Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-9277 (GCVE-0-2026-9277)
Vulnerability from cvelistv5 – Published: 2026-05-22 13:22 – Updated: 2026-07-17 12:04| Vendor | Product | Version | |
|---|---|---|---|
| shell-quote |
Affected:
1.1.0 , < 1.8.4
(semver)
|
||
| Red Hat | Cryostat 4 on RHEL 9 |
Unaffected:
4.2.0-10 , < *
(rpm)
cpe:/a:redhat:cryostat:4::el9 |
|
| Red Hat | Cluster Observability Operator 1.5.0 |
Unaffected:
1782840519 , < *
(rpm)
cpe:/a:redhat:cluster_observability_operator:1.5::el9 |
|
| Red Hat | Cluster Observability Operator 1.5.0 |
Unaffected:
1782839981 , < *
(rpm)
cpe:/a:redhat:cluster_observability_operator:1.5::el9 |
|
| Red Hat | Cluster Observability Operator 1.5.0 |
Unaffected:
1782839193 , < *
(rpm)
cpe:/a:redhat:cluster_observability_operator:1.5::el9 |
|
| Red Hat | Cluster Observability Operator 1.5.0 |
Unaffected:
1782838753 , < *
(rpm)
cpe:/a:redhat:cluster_observability_operator:1.5::el9 |
|
| Red Hat | Cluster Observability Operator 1.5.0 |
Unaffected:
1782839279 , < *
(rpm)
cpe:/a:redhat:cluster_observability_operator:1.5::el9 |
|
| Red Hat | Cluster Observability Operator 1.5.0 |
Unaffected:
1782840539 , < *
(rpm)
cpe:/a:redhat:cluster_observability_operator:1.5::el9 |
|
| Red Hat | Cluster Observability Operator 1.5.0 |
Unaffected:
1782841925 , < *
(rpm)
cpe:/a:redhat:cluster_observability_operator:1.5::el9 |
|
| Red Hat | Cluster Observability Operator 1.5.0 |
Unaffected:
1782844225 , < *
(rpm)
cpe:/a:redhat:cluster_observability_operator:1.5::el9 |
|
| Red Hat | Cluster Observability Operator 1.5.0 |
Unaffected:
1782839658 , < *
(rpm)
cpe:/a:redhat:cluster_observability_operator:1.5::el9 |
|
| Red Hat | Cluster Observability Operator 1.5.0 |
Unaffected:
1782838476 , < *
(rpm)
cpe:/a:redhat:cluster_observability_operator:1.5::el9 |
|
| Red Hat | Cluster Observability Operator 1.5.0 |
Unaffected:
1782839996 , < *
(rpm)
cpe:/a:redhat:cluster_observability_operator:1.5::el9 |
|
| Red Hat | Cluster Observability Operator 1.5.0 |
Unaffected:
1782839494 , < *
(rpm)
cpe:/a:redhat:cluster_observability_operator:1.5::el9 |
|
| Red Hat | Red Hat Developer Hub 1.10 |
Unaffected:
1783448184 , < *
(rpm)
cpe:/a:redhat:rhdh:1.10::el9 |
|
| Red Hat | Red Hat Developer Hub 1.9 |
Unaffected:
1781187342 , < *
(rpm)
Unaffected: 1782761244 , < * (rpm) cpe:/a:redhat:rhdh:1.9::el9 |
|
| Red Hat | Red Hat Discovery 2 |
Unaffected:
1782166952 , < *
(rpm)
cpe:/a:redhat:discovery:2::el9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4.20 |
Unaffected:
1782911711 , < *
(rpm)
cpe:/a:redhat:openshift:4.20::el9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4.21 |
Unaffected:
1782308675 , < *
(rpm)
cpe:/a:redhat:openshift:4.21::el9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4.22 |
Unaffected:
1782224390 , < *
(rpm)
cpe:/a:redhat:openshift:4.22::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 2.6 |
Unaffected:
1780907585 , < *
(rpm)
cpe:/a:redhat:service_mesh:2.6::el8 |
|
| Red Hat | Red Hat OpenShift Service Mesh 2.6 |
Unaffected:
1780916536 , < *
(rpm)
cpe:/a:redhat:service_mesh:2.6::el8 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3 |
Unaffected:
1780470245 , < *
(rpm)
cpe:/a:redhat:service_mesh:3.0::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3 |
Unaffected:
1780916345 , < *
(rpm)
cpe:/a:redhat:service_mesh:3.0::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.1 |
Unaffected:
1780470706 , < *
(rpm)
cpe:/a:redhat:service_mesh:3.1::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.1 |
Unaffected:
1780916478 , < *
(rpm)
cpe:/a:redhat:service_mesh:3.1::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.2 |
Unaffected:
1780470003 , < *
(rpm)
cpe:/a:redhat:service_mesh:3.2::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.2 |
Unaffected:
1780916392 , < *
(rpm)
cpe:/a:redhat:service_mesh:3.2::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.3 |
Unaffected:
1780997382 , < *
(rpm)
cpe:/a:redhat:service_mesh:3.3::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.3 |
Unaffected:
1780997438 , < *
(rpm)
cpe:/a:redhat:service_mesh:3.3::el9 |
|
| Red Hat | Red Hat Quay 3.10 |
Unaffected:
1782487717 , < *
(rpm)
cpe:/a:redhat:quay:3.10::el8 |
|
| Red Hat | Red Hat Quay 3.12 |
Unaffected:
1781937357 , < *
(rpm)
cpe:/a:redhat:quay:3.12::el8 |
|
| Red Hat | Red Hat Quay 3.16 |
Unaffected:
1783955846 , < *
(rpm)
cpe:/a:redhat:quay:3.16::el9 |
|
| Red Hat | Red Hat Quay 3.9 |
Unaffected:
1781878070 , < *
(rpm)
cpe:/a:redhat:quay:3.9::el8 |
|
| Red Hat | Red Hat Satellite 6.18 |
Unaffected:
1781032495 , < *
(rpm)
cpe:/a:redhat:satellite:6.18::el9 |
|
| Red Hat | Cryostat 4 |
cpe:/a:redhat:cryostat:4 |
|
| Red Hat | Gatekeeper 3 |
cpe:/a:redhat:gatekeeper:3 |
|
| Red Hat | Migration Toolkit for Containers |
cpe:/a:redhat:rhmt:1 |
|
| Red Hat | Node HealthCheck Operator |
cpe:/a:redhat:workload_availability_nhc:0 |
|
| Red Hat | OpenShift Lightspeed |
cpe:/a:redhat:openshift_lightspeed |
|
| Red Hat | OpenShift Pipelines |
cpe:/a:redhat:openshift_pipelines:1 |
|
| Red Hat | OpenShift Service Mesh 3 |
cpe:/a:redhat:service_mesh:3 |
|
| Red Hat | Red Hat AMQ Broker 7 |
cpe:/a:redhat:amq_broker:7 |
|
| Red Hat | Red Hat Ansible Automation Platform 2 |
cpe:/a:redhat:ansible_automation_platform:2 |
|
| Red Hat | Red Hat build of Apache Camel - HawtIO 4 |
cpe:/a:redhat:apache_camel_hawtio:4 |
|
| Red Hat | Red Hat Build of Podman Desktop |
cpe:/a:redhat:podman_desktop:1 |
|
| Red Hat | Red Hat Build of Podman Desktop - Tech Preview |
cpe:/a:redhat:podman_desktop:0 |
|
| Red Hat | Red Hat Data Grid 8 |
cpe:/a:redhat:jboss_data_grid:8 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat Enterprise Linux AI (RHEL AI) 3 |
cpe:/a:redhat:enterprise_linux_ai:3 |
|
| Red Hat | Red Hat Fuse 7 |
cpe:/a:redhat:jboss_fuse:7 |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
|
| Red Hat | Red Hat OpenShift Virtualization 4 |
cpe:/a:redhat:container_native_virtualization:4 |
|
| Red Hat | Red Hat Trusted Artifact Signer |
cpe:/a:redhat:trusted_artifact_signer:1 |
|
| Red Hat | Self-service automation portal 2 |
cpe:/a:redhat:ansible_portal:2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9277",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T14:17:31.964845Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T14:17:39.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-23T03:04:40.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/23/2"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cryostat:4::el9"
],
"defaultStatus": "affected",
"packageName": "cryostat/cryostat-openshift-console-plugin-rhel9",
"product": "Cryostat 4 on RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "4.2.0-10",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cluster_observability_operator:1.5::el9"
],
"defaultStatus": "affected",
"packageName": "cluster-observability-operator/distributed-tracing-console-plugin-pf4-rhel9",
"product": "Cluster Observability Operator 1.5.0",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782840519",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cluster_observability_operator:1.5::el9"
],
"defaultStatus": "affected",
"packageName": "cluster-observability-operator/distributed-tracing-console-plugin-pf5-rhel9",
"product": "Cluster Observability Operator 1.5.0",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782839981",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cluster_observability_operator:1.5::el9"
],
"defaultStatus": "affected",
"packageName": "cluster-observability-operator/distributed-tracing-console-plugin-pf6-rhel9",
"product": "Cluster Observability Operator 1.5.0",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782839193",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cluster_observability_operator:1.5::el9"
],
"defaultStatus": "affected",
"packageName": "cluster-observability-operator/distributed-tracing-console-plugin-rhel9",
"product": "Cluster Observability Operator 1.5.0",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782838753",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cluster_observability_operator:1.5::el9"
],
"defaultStatus": "affected",
"packageName": "cluster-observability-operator/logging-console-plugin-pf4-rhel9",
"product": "Cluster Observability Operator 1.5.0",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782839279",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cluster_observability_operator:1.5::el9"
],
"defaultStatus": "affected",
"packageName": "cluster-observability-operator/logging-console-plugin-pf5-rhel9",
"product": "Cluster Observability Operator 1.5.0",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782840539",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cluster_observability_operator:1.5::el9"
],
"defaultStatus": "affected",
"packageName": "cluster-observability-operator/logging-console-plugin-rhel9",
"product": "Cluster Observability Operator 1.5.0",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782841925",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cluster_observability_operator:1.5::el9"
],
"defaultStatus": "affected",
"packageName": "cluster-observability-operator/monitoring-console-plugin-pf5-rhel9",
"product": "Cluster Observability Operator 1.5.0",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782844225",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cluster_observability_operator:1.5::el9"
],
"defaultStatus": "affected",
"packageName": "cluster-observability-operator/monitoring-console-plugin-pf6-rhel9",
"product": "Cluster Observability Operator 1.5.0",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782839658",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cluster_observability_operator:1.5::el9"
],
"defaultStatus": "affected",
"packageName": "cluster-observability-operator/monitoring-console-plugin-rhel9",
"product": "Cluster Observability Operator 1.5.0",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782838476",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cluster_observability_operator:1.5::el9"
],
"defaultStatus": "affected",
"packageName": "cluster-observability-operator/troubleshooting-panel-console-plugin-pf6-rhel9",
"product": "Cluster Observability Operator 1.5.0",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782839996",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cluster_observability_operator:1.5::el9"
],
"defaultStatus": "affected",
"packageName": "cluster-observability-operator/troubleshooting-panel-console-plugin-rhel9",
"product": "Cluster Observability Operator 1.5.0",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782839494",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:rhdh:1.10::el9"
],
"defaultStatus": "affected",
"packageName": "rhdh/rhdh-hub-rhel9",
"product": "Red Hat Developer Hub 1.10",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1783448184",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:rhdh:1.9::el9"
],
"defaultStatus": "affected",
"packageName": "rhdh/rhdh-hub-rhel9",
"product": "Red Hat Developer Hub 1.9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1781187342",
"versionType": "rpm"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "1782761244",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"packageName": "discovery/discovery-ui-rhel9",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782166952",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift:4.20::el9"
],
"defaultStatus": "affected",
"packageName": "openshift4/ose-console-rhel9",
"product": "Red Hat OpenShift Container Platform 4.20",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782911711",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift:4.21::el9"
],
"defaultStatus": "affected",
"packageName": "openshift4/ose-console-rhel9",
"product": "Red Hat OpenShift Container Platform 4.21",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782308675",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift:4.22::el9"
],
"defaultStatus": "affected",
"packageName": "openshift4/ose-console-rhel9",
"product": "Red Hat OpenShift Container Platform 4.22",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782224390",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:service_mesh:2.6::el8"
],
"defaultStatus": "affected",
"packageName": "openshift-service-mesh/kiali-ossmc-rhel8",
"product": "Red Hat OpenShift Service Mesh 2.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1780907585",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:service_mesh:2.6::el8"
],
"defaultStatus": "affected",
"packageName": "openshift-service-mesh/kiali-rhel8",
"product": "Red Hat OpenShift Service Mesh 2.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1780916536",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:service_mesh:3.0::el9"
],
"defaultStatus": "affected",
