
Three security updates are available for openSUSE: one for python-Django, one for chromium, and one for localsearch. The python-Django update fixes six vulnerabilities and has six bug fixes, and affects openSUSE Leap 16.0. The chromium update fixes two vulnerabilities and has one bug fix, and also affects openSUSE Leap 16.0. The localsearch update addresses four vulnerabilities and applies to openSUSE Tumbleweed.

openSUSE-SU-2026:20184-1: important: Security update for python-Django
openSUSE-SU-2026:20183-1: important: Security update for chromium
openSUSE-SU-2026:10162-1: moderate: localsearch-3.10.2-2.1 on GA media




openSUSE-SU-2026:20184-1: important: Security update for python-Django


openSUSE security update: security update for python-django
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20184-1
Rating: important
References:

* bsc#1257401
* bsc#1257403
* bsc#1257405
* bsc#1257406
* bsc#1257407
* bsc#1257408

Cross-References:

* CVE-2025-13473
* CVE-2025-14550
* CVE-2026-1207
* CVE-2026-1285
* CVE-2026-1287
* CVE-2026-1312

CVSS scores:

* CVE-2025-13473 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2025-14550 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-1207 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-1285 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-1287 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-1312 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 6 vulnerabilities and has 6 bug fixes can now be installed.

Description:

This update for python-Django fixes the following issues:

Changes in python-Django:

- CVE-2026-1312: Fixed potential SQL injection via QuerySet.order_by and FilteredRelation (bsc#1257408).
- CVE-2026-1287: Fixed potential SQL injection in column aliases via control characters (bsc#1257407).
- CVE-2026-1207: Fixed potential SQL injection via raster lookups on PostGIS (bsc#1257405).
- CVE-2026-1285: Fixed potential denial-of-service in django.utils.text.Truncator HTML methods (bsc#1257406).
- CVE-2025-13473: Fixed username enumeration through timing difference in mod_wsgi authentication handler (bsc#1257401).
- CVE-2025-14550: Fixed potential denial-of-service via repeated headers when using ASGI (bsc#1257403).

Patch instructions:

To install this openSUSE security update, use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-113=1

Package List:

- openSUSE Leap 16.0:

python313-Django-5.2.4-bp160.5.1

References:

* https://www.suse.com/security/cve/CVE-2025-13473.html
* https://www.suse.com/security/cve/CVE-2025-14550.html
* https://www.suse.com/security/cve/CVE-2026-1207.html
* https://www.suse.com/security/cve/CVE-2026-1285.html
* https://www.suse.com/security/cve/CVE-2026-1287.html
* https://www.suse.com/security/cve/CVE-2026-1312.html



openSUSE-SU-2026:20183-1: important: Security update for chromium


openSUSE security update: security update for chromium
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20183-1
Rating: important
References:

* bsc#1257650

Cross-References:

* CVE-2026-1861
* CVE-2026-1862

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 2 vulnerabilities and has one bug fix can now be installed.

Description:

This update for chromium fixes the following issues:

Changes in chromium:

- Chromium 144.0.7559.132 (boo#1257650)
  * CVE-2026-1861: Heap buffer overflow in libvpx in Google Chrome
    prior to 144.0.7559.132 allowed a remote attacker to potentially
    exploit heap corruption via a crafted HTML page.
  * CVE-2026-1862: Type Confusion in V8 in Google Chrome prior to
    144.0.7559.132 allowed a remote attacker to potentially exploit
    heap corruption via a crafted HTML page.

Patch instructions:

To install this openSUSE security update, use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-112=1

Package List:

- openSUSE Leap 16.0:

chromedriver-144.0.7559.132-bp160.1.1
chromium-144.0.7559.132-bp160.1.1

References:

* https://www.suse.com/security/cve/CVE-2026-1861.html
* https://www.suse.com/security/cve/CVE-2026-1862.html



openSUSE-SU-2026:10162-1: moderate: localsearch-3.10.2-2.1 on GA media


# localsearch-3.10.2-2.1 on GA media

Announcement ID: openSUSE-SU-2026:10162-1
Rating: moderate

Cross-References:

* CVE-2026-1764
* CVE-2026-1765
* CVE-2026-1766
* CVE-2026-1767

CVSS scores:

* CVE-2026-1764 ( SUSE ): 5.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H
* CVE-2026-1764 ( SUSE ): 5.2 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-1765 ( SUSE ): 5.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H
* CVE-2026-1766 ( SUSE ): 5.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H
* CVE-2026-1767 ( SUSE ): 5.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H

Affected Products:

* openSUSE Tumbleweed

An update that solves 4 vulnerabilities can now be installed.

## Description:

These are all security issues fixed in the localsearch-3.10.2-2.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * localsearch 3.10.2-2.1
  * localsearch-lang 3.10.2-2.1
## References:

* https://www.suse.com/security/cve/CVE-2026-1764.html
* https://www.suse.com/security/cve/CVE-2026-1765.html
* https://www.suse.com/security/cve/CVE-2026-1766.html
* https://www.suse.com/security/cve/CVE-2026-1767.html