diff --git a/CVE-2025-68480.patch b/CVE-2025-68480.patch
new file mode 100644
index 0000000..3315ff9
--- /dev/null
+++ b/CVE-2025-68480.patch
@@ -0,0 +1,106 @@
+From 0356a3f1c307830f8ded56d823abca5611c594c9 Mon Sep 17 00:00:00 2001
+From: Jared Deckard
+Date: Thu, 18 Dec 2025 23:57:28 -0600
+Subject: [PATCH 1/4] Merge error store messages without rebuilding collections
+
+---
+ src/marshmallow/error_store.py | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+Index: marshmallow-3.20.2/src/marshmallow/error_store.py
+===================================================================
+--- marshmallow-3.20.2.orig/src/marshmallow/error_store.py
++++ marshmallow-3.20.2/src/marshmallow/error_store.py
+@@ -18,12 +18,19 @@ class ErrorStore:
+ # field error -> store/merge error messages under field name key
+ # schema error -> if string or list, store/merge under _schema key
+ # -> if dict, store/merge with other top-level keys
++ messages = copy_containers(messages)
+ if field_name != SCHEMA or not isinstance(messages, dict):
+ messages = {field_name: messages}
+ if index is not None:
+ messages = {index: messages}
+ self.errors = merge_errors(self.errors, messages)
+ 
++def copy_containers(errors):
++ if isinstance(errors, list):
++ return [copy_containers(val) for val in errors]
++ if isinstance(errors, dict):
++ return {key: copy_containers(val) for key, val in errors.items()}
++ return errors
+ 
+ def merge_errors(errors1, errors2):
+ """Deeply merge two error messages.
+@@ -37,24 +44,26 @@ def merge_errors(errors1, errors2):
+ return errors1
+ if isinstance(errors1, list):
+ if isinstance(errors2, list):
+- return errors1 + errors2
++ errors1.extend(errors2)
++ return errors1
+ if isinstance(errors2, dict):
+- return dict(errors2, **{SCHEMA: merge_errors(errors1, errors2.get(SCHEMA))})
+- return errors1 + [errors2]
++ errors2[SCHEMA] = merge_errors(errors1, errors2.get(SCHEMA))
++ return errors2
++ errors1.append(errors2)
++ return errors1
+ if isinstance(errors1, dict):
+- if isinstance(errors2, list):
+- return dict(errors1, **{SCHEMA: merge_errors(errors1.get(SCHEMA), errors2)})
+ if isinstance(errors2, dict):
+- errors = dict(errors1)
+ for key, val in errors2.items():
+- if key in errors:
+- errors[key] = merge_errors(errors[key], val)
++ if key in errors1:
++ errors1[key] = merge_errors(errors1[key], val)
+ else:
+- errors[key] = val
+- return errors
++ errors1[key] = val
++ return errors1
++ errors1[SCHEMA] = merge_errors(errors1.get(SCHEMA), errors2)
++ return errors1
+ if isinstance(errors2, list):
+- return [errors1] + errors2
++ return [errors1, *errors2]
+ if isinstance(errors2, dict):
+- return dict(errors2, **{SCHEMA: merge_errors(errors1, errors2.get(SCHEMA))})
++ errors2[SCHEMA] = merge_errors(errors1, errors2.get(SCHEMA))
++ return errors2
+ return [errors1, errors2]
+Index: marshmallow-3.20.2/tests/test_error_store.py
+===================================================================
+--- marshmallow-3.20.2.orig/tests/test_error_store.py
++++ marshmallow-3.20.2/tests/test_error_store.py
+@@ -1,7 +1,7 @@
+ from collections import namedtuple
+ 
+ from marshmallow import missing
+-from marshmallow.error_store import merge_errors
++from marshmallow.error_store import merge_errors, ErrorStore
+ 
+ 
+ def test_missing_is_falsy():
+@@ -141,3 +141,19 @@ class TestMergeErrors:
+ assert {"field1": {"field2": ["error1", "error2"]}} == 
merge_errors(
+ {"field1": {"field2": "error1"}}, {"field1": {"field2": "error2"}}
+ )
++
++ def test_list_not_changed(self):
++ store = ErrorStore()
++ message = ["foo"]
++ store.store_error(message)
++ store.store_error(message)
++ assert message == ["foo"]
++ assert store.errors == {"_schema": ["foo", "foo"]}
++
++ def test_dict_not_changed(self):
++ store = ErrorStore()
++ message = {"foo": ["bar"]}
++ store.store_error(message)
++ store.store_error(message)
++ assert message == {"foo": ["bar"]}
++ assert store.errors == {"foo": ["bar", "bar"]}
diff --git a/python-marshmallow.changes b/python-marshmallow.changes
index 27e3f1f..c81b26e 100644
--- a/python-marshmallow.changes
+++ b/python-marshmallow.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Jan 9 15:08:39 UTC 2026 - Nico Krapp
+
+- Add CVE-2025-68480.patch to fix CVE-2025-68480 (bsc#1255473)
+
 -------------------------------------------------------------------
 Sun Oct 27 22:54:09 UTC 2024 - Stefan BrĂ¼ns
diff --git a/python-marshmallow.spec b/python-marshmallow.spec
index 11e4510..06a8d43 100644
--- a/python-marshmallow.spec
+++ b/python-marshmallow.spec
@@ -27,6 +27,8 @@ URL: https://marshmallow.readthedocs.io/
 Source: https://files.pythonhosted.org/packages/source/m/marshmallow/marshmallow-%{version}.tar.gz
 # https://github.com/humitos/sphinx-version-warning/issues/22
 Patch0: python-marshmallow-no-version-warning.patch
+# PATCH-FIX-UPSTREAM CVE-2025-68480.patch bsc#1255473
+Patch1: CVE-2025-68480.patch
 BuildRequires: %{python_module autodocsumm}
 BuildRequires: %{python_module base >= 3.8}
 BuildRequires: %{python_module pip}
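Review bot: `merge_errors` now mutates and returns its own arguments (`errors1.extend(errors2)`, `errors1[key] = ...`, `errors2[SCHEMA] = ...`) instead of building fresh containers, yet its docstring still opens only with `"""Deeply merge two error messages.` and the function is imported directly by the test module, so a direct caller has no warning that its inputs are aliased; add a sentence such as `Both arguments may be modified in place and one of them is returned; pass copies (see copy_containers) if the inputs must be preserved.` The new `copy_containers` call in `ErrorStore.store_error` is what shields store callers, as the two added tests check, but nothing protects code calling `merge_errors` itself. The Subject line reads `[PATCH 1/4]`, so three parts of the upstream series are not carried in this package; confirm they are not required for the complete CVE-2025-68480 fix. As rendered here the `@@ -37,24 +44,26 @@` hunk shows 23 old-side lines against the header's 24 (the `return dict(errors1, **{SCHEMA: ...})` removal appears once where the original has it twice), which may be a display artifact but is worth verifying against the committed file so the patch applies cleanly. The rest of `merge_errors` and its docstring continue outside the hunk.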
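Review bot: `Patch1: CVE-2025-68480.patch` is declared, but the `%prep` section is outside the hunk; if the spec applies patches with `%setup` and an explicit `%patch0` line rather than `%autosetup -p1`, a matching `%patch -P 1 -p1` (or `%patch1 -p1`) line is needed or the fix is never applied. The patch's `Index:` paths carry a `marshmallow-3.20.2/` prefix, so `-p1` is the strip level to use.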