"packageName": "openshift-service-mesh/kiali-ossmc-rhel9",
"product": "Red Hat OpenShift Service Mesh 3",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1780470245",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:service_mesh:3.0::el9"
],
"defaultStatus": "affected",
"packageName": "openshift-service-mesh/kiali-rhel9",
"product": "Red Hat OpenShift Service Mesh 3",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1780916345",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:service_mesh:3.1::el9"
],
"defaultStatus": "affected",
"packageName": "openshift-service-mesh/kiali-ossmc-rhel9",
"product": "Red Hat OpenShift Service Mesh 3.1",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1780470706",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:service_mesh:3.1::el9"
],
"defaultStatus": "affected",
"packageName": "openshift-service-mesh/kiali-rhel9",
"product": "Red Hat OpenShift Service Mesh 3.1",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1780916478",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:service_mesh:3.2::el9"
],
"defaultStatus": "affected",
"packageName": "openshift-service-mesh/kiali-ossmc-rhel9",
"product": "Red Hat OpenShift Service Mesh 3.2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1780470003",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:service_mesh:3.2::el9"
],
"defaultStatus": "affected",
"packageName": "openshift-service-mesh/kiali-rhel9",
"product": "Red Hat OpenShift Service Mesh 3.2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1780916392",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:service_mesh:3.3::el9"
],
"defaultStatus": "affected",
"packageName": "openshift-service-mesh/kiali-ossmc-rhel9",
"product": "Red Hat OpenShift Service Mesh 3.3",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1780997382",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:service_mesh:3.3::el9"
],
"defaultStatus": "affected",
"packageName": "openshift-service-mesh/kiali-rhel9",
"product": "Red Hat OpenShift Service Mesh 3.3",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1780997438",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:quay:3.10::el8"
],
"defaultStatus": "affected",
"packageName": "quay/quay-rhel8",
"product": "Red Hat Quay 3.10",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782487717",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:quay:3.12::el8"
],
"defaultStatus": "affected",
"packageName": "quay/quay-rhel8",
"product": "Red Hat Quay 3.12",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1781937357",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:quay:3.16::el9"
],
"defaultStatus": "affected",
"packageName": "quay/quay-rhel9",
"product": "Red Hat Quay 3.16",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1783955846",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:quay:3.9::el8"
],
"defaultStatus": "affected",
"packageName": "quay/quay-rhel8",
"product": "Red Hat Quay 3.9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1781878070",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:satellite:6.18::el9"
],
"defaultStatus": "affected",
"packageName": "satellite/iop-vulnerability-frontend-rhel9",
"product": "Red Hat Satellite 6.18",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1781032495",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:cryostat:4"
],
"defaultStatus": "unaffected",
"packageName": "shell-quote",
"product": "Cryostat 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:gatekeeper:3"
],
"defaultStatus": "unaffected",
"packageName": "gatekeeper/gatekeeper-rhel9",
"product": "Gatekeeper 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhmt:1"
],
"defaultStatus": "affected",
"packageName": "rhmtc/openshift-migration-ui-rhel8",
"product": "Migration Toolkit for Containers",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:workload_availability_nhc:0"
],
"defaultStatus": "unaffected",
"packageName": "workload-availability/node-healthcheck-must-gather-rhel9",
"product": "Node HealthCheck Operator",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:workload_availability_nhc:0"
],
"defaultStatus": "unaffected",
"packageName": "workload-availability/node-healthcheck-operator-bundle",
"product": "Node HealthCheck Operator",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:workload_availability_nhc:0"
],
"defaultStatus": "unaffected",
"packageName": "workload-availability/node-healthcheck-rhel9-operator",
"product": "Node HealthCheck Operator",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"packageName": "openshift-lightspeed/lightspeed-console-plugin-419-rhel9",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"packageName": "openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"packageName": "openshift-lightspeed/lightspeed-console-plugin-rhel9",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "unaffected",
"packageName": "openshift-pipelines/pipelines-console-plugin-rhel8",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "unaffected",
"packageName": "openshift-pipelines/pipelines-console-plugin-rhel9",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "affected",
"packageName": "openshift-pipelines/pipelines-hub-ui-rhel8",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "affected",
"packageName": "openshift-pipelines/pipelines-hub-ui-rhel9",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:service_mesh:3"
],
"defaultStatus": "unaffected",
"packageName": "openshift-service-mesh/kiali-operator-bundle",
"product": "OpenShift Service Mesh 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:service_mesh:3"
],
"defaultStatus": "unaffected",
"packageName": "openshift-service-mesh/kiali-rhel9-operator",
"product": "OpenShift Service Mesh 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:amq_broker:7"
],
"defaultStatus": "unaffected",
"packageName": "shell-quote",
"product": "Red Hat AMQ Broker 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "affected",
"packageName": "ansible-automation-platform-24/lightspeed-rhel8",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "affected",
"packageName": "ansible-automation-platform-25/lightspeed-rhel8",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unaffected",
"packageName": "ansible-automation-platform-26/gateway-rhel9",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "affected",
"packageName": "ansible-automation-platform-26/lightspeed-rhel9",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unaffected",
"packageName": "automation-eda-controller",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unaffected",
"packageName": "automation-gateway",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unaffected",
"packageName": "automation-platform-ui",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:apache_camel_hawtio:4"
],
"defaultStatus": "unaffected",
"packageName": "shell-quote",
"product": "Red Hat build of Apache Camel - HawtIO 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:podman_desktop:1"
],
"defaultStatus": "affected",
"packageName": "rh-podman-desktop.git",
"product": "Red Hat Build of Podman Desktop",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:podman_desktop:0"
],
"defaultStatus": "affected",
"packageName": "rhdesktop/rh-podman-desktop-ext-bootc-rhel10",
"product": "Red Hat Build of Podman Desktop - Tech Preview",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:8"
],
"defaultStatus": "unaffected",
"packageName": "shell-quote",
"product": "Red Hat Data Grid 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "goose",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "grafana",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "pcs",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "goose",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "grafana",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "pcs",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-cuda-rhel9",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-gaudi-rhel9",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-rocm-rhel9",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"packageName": "rhelai3/disk-image-cuda-rhel9",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
],
"defaultStatus": "affected",
"packageName": "shell-quote",
"product": "Red Hat Fuse 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"packageName": "rhoai/odh-dashboard-rhel8",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"packageName": "rhoai/odh-mlflow-rhel9",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"packageName": "rhoai/odh-mod-arch-automl-rhel9",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"packageName": "rhoai/odh-mod-arch-autorag-rhel9",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"packageName": "rhoai/odh-mod-arch-eval-hub-rhel9",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"packageName": "rhoai/odh-mod-arch-maas-rhel9",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"packageName": "rhoai/odh-mod-arch-mlflow-rhel9",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"packageName": "rhoai/odh-mod-arch-model-registry-rhel9",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift4/ose-agent-installer-ui-rhel9",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift4/ose-console",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:container_native_virtualization:4"
],
"defaultStatus": "affected",
"packageName": "container-native-virtualization/kubevirt-console-plugin-rhel9",
"product": "Red Hat OpenShift Virtualization 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:trusted_artifact_signer:1"
],
"defaultStatus": "unaffected",
"packageName": "rhtas/rekor-search-ui-rhel9",
"product": "Red Hat Trusted Artifact Signer",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_portal:2"
],
"defaultStatus": "affected",
"packageName": "ansible-automation-platform/automation-portal",
"product": "Self-service automation portal 2",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-22T13:22:38.873Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T12:04:47.826Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-9277"
},
{
"name": "RHBZ#2480741",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480741"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9277.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28010"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34342"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33574"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29197"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34791"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29834"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29795"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26072"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26077"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26079"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26090"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26080"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33683"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30076"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28571"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26225"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:28010: Cryostat 4 on RHEL 9"
},
{
"lang": "en",
"value": "RHSA-2026:34342: Cluster Observability Operator 1.5.0"
},
{
"lang": "en",
"value": "RHSA-2026:36754: Red Hat Developer Hub 1.10"
},
{
"lang": "en",
"value": "RHSA-2026:33574: Red Hat Developer Hub 1.9"
},
{
"lang": "en",
"value": "RHSA-2026:26234: Red Hat Developer Hub 1.9"
},
{
"lang": "en",
"value": "RHSA-2026:29197: Red Hat Discovery 2"
},
{
"lang": "en",
"value": "RHSA-2026:34791: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:29834: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:29795: Red Hat OpenShift Container Platform 4.22"
},
{
"lang": "en",
"value": "RHSA-2026:26072: Red Hat OpenShift Service Mesh 2.6"
},
{
"lang": "en",
"value": "RHSA-2026:26077: Red Hat OpenShift Service Mesh 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:26079: Red Hat OpenShift Service Mesh 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:26090: Red Hat OpenShift Service Mesh 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:26080: Red Hat OpenShift Service Mesh 3"
},
{
"lang": "en",
"value": "RHSA-2026:33683: Red Hat Quay 3.10"
},
{
"lang": "en",
"value": "RHSA-2026:30076: Red Hat Quay 3.12"
},
{
"lang": "en",
"value": "RHSA-2026:41066: Red Hat Quay 3.16"
},
{
"lang": "en",
"value": "RHSA-2026:28571: Red Hat Quay 3.9"
},
{
"lang": "en",
"value": "RHSA-2026:26225: Red Hat Satellite 6.18"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-22T14:01:14.427Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-22T13:22:38.873Z",
"value": "Made public."
