Two important security updates have been released for openSUSE, one for Chromium and another for cockpit-repos. The Chromium update fixes three vulnerabilities (CVE-2026-2648, CVE-2026-2649, and CVE-2026-2650) in version 145.0.7632.109 and has a single bug fix. The cockpit-repos update addresses two vulnerabilities (CVE-2025-13465 and CVE-2025-64718) by updating the package to version 4.7, which includes several bug fixes and translation updates.

openSUSE-SU-2026:20258-1: important: Security update for chromium
openSUSE-SU-2026:20251-1: important: Security update for cockpit-repos

openSUSE-SU-2026:20258-1: important: Security update for chromium

openSUSE security update: security update for chromium
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20258-1
Rating: important
References:

* bsc#1258438

Cross-References:

* CVE-2026-2648
* CVE-2026-2649
* CVE-2026-2650

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 3 vulnerabilities and has one bug fix can now be installed.

Description:

This update for chromium fixes the following issues:

Changes in chromium:

- Chromium 145.0.7632.109 (boo#1258438):
* CVE-2026-2648: Heap buffer overflow in PDFium
* CVE-2026-2649: Integer overflow in V8
* CVE-2026-2650: Heap buffer overflow in Media

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-136=1

Package List:

- openSUSE Leap 16.0:

chromedriver-145.0.7632.109-bp160.1.1
chromium-145.0.7632.109-bp160.1.1

References:

* https://www.suse.com/security/cve/CVE-2026-2648.html
* https://www.suse.com/security/cve/CVE-2026-2649.html
* https://www.suse.com/security/cve/CVE-2026-2650.html

openSUSE-SU-2026:20251-1: important: Security update for cockpit-repos

openSUSE security update: security update for cockpit-repos
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20251-1
Rating: important
References:

* bsc#1255425
* bsc#1257325

Cross-References:

* CVE-2025-13465
* CVE-2025-64718

CVSS scores:

* CVE-2025-13465 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
* CVE-2025-13465 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
* CVE-2025-64718 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
* CVE-2025-64718 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.

Description:

This update for cockpit-repos fixes the following issues:

Update to version 4.7.

Security issues fixed:

- CVE-2025-13465: prototype pollution in the _.unset and _.omit functions can lead to deletion of methods from global
(bsc#1257325).
- CVE-2025-64718: js-yaml prototype pollution in merge (bsc#1255425).

Other updates and bugfixes:

- version update to 4.7

* Translation updates

- version update to 4.6:

* Translation updates
* Dependency updates
* Fix translations pot file not being update

- version update to 4.5:

* Dependency updates

- version update to 4.4:

* Translation updates
* Dependency updates

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-296=1

Package List:

- openSUSE Leap 16.0:

cockpit-repos-4.7-160000.1.1

References:

* https://www.suse.com/security/cve/CVE-2025-13465.html
* https://www.suse.com/security/cve/CVE-2025-64718.html