SUSE SLES15 Security Update : nodejs22 (SUSE-SU-2026:2695-1)

high Nessus Plugin ID 324854

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2695-1 advisory.

- CVE-2026-48618: tls: normalize hostname for server identity checks (bsc#1268593).
- CVE-2026-48933: crypto: guard WebCrypto cipher output length (bsc#1268592).
- CVE-2026-48615: lib,test: redact proxy credentials in tunnel errors (bsc#1268598).
- CVE-2026-48619: http2: cap originSet size to prevent unbounded memory growth (bsc#1268618).
- CVE-2026-48928: tls: fix case-sensitive SNI context matching (bsc#1268605).
- CVE-2026-48930: dns,net: reject hostnames with embedded NUL bytes (bsc#1268606).
- CVE-2026-48934: tls: bind reusable sessions to authenticated host (bsc#1268608).
- CVE-2026-48617: permission: handle process.chdir on writereport (bsc#1268554).
- CVE-2026-48931: http: fix response queue poisoning in http.Agent (bsc#1268611).
- CVE-2026-48935: permission: disable FileHandle utimes with permission model (bsc#1268609).
- CVE-2026-48937: http2: servers keep accepting data even after sending a `GOAWAY` frame (bsc#1268555).
- CVE-2026-12151: undici: Denial of Service due to unbounded memory growth via WebSocket frames (bsc#1268482).
- CVE-2026-6733: undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery (bsc#1268479).
- CVE-2026-9679: undici: vulnerable to HTTP header injection via Set-Cookie percent-decoding (bsc#1268477).
- CVE-2026-11525: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (bsc#1268481).
- CVE-2026-27135: nghttp2: assertion failure due to missing state validation can lead to DoS (bsc#1259853).
- CVE-2026-40170: ngtcp2: qlog parameters_set stack buffer overflow (bsc#1262274).
- CVE-2026-9496: pacote: excessive CPU consumption in `addGitSha` when processing a specially crafted `spec.rawSpec` (bsc#1266318).
- CVE-2026-42338: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (bsc#1268097).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected nodejs22, nodejs22-devel, nodejs22-docs and / or npm22 packages.

See Also

https://bugzilla.suse.com/1259853

https://bugzilla.suse.com/1262274

https://bugzilla.suse.com/1266318

https://bugzilla.suse.com/1268097

https://bugzilla.suse.com/1268477

https://bugzilla.suse.com/1268479

https://bugzilla.suse.com/1268481

https://bugzilla.suse.com/1268482

https://bugzilla.suse.com/1268554

https://bugzilla.suse.com/1268555

https://bugzilla.suse.com/1268592

https://bugzilla.suse.com/1268593

https://bugzilla.suse.com/1268598

https://bugzilla.suse.com/1268605

https://bugzilla.suse.com/1268606

https://bugzilla.suse.com/1268608

https://bugzilla.suse.com/1268609

https://bugzilla.suse.com/1268611

https://bugzilla.suse.com/1268618

https://lists.suse.com/pipermail/sle-updates/2026-June/047737.html

https://www.suse.com/security/cve/CVE-2026-11525

https://www.suse.com/security/cve/CVE-2026-12151

https://www.suse.com/security/cve/CVE-2026-27135

https://www.suse.com/security/cve/CVE-2026-40170

https://www.suse.com/security/cve/CVE-2026-42338

https://www.suse.com/security/cve/CVE-2026-48615

https://www.suse.com/security/cve/CVE-2026-48617

https://www.suse.com/security/cve/CVE-2026-48618

https://www.suse.com/security/cve/CVE-2026-48619

https://www.suse.com/security/cve/CVE-2026-48928

https://www.suse.com/security/cve/CVE-2026-48930

https://www.suse.com/security/cve/CVE-2026-48931

https://www.suse.com/security/cve/CVE-2026-48933

https://www.suse.com/security/cve/CVE-2026-48934

https://www.suse.com/security/cve/CVE-2026-48935

https://www.suse.com/security/cve/CVE-2026-48937

https://www.suse.com/security/cve/CVE-2026-6733

https://www.suse.com/security/cve/CVE-2026-9496

https://www.suse.com/security/cve/CVE-2026-9679

Plugin Details

Severity: High

ID: 324854

File Name: suse_SU-2026-2695-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 7/2/2026

Updated: 7/2/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.92

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-48930

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 7.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-9496

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:nodejs22-docs, p-cpe:/a:novell:suse_linux:nodejs22, p-cpe:/a:novell:suse_linux:nodejs22-devel, p-cpe:/a:novell:suse_linux:npm22, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/30/2026

Vulnerability Publication Date: 3/18/2026

Reference Information

CVE: CVE-2026-11525, CVE-2026-12151, CVE-2026-27135, CVE-2026-40170, CVE-2026-42338, CVE-2026-48615, CVE-2026-48617, CVE-2026-48618, CVE-2026-48619, CVE-2026-48928, CVE-2026-48930, CVE-2026-48931, CVE-2026-48933, CVE-2026-48934, CVE-2026-48935, CVE-2026-48937, CVE-2026-6733, CVE-2026-9496, CVE-2026-9679

SuSE: SUSE-SU-2026:2695-1