}
],
"title": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.npmjs.com/package/shell-quote",
"defaultStatus": "unaffected",
"packageName": "shell-quote",
"product": "shell-quote",
"programFiles": [
"quote.js"
],
"repo": "https://github.com/ljharb/shell-quote",
"versions": [
{
"lessThan": "1.8.4",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Akshat Sinha (@akshatgit)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jordan Harband (@ljharb)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eshell-quote\u0027s `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\\n, \\r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: \u0027...\\n...\u0027 }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser\u0027s control-operator allowlist; `{ op: \u0027glob\u0027, pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.\u003c/p\u003e"
}
],
"value": "shell-quote\u0027s `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\\n, \\r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: \u0027...\\n...\u0027 }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser\u0027s control-operator allowlist; `{ op: \u0027glob\u0027, pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T13:22:38.873Z",
"orgId": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
"shortName": "harborist"
},
"references": [
{
"name": "GHSA-w7jw-789q-3m8p",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"
},
{
"name": "Fix commit",
"tags": [
"patch"
],
"url": "https://github.com/ljharb/shell-quote/commit/1518179"
},
{
"tags": [
"product"
],
"url": "https://github.com/ljharb/shell-quote"
},
{
"tags": [
"product"
],
"url": "https://www.npmjs.com/package/shell-quote"
}
],
"source": {
"advisory": "GHSA-w7jw-789q-3m8p",
"discovery": "EXTERNAL"
},
"title": "shell-quote `quote()` does not validate object-token shapes, allowing command injection via line terminators in `.op`"
}
},
"cveMetadata": {
"assignerOrgId": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
"assignerShortName": "harborist",
"cveId": "CVE-2026-9277",
"datePublished": "2026-05-22T13:22:38.873Z",
"dateReserved": "2026-05-22T12:13:25.893Z",
"dateUpdated": "2026-07-17T12:04:47.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-9277",
"date": "2026-07-19",
"epss": "0.00848",
"percentile": "0.54011"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-9277\",\"sourceIdentifier\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\",\"published\":\"2026-05-22T14:16:30.330\",\"lastModified\":\"2026-07-17T13:19:01.943\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"shell-quote\u0027s `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\\\\n, \\\\r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: \u0027...\\\\n...\u0027 }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser\u0027s control-operator allowlist; `{ op: \u0027glob\u0027, pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.\"}],\"affected\":[{\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\",\"affectedData\":[{\"product\":\"shell-quote\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://www.npmjs.com/package/shell-quote\",\"packageName\":\"shell-quote\",\"programFiles\":[\"quote.js\"],\"repo\":\"https://github.com/ljharb/shell-quote\",\"versions\":[{\"version\":\"1.1.0\",\"lessThan\":\"1.8.4\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Cryostat 4 on RHEL 9\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"cryostat/cryostat-openshift-console-plugin-rhel9\",\"cpes\":[\"cpe:/a:redhat:cryostat:4::el9\"],\"versions\":[{\"version\":\"4.2.0-10\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Cluster Observability Operator 1.5.0\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"cluster-observability-operator/distributed-tracing-console-plugin-pf4-rhel9\",\"cpes\":[\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"],\"versions\":[{\"version\":\"1782840519\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Cluster Observability Operator 1.5.0\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"cluster-observability-operator/distributed-tracing-console-plugin-pf5-rhel9\",\"cpes\":[\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"],\"versions\":[{\"version\":\"1782839981\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Cluster Observability Operator 1.5.0\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"cluster-observability-operator/distributed-tracing-console-plugin-pf6-rhel9\",\"cpes\":[\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"],\"versions\":[{\"version\":\"1782839193\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Cluster Observability Operator 1.5.0\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"cluster-observability-operator/distributed-tracing-console-plugin-rhel9\",\"cpes\":[\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"],\"versions\":[{\"version\":\"1782838753\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Cluster Observability Operator 1.5.0\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"cluster-observability-operator/logging-console-plugin-pf4-rhel9\",\"cpes\":[\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"],\"versions\":[{\"version\":\"1782839279\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Cluster Observability Operator 1.5.0\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"cluster-observability-operator/logging-console-plugin-pf5-rhel9\",\"cpes\":[\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"],\"versions\":[{\"version\":\"1782840539\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Cluster Observability Operator 1.5.0\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"cluster-observability-operator/logging-console-plugin-rhel9\",\"cpes\":[\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"],\"versions\":[{\"version\":\"1782841925\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Cluster Observability Operator 1.5.0\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"cluster-observability-operator/monitoring-console-plugin-pf5-rhel9\",\"cpes\":[\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"],\"versions\":[{\"version\":\"1782844225\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Cluster Observability Operator 1.5.0\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"cluster-observability-operator/monitoring-console-plugin-pf6-rhel9\",\"cpes\":[\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"],\"versions\":[{\"version\":\"1782839658\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Cluster Observability Operator 1.5.0\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"cluster-observability-operator/monitoring-console-plugin-rhel9\",\"cpes\":[\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"],\"versions\":[{\"version\":\"1782838476\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Cluster Observability Operator 1.5.0\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"cluster-observability-operator/troubleshooting-panel-console-plugin-pf6-rhel9\",\"cpes\":[\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"],\"versions\":[{\"version\":\"1782839996\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Cluster Observability Operator 1.5.0\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"cluster-observability-operator/troubleshooting-panel-console-plugin-rhel9\",\"cpes\":[\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"],\"versions\":[{\"version\":\"1782839494\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Developer Hub 1.10\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"rhdh/rhdh-hub-rhel9\",\"cpes\":[\"cpe:/a:redhat:rhdh:1.10::el9\"],\"versions\":[{\"version\":\"1783448184\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Developer Hub 1.9\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"rhdh/rhdh-hub-rhel9\",\"cpes\":[\"cpe:/a:redhat:rhdh:1.9::el9\"],\"versions\":[{\"version\":\"1781187342\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"},{\"version\":\"1782761244\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Discovery 2\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"discovery/discovery-ui-rhel9\",\"cpes\":[\"cpe:/a:redhat:discovery:2::el9\"],\"versions\":[{\"version\":\"1782166952\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4.20\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"openshift4/ose-console-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift:4.20::el9\"],\"versions\":[{\"version\":\"1782911711\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4.21\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"openshift4/ose-console-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift:4.21::el9\"],\"versions\":[{\"version\":\"1782308675\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4.22\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"openshift4/ose-console-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift:4.22::el9\"],\"versions\":[{\"version\":\"1782224390\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 2.6\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"openshift-service-mesh/kiali-ossmc-rhel8\",\"cpes\":[\"cpe:/a:redhat:service_mesh:2.6::el8\"],\"versions\":[{\"version\":\"1780907585\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 2.6\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"openshift-service-mesh/kiali-rhel8\",\"cpes\":[\"cpe:/a:redhat:service_mesh:2.6::el8\"],\"versions\":[{\"version\":\"1780916536\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"openshift-service-mesh/kiali-ossmc-rhel9\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.0::el9\"],\"versions\":[{\"version\":\"1780470245\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"openshift-service-mesh/kiali-rhel9\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.0::el9\"],\"versions\":[{\"version\":\"1780916345\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.1\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"openshift-service-mesh/kiali-ossmc-rhel9\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.1::el9\"],\"versions\":[{\"version\":\"1780470706\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.1\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"openshift-service-mesh/kiali-rhel9\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.1::el9\"],\"versions\":[{\"version\":\"1780916478\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.2\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"openshift-service-mesh/kiali-ossmc-rhel9\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.2::el9\"],\"versions\":[{\"version\":\"1780470003\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.2\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"openshift-service-mesh/kiali-rhel9\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.2::el9\"],\"versions\":[{\"version\":\"1780916392\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.3\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"openshift-service-mesh/kiali-ossmc-rhel9\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.3::el9\"],\"versions\":[{\"version\":\"1780997382\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.3\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"openshift-service-mesh/kiali-rhel9\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.3::el9\"],\"versions\":[{\"version\":\"1780997438\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.10\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"quay/quay-rhel8\",\"cpes\":[\"cpe:/a:redhat:quay:3.10::el8\"],\"versions\":[{\"version\":\"1782487717\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.12\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"quay/quay-rhel8\",\"cpes\":[\"cpe:/a:redhat:quay:3.12::el8\"],\"versions\":[{\"version\":\"1781937357\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.16\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"quay/quay-rhel9\",\"cpes\":[\"cpe:/a:redhat:quay:3.16::el9\"],\"versions\":[{\"version\":\"1783955846\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Quay 3.9\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"quay/quay-rhel8\",\"cpes\":[\"cpe:/a:redhat:quay:3.9::el8\"],\"versions\":[{\"version\":\"1781878070\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Satellite 6.18\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://catalog.redhat.com/software/containers/\",\"packageName\":\"satellite/iop-vulnerability-frontend-rhel9\",\"cpes\":[\"cpe:/a:redhat:satellite:6.18::el9\"],\"versions\":[{\"version\":\"1781032495\",\"lessThan\":\"*\",\"versionType\":\"rpm\",\"status\":\"unaffected\"}]},{\"vendor\":\"Red Hat\",\"product\":\"Cryostat 4\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"shell-quote\",\"cpes\":[\"cpe:/a:redhat:cryostat:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Gatekeeper 3\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"gatekeeper/gatekeeper-rhel9\",\"cpes\":[\"cpe:/a:redhat:gatekeeper:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Migration Toolkit for Containers\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhmtc/openshift-migration-ui-rhel8\",\"cpes\":[\"cpe:/a:redhat:rhmt:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Node HealthCheck Operator\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"workload-availability/node-healthcheck-must-gather-rhel9\",\"cpes\":[\"cpe:/a:redhat:workload_availability_nhc:0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Node HealthCheck Operator\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"workload-availability/node-healthcheck-operator-bundle\",\"cpes\":[\"cpe:/a:redhat:workload_availability_nhc:0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Node HealthCheck Operator\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"workload-availability/node-healthcheck-rhel9-operator\",\"cpes\":[\"cpe:/a:redhat:workload_availability_nhc:0\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Lightspeed\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-lightspeed/lightspeed-console-plugin-419-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_lightspeed\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Lightspeed\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_lightspeed\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Lightspeed\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-lightspeed/lightspeed-console-plugin-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_lightspeed\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Pipelines\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-pipelines/pipelines-console-plugin-rhel8\",\"cpes\":[\"cpe:/a:redhat:openshift_pipelines:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Pipelines\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-pipelines/pipelines-console-plugin-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_pipelines:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Pipelines\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-pipelines/pipelines-hub-ui-rhel8\",\"cpes\":[\"cpe:/a:redhat:openshift_pipelines:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Pipelines\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-pipelines/pipelines-hub-ui-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_pipelines:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Service Mesh 3\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-service-mesh/kiali-operator-bundle\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Service Mesh 3\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-service-mesh/kiali-rhel9-operator\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat AMQ Broker 7\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"shell-quote\",\"cpes\":[\"cpe:/a:redhat:amq_broker:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ansible Automation Platform 2\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"ansible-automation-platform-24/lightspeed-rhel8\",\"cpes\":[\"cpe:/a:redhat:ansible_automation_platform:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ansible Automation Platform 2\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"ansible-automation-platform-25/lightspeed-rhel8\",\"cpes\":[\"cpe:/a:redhat:ansible_automation_platform:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ansible Automation Platform 2\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"ansible-automation-platform-26/gateway-rhel9\",\"cpes\":[\"cpe:/a:redhat:ansible_automation_platform:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ansible Automation Platform 2\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"ansible-automation-platform-26/lightspeed-rhel9\",\"cpes\":[\"cpe:/a:redhat:ansible_automation_platform:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ansible Automation Platform 2\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"automation-eda-controller\",\"cpes\":[\"cpe:/a:redhat:ansible_automation_platform:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ansible Automation Platform 2\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"automation-gateway\",\"cpes\":[\"cpe:/a:redhat:ansible_automation_platform:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ansible Automation Platform 2\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"automation-platform-ui\",\"cpes\":[\"cpe:/a:redhat:ansible_automation_platform:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat build of Apache Camel - HawtIO 4\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"shell-quote\",\"cpes\":[\"cpe:/a:redhat:apache_camel_hawtio:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Build of Podman Desktop\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rh-podman-desktop.git\",\"cpes\":[\"cpe:/a:redhat:podman_desktop:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Build of Podman Desktop - Tech Preview\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhdesktop/rh-podman-desktop-ext-bootc-rhel10\",\"cpes\":[\"cpe:/a:redhat:podman_desktop:0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Data Grid 