Sorry, my previous test was wrong. I've verified the vulnerability on a current tumbleweed installation.