CVE-2026-28295: information disclosure when processing untrusted PASV responses from FTP servers (bsc#1258953).
CVE-2026-28296: arbitrary FTP command injection due to unsanitized CRLF sequences in user-supplied file paths (bsc#1258954).
Affected Packages
gvfs
SUSE Linux Enterprise Module for Desktop Applications 15 SP7
SUSE Linux Enterprise Server 15 SP6-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP6
openSUSE Leap 15.6
Fixed in:
1.52.2-150600.3.3.1
gvfs-backend-afc
SUSE Linux Enterprise Module for Desktop Applications 15 SP7
SUSE Linux Enterprise Server 15 SP6-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP6
openSUSE Leap 15.6
Fixed in:
1.52.2-150600.3.3.1
gvfs-backend-samba
SUSE Linux Enterprise Module for Desktop Applications 15 SP7
SUSE Linux Enterprise Server 15 SP6-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP6
openSUSE Leap 15.6
Fixed in:
1.52.2-150600.3.3.1
gvfs-backends
SUSE Linux Enterprise Module for Desktop Applications 15 SP7
SUSE Linux Enterprise Server 15 SP6-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP6
openSUSE Leap 15.6
Fixed in:
1.52.2-150600.3.3.1
gvfs-devel
SUSE Linux Enterprise Module for Desktop Applications 15 SP7
SUSE Linux Enterprise Server 15 SP6-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP6
openSUSE Leap 15.6
Fixed in:
1.52.2-150600.3.3.1
gvfs-fuse
SUSE Linux Enterprise Module for Desktop Applications 15 SP7
SUSE Linux Enterprise Server 15 SP6-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP6
openSUSE Leap 15.6
Fixed in:
1.52.2-150600.3.3.1
gvfs-lang
SUSE Linux Enterprise Module for Desktop Applications 15 SP7
SUSE Linux Enterprise Server 15 SP6-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP6
openSUSE Leap 15.6