8\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"shell-quote\",\"cpes\":[\"cpe:/a:redhat:jboss_data_grid:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 10\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"goose\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 8\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"grafana\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 8\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"pcs\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 9\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"goose\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 9\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"grafana\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 9\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"pcs\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AI (RHEL AI) 3\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhelai3/bootc-cuda-rhel9\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux_ai:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AI (RHEL AI) 3\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhelai3/bootc-gaudi-rhel9\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux_ai:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AI (RHEL AI) 3\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhelai3/bootc-rocm-rhel9\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux_ai:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AI (RHEL AI) 3\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhelai3/disk-image-cuda-rhel9\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux_ai:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Fuse 7\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"shell-quote\",\"cpes\":[\"cpe:/a:redhat:jboss_fuse:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI (RHOAI)\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhoai/odh-dashboard-rhel8\",\"cpes\":[\"cpe:/a:redhat:openshift_ai\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI (RHOAI)\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhoai/odh-mlflow-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_ai\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI (RHOAI)\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhoai/odh-mod-arch-automl-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_ai\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI (RHOAI)\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhoai/odh-mod-arch-autorag-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_ai\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI (RHOAI)\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhoai/odh-mod-arch-eval-hub-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_ai\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI (RHOAI)\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhoai/odh-mod-arch-maas-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_ai\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI (RHOAI)\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhoai/odh-mod-arch-mlflow-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_ai\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI (RHOAI)\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhoai/odh-mod-arch-model-registry-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift_ai\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift4/ose-agent-installer-ui-rhel9\",\"cpes\":[\"cpe:/a:redhat:openshift:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift4/ose-console\",\"cpes\":[\"cpe:/a:redhat:openshift:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Virtualization 4\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"container-native-virtualization/kubevirt-console-plugin-rhel9\",\"cpes\":[\"cpe:/a:redhat:container_native_virtualization:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Trusted Artifact Signer\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"rhtas/rekor-search-ui-rhel9\",\"cpes\":[\"cpe:/a:redhat:trusted_artifact_signer:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Self-service automation portal 2\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"ansible-automation-platform/automation-portal\",\"cpes\":[\"cpe:/a:redhat:ansible_portal:2\"]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.2,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-05-22T14:17:31.964845Z\",\"id\":\"CVE-2026-9277\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"},{\"lang\":\"en\",\"value\":\"CWE-78\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://github.com/ljharb/shell-quote\",\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\"},{\"url\":\"https://github.com/ljharb/shell-quote/commit/1518179\",\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\"},{\"url\":\"https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p\",\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\"},{\"url\":\"https://www.npmjs.com/package/shell-quote\",\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/05/23/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:26072\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:26077\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:26079\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:26080\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:26090\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:26225\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:26234\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:28010\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:28571\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:29197\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:29795\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:29834\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:30076\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:33574\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:33683\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:34342\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:34791\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:36754\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:41066\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-9277\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2480741\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9277.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
"redhat_vex": {
"aggregate_severity": "Important",
"current_release_date": "2026-07-19T11:23:36+00:00",
"cve": "CVE-2026-9277",
"id": "CVE-2026-9277",
"initial_release_date": "2026-05-22T13:22:38.873000+00:00",
"product_status:fixed": "122",
"product_status:known_affected": "23",
"product_status:known_not_affected": "2168",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9277.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/05/23/2\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-05-23T03:04:40.537Z\"}}, {\"title\": \"shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:cryostat:4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Cryostat 4 on RHEL 9\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"4.2.0-10\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cryostat/cryostat-openshift-console-plugin-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Cluster Observability Operator 1.5.0\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782840519\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cluster-observability-operator/distributed-tracing-console-plugin-pf4-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Cluster Observability Operator 1.5.0\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782839981\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cluster-observability-operator/distributed-tracing-console-plugin-pf5-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Cluster Observability Operator 1.5.0\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782839193\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cluster-observability-operator/distributed-tracing-console-plugin-pf6-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Cluster Observability Operator 1.5.0\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782838753\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cluster-observability-operator/distributed-tracing-console-plugin-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Cluster Observability Operator 1.5.0\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782839279\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cluster-observability-operator/logging-console-plugin-pf4-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Cluster Observability Operator 1.5.0\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782840539\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cluster-observability-operator/logging-console-plugin-pf5-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Cluster Observability Operator 1.5.0\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782841925\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cluster-observability-operator/logging-console-plugin-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Cluster Observability Operator 1.5.0\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782844225\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cluster-observability-operator/monitoring-console-plugin-pf5-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Cluster Observability Operator 1.5.0\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782839658\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cluster-observability-operator/monitoring-console-plugin-pf6-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Cluster Observability Operator 1.5.0\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782838476\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cluster-observability-operator/monitoring-console-plugin-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Cluster Observability Operator 1.5.0\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782839996\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cluster-observability-operator/troubleshooting-panel-console-plugin-pf6-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cluster_observability_operator:1.5::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Cluster Observability Operator 1.5.0\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782839494\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cluster-observability-operator/troubleshooting-panel-console-plugin-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhdh:1.10::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Developer Hub 1.10\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1783448184\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhdh/rhdh-hub-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhdh:1.9::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Developer Hub 1.9\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1781187342\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}, {\"status\": \"unaffected\", \"version\": \"1782761244\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhdh/rhdh-hub-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:discovery:2::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Discovery 2\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782166952\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"discovery/discovery-ui-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4.20::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4.20\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782911711\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"openshift4/ose-console-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4.21::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4.21\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782308675\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"openshift4/ose-console-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4.22::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4.22\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782224390\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"openshift4/ose-console-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:2.6::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Service Mesh 2.6\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1780907585\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"openshift-service-mesh/kiali-ossmc-rhel8\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:2.6::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Service Mesh 2.6\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1780916536\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"openshift-service-mesh/kiali-rhel8\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:3.0::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Service Mesh 3\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1780470245\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"openshift-service-mesh/kiali-ossmc-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:3.0::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Service Mesh 3\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1780916345\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"openshift-service-mesh/kiali-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:3.1::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Service Mesh 3.1\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1780470706\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"openshift-service-mesh/kiali-ossmc-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:3.1::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Service Mesh 3.1\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1780916478\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"openshift-service-mesh/kiali-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:3.2::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Service Mesh 3.2\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1780470003\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"openshift-service-mesh/kiali-ossmc-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:3.2::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Service Mesh 3.2\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1780916392\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"openshift-service-mesh/kiali-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:3.3::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Service Mesh 3.3\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1780997382\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"openshift-service-mesh/kiali-ossmc-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:3.3::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Service Mesh 3.3\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1780997438\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"openshift-service-mesh/kiali-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:quay:3.10::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Quay 3.10\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1782487717\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"quay/quay-rhel8\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:quay:3.12::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Quay 3.12\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1781937357\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"quay/quay-rhel8\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:quay:3.16::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Quay 3.16\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1783955846\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"quay/quay-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:quay:3.9::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Quay 3.9\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1781878070\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"quay/quay-rhel8\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite:6.18::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6.18\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1781032495\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"satellite/iop-vulnerability-frontend-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cryostat:4\"], \"vendor\": \"Red Hat\", \"product\": \"Cryostat 4\", \"packageName\": \"shell-quote\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:gatekeeper:3\"], \"vendor\": \"Red Hat\", \"product\": \"Gatekeeper 3\", \"packageName\": \"gatekeeper/gatekeeper-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:rhmt:1\"], \"vendor\": \"Red Hat\", \"product\": \"Migration Toolkit for Containers\", \"packageName\": \"rhmtc/openshift-migration-ui-rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:workload_availability_nhc:0\"], \"vendor\": \"Red Hat\", \"product\": \"Node HealthCheck Operator\", \"packageName\": \"workload-availability/node-healthcheck-must-gather-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:workload_availability_nhc:0\"], \"vendor\": \"Red Hat\", \"product\": \"Node HealthCheck Operator\", \"packageName\": \"workload-availability/node-healthcheck-operator-bundle\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:workload_availability_nhc:0\"], \"vendor\": \"Red Hat\", \"product\": \"Node HealthCheck