


Severity

Recommended
high

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
0.19% (9th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-SLES157-BUILDAH-17816546
  • published4 Jul 2026
  • disclosed2 Jul 2026

Introduced: 2 Jul 2026

NewCVE-2026-42506  (opens in a new tab)
CWE-79  (opens in a new tab)

How to fix?

Upgrade SLES:15.7 buildah to version 1.35.5-150500.3.62.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream buildah package and not the buildah package as distributed by SLES. See How to fix? for SLES:15.7 relevant fixed versions and status.

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

CVSS Base Scores

version 3.1