Alpine: multiple qt6-qtwebengine packages: security update to 6.9.3-r2

Critical: Tenable Cloud Security, Plugin ID 436238

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Insufficient validation of untrusted input in Core in Google Chrome prior to 139.0.7258.66 allowed a
remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security
severity: Low) (CVE-2025-8582)

- Joplin is a free, open source note taking and to-do application, which can handle a large number of notes
organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer
handles comments and how the browser handles comments. This affects both the Rich Text Editor and the
Markdown viewer. However, unlike the Rich Text Editor, the Markdown viewer is `cross-origin isolated`,
which prevents JavaScript from directly accessing functions/variables in the toplevel Joplin `window`.
This issue is not present in Joplin 3.1.24 and may have been introduced in `9b50539`. This is an XSS
vulnerability that impacts users that open untrusted notes in the Rich Text Editor. This vulnerability has
been addressed in version 3.2.12 and all users are advised to upgrade. There are no known workarounds for
this vulnerability. (CVE-2025-24028)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-24028

https://security.alpinelinux.org/vuln/CVE-2025-8582

Plugin Details

Severity: Critical

ID: 436238

Version: Revision 1.4

Type: Local

Published: 12/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.11

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-24028

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/7/2025

Reference Information

CVE: CVE-2025-24028, CVE-2025-8582