Operator\", \"packageName\": \"workload-availability/node-healthcheck-rhel9-operator\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_lightspeed\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Lightspeed\", \"packageName\": \"openshift-lightspeed/lightspeed-console-plugin-419-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_lightspeed\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Lightspeed\", \"packageName\": \"openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_lightspeed\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Lightspeed\", \"packageName\": \"openshift-lightspeed/lightspeed-console-plugin-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_pipelines:1\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Pipelines\", \"packageName\": \"openshift-pipelines/pipelines-console-plugin-rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_pipelines:1\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Pipelines\", \"packageName\": \"openshift-pipelines/pipelines-console-plugin-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_pipelines:1\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Pipelines\", \"packageName\": \"openshift-pipelines/pipelines-hub-ui-rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_pipelines:1\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Pipelines\", \"packageName\": \"openshift-pipelines/pipelines-hub-ui-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:3\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Service Mesh 3\", \"packageName\": \"openshift-service-mesh/kiali-operator-bundle\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:3\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Service Mesh 3\", \"packageName\": \"openshift-service-mesh/kiali-rhel9-operator\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:amq_broker:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat AMQ Broker 7\", \"packageName\": \"shell-quote\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2\", \"packageName\": \"ansible-automation-platform-24/lightspeed-rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2\", \"packageName\": \"ansible-automation-platform-25/lightspeed-rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2\", \"packageName\": \"ansible-automation-platform-26/gateway-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2\", \"packageName\": \"ansible-automation-platform-26/lightspeed-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2\", \"packageName\": \"automation-eda-controller\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2\", \"packageName\": \"automation-gateway\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2\", \"packageName\": \"automation-platform-ui\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:apache_camel_hawtio:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Apache Camel - HawtIO 4\", \"packageName\": \"shell-quote\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:podman_desktop:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Build of Podman Desktop\", \"packageName\": \"rh-podman-desktop.git\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:podman_desktop:0\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Build of Podman Desktop - Tech Preview\", \"packageName\": \"rhdesktop/rh-podman-desktop-ext-bootc-rhel10\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_data_grid:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Data Grid 8\", \"packageName\": \"shell-quote\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"goose\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"grafana\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"pcs\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"goose\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"grafana\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"pcs\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux_ai:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AI (RHEL AI) 3\", \"packageName\": \"rhelai3/bootc-cuda-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux_ai:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AI (RHEL AI) 3\", \"packageName\": \"rhelai3/bootc-gaudi-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux_ai:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AI (RHEL AI) 3\", \"packageName\": \"rhelai3/bootc-rocm-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux_ai:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AI (RHEL AI) 3\", \"packageName\": \"rhelai3/disk-image-cuda-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_fuse:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Fuse 7\", \"packageName\": \"shell-quote\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_ai\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift AI (RHOAI)\", \"packageName\": \"rhoai/odh-dashboard-rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_ai\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift AI (RHOAI)\", \"packageName\": \"rhoai/odh-mlflow-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_ai\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift AI (RHOAI)\", \"packageName\": \"rhoai/odh-mod-arch-automl-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_ai\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift AI (RHOAI)\", \"packageName\": \"rhoai/odh-mod-arch-autorag-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_ai\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift AI (RHOAI)\", \"packageName\": \"rhoai/odh-mod-arch-eval-hub-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_ai\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift AI (RHOAI)\", \"packageName\": \"rhoai/odh-mod-arch-maas-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_ai\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift AI (RHOAI)\", \"packageName\": \"rhoai/odh-mod-arch-mlflow-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_ai\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift AI (RHOAI)\", \"packageName\": \"rhoai/odh-mod-arch-model-registry-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift4/ose-agent-installer-ui-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift4/ose-console\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:container_native_virtualization:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Virtualization 4\", \"packageName\": \"container-native-virtualization/kubevirt-console-plugin-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:trusted_artifact_signer:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Trusted Artifact Signer\", \"packageName\": \"rhtas/rekor-search-ui-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_portal:2\"], \"vendor\": \"Red Hat\", \"product\": \"Self-service automation portal 2\", \"packageName\": \"ansible-automation-platform/automation-portal\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-05-22T14:01:14.427Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-05-22T13:22:38.873Z\", \"value\": \"Made public.\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"RHSA-2026:28010: Cryostat 4 on RHEL 9\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:34342: Cluster Observability Operator 1.5.0\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:36754: Red Hat Developer Hub 1.10\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:33574: Red Hat Developer Hub 1.9\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:26234: Red Hat Developer Hub 1.9\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:29197: Red Hat Discovery 2\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:34791: Red Hat OpenShift Container Platform 4.20\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:29834: Red Hat OpenShift Container Platform 4.21\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:29795: Red Hat OpenShift Container Platform 4.22\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:26072: Red Hat OpenShift Service Mesh 2.6\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:26077: Red Hat OpenShift Service Mesh 3.1\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:26079: Red Hat OpenShift Service Mesh 3.2\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:26090: Red Hat OpenShift Service Mesh 3.3\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:26080: Red Hat OpenShift Service Mesh 3\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:33683: Red Hat Quay 3.10\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:30076: Red Hat Quay 3.12\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:41066: Red Hat Quay 3.16\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:28571: Red Hat Quay 3.9\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:26225: Red Hat Satellite 6.18\"}], \"x_adpType\": \"supplier\", \"datePublic\": \"2026-05-22T13:22:38.873Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2026-9277\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2480741\", \"name\": \"RHBZ#2480741\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9277.json\", \"tags\": [\"x_sadp-csaf-vex\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:28010\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:34342\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:36754\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:33574\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:26234\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:29197\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:34791\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:29834\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:29795\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:26072\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:26077\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:26079\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:26090\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:26080\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:33683\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:30076\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:41066\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:28571\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:26225\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}], \"x_generator\": {\"engine\": \"sadp-cli 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\", \"shortName\": \"redhat-SADP\", \"dateUpdated\": \"2026-07-17T12:04:47.826Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-9277\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-22T14:17:31.964845Z\"}}}], \"references\": [{\"url\": \"https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-22T14:17:25.193Z\"}}], \"cna\": {\"title\": \"shell-quote `quote()` does not validate object-token shapes, allowing command injection via line terminators in `.op`\", \"source\": {\"advisory\": \"GHSA-w7jw-789q-3m8p\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Akshat Sinha (@akshatgit)\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Jordan Harband (@ljharb)\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.2, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/ljharb/shell-quote\", \"product\": \"shell-quote\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.1.0\", \"lessThan\": \"1.8.4\", \"versionType\": \"semver\"}], \"packageName\": \"shell-quote\", \"programFiles\": [\"quote.js\"], \"collectionURL\": \"https://www.npmjs.com/package/shell-quote\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p\", \"name\": \"GHSA-w7jw-789q-3m8p\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/ljharb/shell-quote/commit/1518179\", \"name\": \"Fix commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/ljharb/shell-quote\", \"tags\": [\"product\"]}, {\"url\": \"https://www.npmjs.com/package/shell-quote\", \"tags\": [\"product\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"shell-quote\u0027s `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\\\\n, \\\\r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: \u0027...\\\\n...\u0027 }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser\u0027s control-operator allowlist; `{ op: \u0027glob\u0027, pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eshell-quote\u0027s `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\\\\n, \\\\r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: \u0027...\\\\n...\u0027 }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser\u0027s control-operator allowlist; `{ op: \u0027glob\u0027, pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-77\", \"description\": \"CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"7ffcee3d-2c14-4c3e-b844-86c6a321a158\", \"shortName\": \"harborist\", \"dateUpdated\": \"2026-05-22T13:22:38.873Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-9277\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-17T12:04:47.826Z\", \"dateReserved\": \"2026-05-22T12:13:25.893Z\", \"assignerOrgId\": \"7ffcee3d-2c14-4c3e-b844-86c6a321a158\", \"datePublished\": \"2026-05-22T13:22:38.873Z\", \"assignerShortName\": \"harborist\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2026:36754
Vulnerability from csaf_redhat - Published: 2026-07-08 13:07 - Updated: 2026-07-19 13:46A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by crafting a malicious Uniform Resource Identifier (URI) that contains percent-encoded authority delimiters. The fast-uri library incorrectly decodes these delimiters during normalization and then re-emits them as raw separators, which can change the URI's intended authority. This issue allows applications that perform host allowlist checks, redirect validation, or outbound request routing to be steered to a different authority than specified, potentially bypassing security controls.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
A flaw was found in undici. When using Socks5ProxyAgent, undici incorrectly reuses a single connection pool across different origins. This can lead to cross-origin request routing, where sensitive credentials and data intended for one destination are sent to another. Consequently, responses from unintended origins may be trusted, and secure HTTPS connections could be silently downgraded to unencrypted HTTP, resulting in information disclosure and data integrity issues.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
A flaw was found in json-2-csv. An attacker can bypass the `preventCsvInjection` option to inject malicious formulas into CSV (Comma Separated Values) files. When these manipulated CSV files are opened in spreadsheet applications, the injected formulas can execute, potentially leading to arbitrary code execution or information disclosure.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in undici. When undici's ProxyAgent is configured with a SOCKS5 proxy Uniform Resource Identifier (URI), it silently ignores Transport Layer Security (TLS) options, such as custom Certificate Authorities (CAs). This allows a remote attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and tampering with HTTPS communications. The connection falls back to Node.js's default trust store, bypassing intended security configurations and potentially leading to information disclosure or arbitrary code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return (CR), line feed (LF), or double-quote (") characters into the `field` argument of `FormData#append` or the `filename` option. This allows the attacker to inject additional headers or smuggle entire additional multipart parts into requests, potentially enabling them to add or override form fields and compromise data integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion, resulting in a denial of service (DoS) for affected applications using the undici WebSocket client or WebSocketStream API.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows an attacker to escape the sandbox environment by exploiting the `inspect` function. Successful exploitation can lead to arbitrary code execution on the host system, compromising the integrity and confidentiality of the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
A flaw was found in golang.org/x/net/html. When arbitrary HTML is parsed and then rendered, it can result in an unexpected HTML tree. This allows an attacker to bypass HTML sanitization mechanisms, leading to Cross-Site Scripting (XSS) attacks in applications. Such attacks can result in information disclosure or arbitrary code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
