SUSE Package Hub - SUSE-PackageHub-16.0-901

Update Info

SUSE-PackageHub-16.0-901

Security update for agama-web-ui

Type: security

Severity: moderate

Issued: 2026-06-08

Description:

This update for agama-web-ui fixes the following issues

- CVE-2025-7339: on-headers: incorrect array handling may lead to HTTP response header manipulation (bsc#1246678).
- CVE-2026-9277: shell-quote: improper escaping of newlines in object .op values by quote() can lead to shell command
  injection (bsc#1266256).
- CVE-2026-42041: axios: authentication bypass via validateStatus prototype pollution gadget due to suppression of HTTP
  error (bsc#1264160).
- CVE-2026-42264: axios: prototype pollution read-side gadgets in HTTP adapter can lead to credential injection and
  request h (bsc#1264802).

Changes for agama-web-ui:

- Update other dependencies reported by "npm audit".

References

CVE: CVE-2026-9277
CVE: CVE-2026-42264
CVE: CVE-2026-42041
CVE: CVE-2025-7339
Bugzilla: 1266256 VUL-0: CVE-2026-9277: agama-web-ui: shell-quote: improper escaping of newlines in object .op values by quote() can lead to shell command injection
Bugzilla: 1264802 VUL-0: CVE-2026-42264: agama-web-ui: axios: prototype pollution read-side gadgets in HTTP adapter can lead to credential injection and request h
Bugzilla: 1264160 VUL-0: CVE-2026-42041: agama-web-ui: axios: authentication bypass via validateStatus prototype pollution gadget due to suppression of HTTP error
Bugzilla: 1246678 VUL-0: CVE-2025-7339: agama-web-ui: on-headers: incorrect array handling may lead to HTTP response header manipulation

Packages

agama-web-ui-17+612.d8bf69336-160000.11.1