A flaw was found in the `net/mail` package of the Go programming language. An attacker could provide specially crafted inputs to the `ParseAddress`, `ParseAddressList`, or `ParseDate` functions. This could lead to excessive consumption of CPU and memory resources, resulting in a Denial of Service (DoS) for applications processing these inputs.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user's browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in the `net/mail` package within the Go standard library. A remote attacker could provide specially crafted, pathological email addresses. When these malformed email addresses are parsed by the `consumePhrase` function, it can lead to excessive resource consumption due to quadratic string concatenation, resulting in a Denial of Service (DoS) condition.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in Axios. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to escalate any existing Object.prototype pollution in an application's dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in ws, an open source WebSocket client and server for Node.js. The `websocket.close()` implementation is vulnerable to uninitialized memory disclosure when a `TypedArray` is passed as the reason argument. This can lead to the disclosure of sensitive information from uninitialized memory.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. A remote attacker can exploit this vulnerability by combining specific Buffer function calls and Node.js's ERR_INVALID_ARG_TYPE error. This allows the attacker to obtain the host's TypeError constructor, leading to an escape from the sandbox. Consequently, this enables attackers to run arbitrary code on the host system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. An attacker within the sandbox could exploit incomplete symbol interception and missing security checks to gain control over the host system. This could allow the attacker to execute arbitrary code outside the sandbox environment, leading to a complete compromise of the host.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. A remote attacker could bypass a security check designed to prevent the combination of nested environments and disabled module loading. This bypass occurs because a strict equality check for the `require` option can be circumvented by simply omitting the option, leading to an unintended configuration. Successful exploitation of this vulnerability could allow an attacker to escape the sandbox and achieve arbitrary code execution on the host system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in vm2, a Node.js sandbox. This vulnerability allows sandboxed code to bypass network restrictions by utilizing internal HTTP built-ins, such as _http_client and _http_server. An attacker can exploit this to make outbound HTTP requests or open listening HTTP sockets, even when public network modules are explicitly denied. This could lead to unauthorized information disclosure or further compromise of the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows sandboxed code to bypass intended security restrictions by exploiting missing entries in the denylist for dangerous Node.js built-in functions, specifically `process` and `inspector/promises`. A remote attacker can leverage this to execute arbitrary code in the host process, leading to a complete compromise of the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. Prior to version 3.11.4, NodeVM, a component of vm2, improperly exposed certain process-wide observability builtins, such as diagnostics_channel, async_hooks, and perf_hooks. These builtins, which are designed for monitoring and debugging, were not adequately blocked by the dangerous builtin denylist. This oversight allowed sandboxed code to observe sensitive host application data, leading to information disclosure across the vm2 security boundary.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows an attacker to escape the sandbox environment by writing malicious code. Successful exploitation can lead to arbitrary code execution on the host system, compromising the integrity and confidentiality of the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This sandbox escape vulnerability allows an attacker to execute arbitrary code in the host process. This occurs when untrusted code is executed with asynchronous (async) support on runtimes that expose WebAssembly JavaScript Promise Integration (JSPI). Specifically, a JSPI-backed Promise can bypass expected Promise-species hardening, exposing a host-originated rejection object to attacker-controlled logic and breaking the sandbox boundary.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 | — |
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat Developer Hub 1.10.2 has been released.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Developer Hub (RHDH) is Red Hat\u0027s enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:36754",
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-12143",
"url": "https://access.redhat.com/security/cve/CVE-2026-12143"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-12151",
"url": "https://access.redhat.com/security/cve/CVE-2026-12151"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-24781",
"url": "https://access.redhat.com/security/cve/CVE-2026-24781"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27136",
"url": "https://access.redhat.com/security/cve/CVE-2026-27136"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39820",
"url": "https://access.redhat.com/security/cve/CVE-2026-39820"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42338",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42499",
"url": "https://access.redhat.com/security/cve/CVE-2026-42499"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44486",
"url": "https://access.redhat.com/security/cve/CVE-2026-44486"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44487",
"url": "https://access.redhat.com/security/cve/CVE-2026-44487"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44488",
"url": "https://access.redhat.com/security/cve/CVE-2026-44488"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44492",
"url": "https://access.redhat.com/security/cve/CVE-2026-44492"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44494",
"url": "https://access.redhat.com/security/cve/CVE-2026-44494"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44495",
"url": "https://access.redhat.com/security/cve/CVE-2026-44495"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44496",
"url": "https://access.redhat.com/security/cve/CVE-2026-44496"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-45736",
"url": "https://access.redhat.com/security/cve/CVE-2026-45736"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-47131",
"url": "https://access.redhat.com/security/cve/CVE-2026-47131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-47135",
"url": "https://access.redhat.com/security/cve/CVE-2026-47135"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-47137",
"url": "https://access.redhat.com/security/cve/CVE-2026-47137"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-47139",
"url": "https://access.redhat.com/security/cve/CVE-2026-47139"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-47140",
"url": "https://access.redhat.com/security/cve/CVE-2026-47140"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-47141",
"url": "https://access.redhat.com/security/cve/CVE-2026-47141"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-47208",
"url": "https://access.redhat.com/security/cve/CVE-2026-47208"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-47210",
"url": "https://access.redhat.com/security/cve/CVE-2026-47210"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48779",
"url": "https://access.redhat.com/security/cve/CVE-2026-48779"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-6322",
"url": "https://access.redhat.com/security/cve/CVE-2026-6322"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-6734",
"url": "https://access.redhat.com/security/cve/CVE-2026-6734"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-9277",
"url": "https://access.redhat.com/security/cve/CVE-2026-9277"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-9673",
"url": "https://access.redhat.com/security/cve/CVE-2026-9673"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-9697",
"url": "https://access.redhat.com/security/cve/CVE-2026-9697"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh",
"url": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh"
},
{
"category": "external",
"summary": "https://developers.redhat.com/rhdh/overview",
"url": "https://developers.redhat.com/rhdh/overview"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_developer_hub",
"url": "https://docs.redhat.com/en/documentation/red_hat_developer_hub"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHDHBUGS-3286",
"url": "https://issues.redhat.com/browse/RHDHBUGS-3286"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHDHBUGS-3288",
"url": "https://issues.redhat.com/browse/RHDHBUGS-3288"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHDHBUGS-3290",
"url": "https://issues.redhat.com/browse/RHDHBUGS-3290"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHDHBUGS-3291",
"url": "https://issues.redhat.com/browse/RHDHBUGS-3291"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHDHBUGS-3293",
"url": "https://issues.redhat.com/browse/RHDHBUGS-3293"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHDHBUGS-3398",
"url": "https://issues.redhat.com/browse/RHDHBUGS-3398"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_36754.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Developer Hub 1.10.2 release.",
"tracking": {
"current_release_date": "2026-07-19T13:46:32+00:00",
"generator": {
"date": "2026-07-19T13:46:32+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.7"
}
},
"id": "RHSA-2026:36754",
"initial_release_date": "2026-07-08T13:07:12+00:00",
"revision_history": [
{
"date": "2026-07-08T13:07:12+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-18T05:32:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-19T13:46:32+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Developer Hub 1.10",
"product": {
"name": "Red Hat Developer Hub 1.10",
"product_id": "Red Hat Developer Hub 1.10",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhdh:1.10::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Developer Hub"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-hub-rhel9@sha256%3A61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-hub-rhel9\u0026tag=1783448184"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-must-gather-rhel9@sha256%3Aaacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-must-gather-rhel9\u0026tag=1783447888"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-rhel9-operator@sha256%3A0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-rhel9-operator\u0026tag=1783447707"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-operator-bundle@sha256%3Ad4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-operator-bundle\u0026tag=1783453583"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-rag-content-rhel9@sha256%3Abea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-rag-content-rhel9\u0026tag=1783446803"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64 as a component of Red Hat Developer Hub 1.10",
"product_id": "Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64 as a component of Red Hat Developer Hub 1.10",
"product_id": "Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64 as a component of Red Hat Developer Hub 1.10",
"product_id": "Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64 as a component of Red Hat Developer Hub 1.10",
"product_id": "Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64 as a component of Red Hat Developer Hub 1.10",
"product_id": "Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.10"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-6322",
"cwe": {
"id": "CWE-140",
"name": "Improper Neutralization of Delimiters"
},
"discovery_date": "2026-05-05T11:01:00.332189+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2466684"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by crafting a malicious Uniform Resource Identifier (URI) that contains percent-encoded authority delimiters. The fast-uri library incorrectly decodes these delimiters during normalization and then re-emits them as raw separators, which can change the URI\u0027s intended authority. This issue allows applications that perform host allowlist checks, redirect validation, or outbound request routing to be steered to a different authority than specified, potentially bypassing security controls.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "fast-uri: fast-uri: URI authority bypass due to improper delimiter handling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in the `fast-uri` library allows an attacker to bypass security controls in Red Hat products that process Uniform Resource Identifiers (URIs). By crafting a malicious URI with percent-encoded authority delimiters, an attacker can cause the library to incorrectly interpret the URI\u0027s authority, potentially redirecting applications to an unintended domain. This could lead to a bypass of host allowlist checks, redirect validation, or outbound request routing.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-6322"
},
{
"category": "external",
"summary": "RHBZ#2466684",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466684"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-6322",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6322"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6322",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6322"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc",
"url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc"
}
],
"release_date": "2026-05-05T10:29:16.378000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "fast-uri: fast-uri: URI authority bypass due to improper delimiter handling"
},
{
"cve": "CVE-2026-6734",
"cwe": {
"id": "CWE-940",
"name": "Improper Verification of Source of a Communication Channel"
},
"discovery_date": "2026-06-17T19:04:00.272340+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490024"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undici. When using Socks5ProxyAgent, undici incorrectly reuses a single connection pool across different origins. This can lead to cross-origin request routing, where sensitive credentials and data intended for one destination are sent to another. Consequently, responses from unintended origins may be trusted, and secure HTTPS connections could be silently downgraded to unencrypted HTTP, resulting in information disclosure and data integrity issues.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is rated as an Important security flaw. The `undici` library, when configured with `Socks5ProxyAgent` to handle requests for multiple origins, incorrectly reuses connection pools. This can lead to sensitive data and credentials being misrouted to unintended destinations, potentially downgrading HTTPS connections to HTTP and compromising data integrity and confidentiality. Red Hat products utilizing `undici` with `Socks5ProxyAgent` in multi-origin scenarios are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-6734"
},
{
"category": "external",
"summary": "RHBZ#2490024",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490024"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-6734",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6734"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6734",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6734"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj"
}
],
"release_date": "2026-06-17T16:36:55.439000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "The single most impactful mitigation is applying network egress controls to restrict which external destinations affected applications can reach. Because the vulnerability causes requests to be misrouted to wrong origins, limiting the set of reachable origins directly reduces the attack surface. These controls collectively limit the blast radius of the connection pool misrouting \u2014 the attacker must compromise one of the explicitly allowed destinations rather than any arbitrary origin \u2014 but they do not fix the underlying logic bug.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing"
},
{
"cve": "CVE-2026-9277",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2026-05-22T14:01:14.427751+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480741"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9277"
},
{
"category": "external",
"summary": "RHBZ#2480741",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480741"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9277",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9277"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote",
"url": "https://github.com/ljharb/shell-quote"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote/commit/1518179",
"url": "https://github.com/ljharb/shell-quote/commit/1518179"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p",
"url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/shell-quote",
"url": "https://www.npmjs.com/package/shell-quote"
}
],
"release_date": "2026-05-22T13:22:38.873000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators"
},
{
"cve": "CVE-2026-9673",
"cwe": {
"id": "CWE-1236",
"name": "Improper Neutralization of Formula Elements in a CSV File"
},
"discovery_date": "2026-05-28T06:01:00.245616+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482486"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in json-2-csv. An attacker can bypass the `preventCsvInjection` option to inject malicious formulas into CSV (Comma Separated Values) files. When these manipulated CSV files are opened in spreadsheet applications, the injected formulas can execute, potentially leading to arbitrary code execution or information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json-2-csv: json-2-csv: CSV Injection vulnerability allows arbitrary code execution via `preventCsvInjection` bypass.",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate vulnerability in `json-2-csv` allows for CSV Injection due to a bypass in the `preventCsvInjection` option. While exploitation requires a user to open a specially crafted CSV file in a spreadsheet application, successful attacks could lead to arbitrary code execution or information disclosure. This affects Red Hat Developer Hub and Red Hat Ansible Automation Platform when processing untrusted data that is subsequently exported to CSV and opened by a user.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9673"
},
{
"category": "external",
"summary": "RHBZ#2482486",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482486"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9673",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9673"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9673",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9673"
},
{
"category": "external",
"summary": "https://gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613",
"url": "https://gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613"
},
{
"category": "external",
"summary": "https://github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts%23L410",
"url": "https://github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts%23L410"
},
{
"category": "external",
"summary": "https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229",
"url": "https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326",
"url": "https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326"
}
],
"release_date": "2026-05-28T05:00:02.387000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "json-2-csv: json-2-csv: CSV Injection vulnerability allows arbitrary code execution via `preventCsvInjection` bypass."
},
{
"cve": "CVE-2026-9697",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2026-06-17T19:03:30.813843+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490018"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undici. When undici\u0027s ProxyAgent is configured with a SOCKS5 proxy Uniform Resource Identifier (URI), it silently ignores Transport Layer Security (TLS) options, such as custom Certificate Authorities (CAs). This allows a remote attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and tampering with HTTPS communications. The connection falls back to Node.js\u0027s default trust store, bypassing intended security configurations and potentially leading to information disclosure or arbitrary code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important vulnerability. Applications using `undici`\u0027s `ProxyAgent` with a SOCKS5 proxy URI will silently ignore user-configured TLS options, including custom Certificate Authorities. This bypasses intended security controls for HTTPS communication, enabling a remote attacker to perform Man-in-the-Middle attacks, potentially leading to information disclosure or arbitrary code execution in affected Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9697"
},
{
"category": "external",
"summary": "RHBZ#2490018",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490018"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9697",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9697"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9697",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9697"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g"
}
],
"release_date": "2026-06-17T16:46:42.706000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy"
},
{
"cve": "CVE-2026-12143",
"cwe": {
"id": "CWE-93",
"name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
},
"discovery_date": "2026-06-12T19:00:57.360953+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488480"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return (CR), line feed (LF), or double-quote (\") characters into the `field` argument of `FormData#append` or the `filename` option. This allows the attacker to inject additional headers or smuggle entire additional multipart parts into requests, potentially enabling them to add or override form fields and compromise data integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "form-data: form-data: Form field override via CRLF injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important impact flaw in the form-data library: a remote attacker can inject arbitrary headers or additional multipart parts via CRLF injection in field names or filenames, potentially overriding sensitive form fields and affecting data integrity.\n\nFor RHOAI and RHEL AI, severity is Moderate because affected versions appear only as a transitive npm dependency in RHOAI (dashboard, mod-arch plugins, MLflow UI) and RHEL AI 3.4 bootc images, and those products use fixed field names for uploads rather than passing untrusted user input as multipart field names or filenames. The documented exploit path is therefore not reachable in default deployments. Practical impact is limited to non-default or custom integrations that forward multipart requests using attacker-controlled field names.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-12143"
},
{
"category": "external",
"summary": "RHBZ#2488480",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488480"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-12143",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-12143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-12143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12143"
},
{
"category": "external",
"summary": "https://cwe.mitre.org/data/definitions/93.html",
"url": "https://cwe.mitre.org/data/definitions/93.html"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435",
"url": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229",
"url": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045",
"url": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx",
"url": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx"
},
{
"category": "external",
"summary": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data",
"url": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/form-data",
"url": "https://www.npmjs.com/package/form-data"
}
],
"release_date": "2026-06-12T18:01:30.362000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Applications using the `form-data` library should implement strict input validation and sanitization for all field names and filenames derived from untrusted sources. This prevents the injection of control characters (CR, LF, \") that could lead to header injection or form field overrides. Deployments that exclusively use fixed or trusted field names are not impacted.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "form-data: form-data: Form field override via CRLF injection"
},
{
"cve": "CVE-2026-12151",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-17T17:01:45.297604+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2489980"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion, resulting in a denial of service (DoS) for affected applications using the undici WebSocket client or WebSocketStream API.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important denial of service flaw in the `undici` WebSocket client allows a remote attacker to cause unbounded memory growth. By sending numerous small or empty WebSocket frames, an unauthenticated attacker can exhaust system memory, leading to a denial of service in Red Hat products that use the affected client.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-12151"
},
{
"category": "external",
"summary": "RHBZ#2489980",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489980"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-12151",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-12151"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-12151",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12151"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q"
}
],
"release_date": "2026-06-17T16:05:38.785000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames"
},
{
"cve": "CVE-2026-24781",
"cwe": {
"id": "CWE-653",
"name": "Improper Isolation or Compartmentalization"
},
"discovery_date": "2026-05-04T19:03:41.437468+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2466531"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows an attacker to escape the sandbox environment by exploiting the `inspect` function. Successful exploitation can lead to arbitrary code execution on the host system, compromising the integrity and confidentiality of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vm2: vm2: Arbitrary code execution via sandbox breakout through inspect function",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-24781"
},
{
"category": "external",
"summary": "RHBZ#2466531",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466531"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-24781",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24781"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-24781",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24781"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189",
"url": "https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c",
"url": "https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228",
"url": "https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c"
}
],
"release_date": "2026-05-04T16:33:32.869000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "vm2: vm2: Arbitrary code execution via sandbox breakout through inspect function"
},
{
"cve": "CVE-2026-27136",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-05-22T16:00:56.609820+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480757"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/net/html. When arbitrary HTML is parsed and then rendered, it can result in an unexpected HTML tree. This allows an attacker to bypass HTML sanitization mechanisms, leading to Cross-Site Scripting (XSS) attacks in applications. Such attacks can result in information disclosure or arbitrary code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/net/html: golang: golang.org/x/net/html: Cross-Site Scripting via HTML parsing bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in `golang.org/x/net/html` is rated as Important. It allows for Cross-Site Scripting (XSS) attacks by enabling an attacker to bypass HTML sanitization mechanisms when arbitrary HTML is parsed and rendered. This can lead to information disclosure or arbitrary code execution in affected applications. Exploitation typically requires user interaction, where a user processes specially crafted malicious HTML content.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27136"
},
{
"category": "external",
"summary": "RHBZ#2480757",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480757"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27136",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27136"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27136",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27136"
},
{
"category": "external",
"summary": "https://go.dev/cl/781685",
"url": "https://go.dev/cl/781685"
},
{
"category": "external",
"summary": "https://go.dev/issue/79575",
"url": "https://go.dev/issue/79575"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8",
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5030",
"url": "https://pkg.go.dev/vuln/GO-2026-5030"
}
],
"release_date": "2026-05-22T15:01:22.111000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/net/html: golang: golang.org/x/net/html: Cross-Site Scripting via HTML parsing bypass"
},
{
"cve": "CVE-2026-39820",
"cwe": {
"id": "CWE-606",
"name": "Unchecked Input for Loop Condition"
},
"discovery_date": "2026-05-07T20:01:27.800929+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2467820"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `net/mail` package of the Go programming language. An attacker could provide specially crafted inputs to the `ParseAddress`, `ParseAddressList`, or `ParseDate` functions. This could lead to excessive consumption of CPU and memory resources, resulting in a Denial of Service (DoS) for applications processing these inputs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/mail: golang: Go net/mail: Denial of Service via crafted email inputs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in the Go `net/mail` package. Applications processing untrusted email inputs via `ParseAddress`, `ParseAddressList`, or `ParseDate` functions are susceptible to excessive resource consumption, which can lead to service unavailability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39820"
},
{
"category": "external",
"summary": "RHBZ#2467820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467820"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39820",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39820"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39820",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39820"
},
{
"category": "external",
"summary": "https://go.dev/cl/759940",
"url": "https://go.dev/cl/759940"
},
{
"category": "external",
"summary": "https://go.dev/issue/78566",
"url": "https://go.dev/issue/78566"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M",
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4986",
"url": "https://pkg.go.dev/vuln/GO-2026-4986"
}
],
"release_date": "2026-05-07T19:41:19.854000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "net/mail: golang: Go net/mail: Denial of Service via crafted email inputs"
},
{
"cve": "CVE-2026-42338",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-05-12T21:01:14.436876+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2476810"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in the `ip-address` JavaScript library is rated as Important. It allows for cross-site scripting (XSS) when an application processes untrusted input through the `Address6` constructor and subsequently renders the unescaped output of methods like `Address6.group()`, `Address6.link()`, or `AddressError.parseMessage` directly as HTML. While the library itself is affected, exploitation is contingent on specific application-level rendering practices that may not be common in Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"category": "external",
"summary": "RHBZ#2476810",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476810"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42338",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42338"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
},
{
"category": "external",
"summary": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g",
"url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g"
}
],
"release_date": "2026-05-12T19:43:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input"
},
{
"cve": "CVE-2026-42499",
"cwe": {
"id": "CWE-1046",
"name": "Creation of Immutable Text Using String Concatenation"
},
"discovery_date": "2026-05-07T20:00:51.685602+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2467809"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `net/mail` package within the Go standard library. A remote attacker could provide specially crafted, pathological email addresses. When these malformed email addresses are parsed by the `consumePhrase` function, it can lead to excessive resource consumption due to quadratic string concatenation, resulting in a Denial of Service (DoS) condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/mail: golang: net/mail: Denial of Service via pathological email address parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in the `net/mail` package of the Go standard library. A remote attacker can exploit this flaw by sending specially crafted email addresses, leading to excessive resource consumption and a denial of service in Go applications that parse email addresses using the affected library.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42499"
},
{
"category": "external",
"summary": "RHBZ#2467809",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467809"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42499",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42499"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42499",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42499"
},
{
"category": "external",
"summary": "https://go.dev/cl/771520",
"url": "https://go.dev/cl/771520"
},
{
"category": "external",
"summary": "https://go.dev/issue/78987",
"url": "https://go.dev/issue/78987"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M",
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4977",
"url": "https://pkg.go.dev/vuln/GO-2026-4977"
}
],
"release_date": "2026-05-07T19:41:18.615000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "net/mail: golang: net/mail: Denial of Service via pathological email address parsing"
},
{
"cve": "CVE-2026-44486",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-06-11T17:01:30.944384+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487947"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important information disclosure flaw in the Axios Node.js HTTP adapter. Red Hat products utilizing Axios in a Node.js environment with an authenticated proxy and automatic redirects enabled are susceptible. The vulnerability arises when a request, initially sent through an authenticated proxy, is redirected to a target that no longer uses the proxy, potentially leaking `Proxy-Authorization` headers containing sensitive credentials to an untrusted remote server. This risk is heightened in deployments where applications interact with untrusted HTTP origins.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44486"
},
{
"category": "external",
"summary": "RHBZ#2487947",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487947"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44486"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc",
"url": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc"
}
],
"release_date": "2026-06-11T15:39:07.714000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects"
},
{
"cve": "CVE-2026-44487",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-06-11T17:01:34.091476+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487948"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure of proxy credentials via redirect flows",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important information disclosure flaw in Axios affecting Node.js environments. When an application uses Axios with an authenticated HTTP proxy and follows redirects from an HTTP to a non-proxied HTTPS destination, the Proxy-Authorization header may be inadvertently sent to the final origin server. This could lead to the exposure of sensitive proxy credentials to an unintended third party.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44487"
},
{
"category": "external",
"summary": "RHBZ#2487948",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487948"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44487"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v",
"url": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v"
}
],
"release_date": "2026-06-11T15:38:25.150000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure of proxy credentials via redirect flows"
},
{
"cve": "CVE-2026-44488",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-11T17:01:36.836488+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487949"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Denial of Service due to unenforced request and response size limits",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Important: A denial of service flaw was found in Axios, a JavaScript HTTP client library. This issue arises when applications utilize the `fetch` adapter, as configured request and response size limits are not properly enforced. A remote attacker could exploit this by sending or receiving excessively large data bodies, leading to resource exhaustion and potential denial of service in affected server-side applications.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44488"
},
{
"category": "external",
"summary": "RHBZ#2487949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487949"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44488",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44488"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
}
],
"release_date": "2026-06-11T15:37:38.013000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Denial of Service due to unenforced request and response size limits"
},
{
"cve": "CVE-2026-44492",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2026-06-11T17:00:56.761751+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487938"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw in Axios, a JavaScript HTTP client library, that allows for a proxy bypass. When a `NO_PROXY` environment variable is configured to prevent direct connections to specific IPv4 addresses, an attacker can craft a request URL using the IPv4-mapped IPv6 address format. This bypasses the intended `NO_PROXY` exclusion, routing the request through the configured proxy and potentially exposing internal services or sensitive information, such as cloud instance metadata credentials.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44492"
},
{
"category": "external",
"summary": "RHBZ#2487938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44492",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44492"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv"
}
],
"release_date": "2026-06-11T15:29:13.890000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization"
},
{
"cve": "CVE-2026-44494",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-06-11T17:01:12.945664+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487942"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to escalate any existing Object.prototype pollution in an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in the Axios library allows an attacker to escalate existing prototype pollution vulnerabilities within an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. By injecting a malicious proxy configuration into the `Object.prototype`, an attacker can intercept, read, and modify all HTTP traffic, including sensitive authentication credentials, without direct user interaction. This poses a significant risk to data confidentiality and integrity in Red Hat products that utilize the Axios library.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44494"
},
{
"category": "external",
"summary": "RHBZ#2487942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487942"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44494",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44494"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh",
"url": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh"
}
],
"release_date": "2026-06-11T15:32:03.155000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution"
},
{
"cve": "CVE-2026-44495",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-06-11T17:00:53.999811+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487937"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure due to prototype pollution vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important vulnerability in Axios, a promise-based HTTP client, can lead to information disclosure, including credential theft and response hijacking, or denial of service. Exploitation requires a separate prototype pollution vulnerability in the same JavaScript process, allowing an attacker to control `Object.prototype.transformResponse`. Red Hat products using affected Axios versions are at risk if another component introduces such pollution.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44495"
},
{
"category": "external",
"summary": "RHBZ#2487937",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487937"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44495",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44495"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw",
"url": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw"
}
],
"release_date": "2026-06-11T15:33:12.433000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure due to prototype pollution vulnerability"
},
{
"cve": "CVE-2026-44496",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2026-06-11T17:01:15.856386+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487943"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in Axios can lead to a client-side Denial of Service. An attacker capable of influencing the XSRF cookie name within a browser environment could trigger excessive regular expression processing, causing the affected browser tab to freeze and degrade user availability. This issue specifically impacts browser-based applications and does not affect Node.js HTTP adapter usage, React Native, or web workers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44496"
},
{
"category": "external",
"summary": "RHBZ#2487943",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487943"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44496",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44496"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf"
}
],
"release_date": "2026-06-11T15:34:28.492000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name"
},
{
"cve": "CVE-2026-45736",
"cwe": {
"id": "CWE-824",
"name": "Access of Uninitialized Pointer"
},
"discovery_date": "2026-05-15T16:00:55.786944+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477914"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ws, an open source WebSocket client and server for Node.js. The `websocket.close()` implementation is vulnerable to uninitialized memory disclosure when a `TypedArray` is passed as the reason argument. This can lead to the disclosure of sensitive information from uninitialized memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ws: ws: Uninitialized memory disclosure via `websocket.close()` with `TypedArray`",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important vulnerability in the `ws` WebSocket library for Node.js could lead to sensitive information disclosure. The flaw occurs when a `TypedArray` is specifically provided as the `reason` argument to the `websocket.close()` function, potentially exposing uninitialized memory. Red Hat products utilizing this library may be affected if their implementations allow for such a crafted `close()` call.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-45736"
},
{
"category": "external",
"summary": "RHBZ#2477914",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477914"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-45736",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45736"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-45736",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45736"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086",
"url": "https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx",
"url": "https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx"
}
],
"release_date": "2026-05-15T14:53:57.263000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ws: ws: Uninitialized memory disclosure via `websocket.close()` with `TypedArray`"
},
{
"cve": "CVE-2026-47131",
"cwe": {
"id": "CWE-843",
"name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
},
"discovery_date": "2026-06-12T15:01:52.744009+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488393"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. A remote attacker can exploit this vulnerability by combining specific Buffer function calls and Node.js\u0027s ERR_INVALID_ARG_TYPE error. This allows the attacker to obtain the host\u0027s TypeError constructor, leading to an escape from the sandbox. Consequently, this enables attackers to run arbitrary code on the host system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vm2: vm2: Arbitrary code execution via sandbox escape vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has rated the impact of this vulnerability as Moderate in Red Hat Developer Hub and Ansible Automation Platform.The affected package is present in both products as a transitive dependency; however, the vulnerable sandbox functionality is not invoked in any production code path. The active sandboxing mechanism used by both products does not rely on this package, and user-supplied input cannot reach the vulnerable code under a standard deployment. Exploitation would require an attacker to independently route arbitrary JavaScript into the sandbox runtime, a condition not present in the default configuration of either product.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-47131"
},
{
"category": "external",
"summary": "RHBZ#2488393",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488393"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-47131",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47131"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/commit/27c525f4615e2b983f122e2bed327d810126f5c8",
"url": "https://github.com/patriksimek/vm2/commit/27c525f4615e2b983f122e2bed327d810126f5c8"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v6mx-mf47-r5wg",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v6mx-mf47-r5wg"
}
],
"release_date": "2026-06-12T14:14:17.037000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "vm2: vm2: Arbitrary code execution via sandbox escape vulnerability"
},
{
"cve": "CVE-2026-47135",
"cwe": {
"id": "CWE-1100",
"name": "Insufficient Isolation of System-Dependent Functions"
},
"discovery_date": "2026-06-12T15:02:02.154869+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488396"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. An attacker within the sandbox could exploit incomplete symbol interception and missing security checks to gain control over the host system. This could allow the attacker to execute arbitrary code outside the sandbox environment, leading to a complete compromise of the host.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vm2: vm2: Sandbox escape allows arbitrary code execution on the host system",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability has been rated as Moderate for Red Hat Developer Hub and Red Hat Ansible Automation Platform. The vm2 sandbox exists as a transitive dependency in Red Hat Developer Hub and is only utilized during build time. The sandbox is therefore not exposed on the production code path. Exploitation of this vulnerability requires attackers to write cross-realm symbol keys to host objects which is not possible in the default configuration of Red Hat Developer Hub.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-47135"
},
{
"category": "external",
"summary": "RHBZ#2488396",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488396"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-47135",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47135"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47135",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47135"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/commit/928aef51898b5c52a05f05a40c4cfeb52e172878",
"url": "https://github.com/patriksimek/vm2/commit/928aef51898b5c52a05f05a40c4cfeb52e172878"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-m5q2-4fm3-vfqp",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-m5q2-4fm3-vfqp"
}
],
"release_date": "2026-06-12T14:14:42.022000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "vm2: vm2: Sandbox escape allows arbitrary code execution on the host system"
},
{
"cve": "CVE-2026-47137",
"cwe": {
"id": "CWE-480",
"name": "Use of Incorrect Operator"
},
"discovery_date": "2026-06-12T15:01:24.611905+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488385"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. A remote attacker could bypass a security check designed to prevent the combination of nested environments and disabled module loading. This bypass occurs because a strict equality check for the `require` option can be circumvented by simply omitting the option, leading to an unintended configuration. Successful exploitation of this vulnerability could allow an attacker to escape the sandbox and achieve arbitrary code execution on the host system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vm2: vm2: Sandbox escape leading to arbitrary code execution via security bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has rated the impact of this vulnerability as Moderate in Red Hat Developer Hub and Ansible Automation Platform.The affected package is present in both products as a transitive dependency; however, the vulnerable sandbox functionality is not invoked in any production code path. The active sandboxing mechanism used by both products does not rely on this package, and user-supplied input cannot reach the vulnerable code under a standard deployment. Exploitation would require an attacker to independently route arbitrary JavaScript into the sandbox runtime, a condition not present in the default configuration of either product.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-47137"
},
{
"category": "external",
"summary": "RHBZ#2488385",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488385"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-47137",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47137"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-g644-9gfx-q4q4",
"url": "https://github.com/advisories/GHSA-g644-9gfx-q4q4"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/commit/01a7552add345d5a6862623884e6b79a85bf0568",
"url": "https://github.com/patriksimek/vm2/commit/01a7552add345d5a6862623884e6b79a85bf0568"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/commit/86ab819f202c3a8dad88cef5705f2e416c5188d7",
"url": "https://github.com/patriksimek/vm2/commit/86ab819f202c3a8dad88cef5705f2e416c5188d7"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr"
}
],
"release_date": "2026-06-12T14:15:34.795000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "vm2: vm2: Sandbox escape leading to arbitrary code execution via security bypass"
},
{
"cve": "CVE-2026-47139",
"cwe": {
"id": "CWE-1100",
"name": "Insufficient Isolation of System-Dependent Functions"
},
"discovery_date": "2026-06-12T15:01:31.104545+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488387"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in vm2, a Node.js sandbox. This vulnerability allows sandboxed code to bypass network restrictions by utilizing internal HTTP built-ins, such as _http_client and _http_server. An attacker can exploit this to make outbound HTTP requests or open listening HTTP sockets, even when public network modules are explicitly denied. This could lead to unauthorized information disclosure or further compromise of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vm2: vm2: Sandbox escape via internal HTTP built-ins leading to network restriction bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability has been rated as Moderate for Red Hat Developer Hub and Red Hat Ansible Automation Platform. The vm2 sandbox exists as a transitive dependency in Red Hat Developer Hub and is only utilized during build time. The sandbox is therefore not exposed on the production code path. Exploitation of this vulnerability requires attackers to access internal HTTP built-ins which is not possible in the default configuration of Red Hat Developer Hub.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-47139"
},
{
"category": "external",
"summary": "RHBZ#2488387",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488387"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-47139",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47139"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47139",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47139"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/commit/436053e30eecbabd487e2fd2959c137ac34e2bb1",
"url": "https://github.com/patriksimek/vm2/commit/436053e30eecbabd487e2fd2959c137ac34e2bb1"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-r9pm-gxmw-wv6p",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-r9pm-gxmw-wv6p"
}
],
"release_date": "2026-06-12T14:15:44.652000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "vm2: vm2: Sandbox escape via internal HTTP built-ins leading to network restriction bypass"
},
{
"cve": "CVE-2026-47140",
"cwe": {
"id": "CWE-184",
"name": "Incomplete List of Disallowed Inputs"
},
"discovery_date": "2026-06-12T15:01:11.705175+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488381"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows sandboxed code to bypass intended security restrictions by exploiting missing entries in the denylist for dangerous Node.js built-in functions, specifically `process` and `inspector/promises`. A remote attacker can leverage this to execute arbitrary code in the host process, leading to a complete compromise of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vm2: vm2: Arbitrary code execution due to incomplete sandbox restrictions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has rated the impact of this vulnerability as Moderate in Red Hat Developer Hub and Ansible Automation Platform.The affected package is present in both products as a transitive dependency; however, the vulnerable sandbox functionality is not invoked in any production code path. The active sandboxing mechanism used by both products does not rely on this package, and user-supplied input cannot reach the vulnerable code under a standard deployment. Exploitation would require an attacker to independently route arbitrary JavaScript into the sandbox runtime, a condition not present in the default configuration of either product.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-47140"
},
{
"category": "external",
"summary": "RHBZ#2488381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488381"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-47140",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47140"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47140",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47140"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b",
"url": "https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4"
}
],
"release_date": "2026-06-12T14:16:10.727000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "vm2: vm2: Arbitrary code execution due to incomplete sandbox restrictions"
},
{
"cve": "CVE-2026-47141",
"cwe": {
"id": "CWE-653",
"name": "Improper Isolation or Compartmentalization"
},
"discovery_date": "2026-06-12T15:01:05.444374+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488379"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. Prior to version 3.11.4, NodeVM, a component of vm2, improperly exposed certain process-wide observability builtins, such as diagnostics_channel, async_hooks, and perf_hooks. These builtins, which are designed for monitoring and debugging, were not adequately blocked by the dangerous builtin denylist. This oversight allowed sandboxed code to observe sensitive host application data, leading to information disclosure across the vm2 security boundary.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vm2: vm2: NodeVM observability builtins leak host process and HTTP request data",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability has been rated as Moderate for Red Hat Developer Hub and Red Hat Ansible Automation Platform. The vm2 sandbox exists as a transitive dependency in Red Hat Developer Hub and is only utilized during build time. The sandbox is therefore not exposed on the production code path. Exploitation of this vulnerability requires attackers to access process-wide observability builtins which is not possible in the default configuration of Red Hat Developer Hub.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-47141"
},
{
"category": "external",
"summary": "RHBZ#2488379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-47141",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47141"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/commit/e1c48fce05189f48e71efbd32af0754efa4066bb",
"url": "https://github.com/patriksimek/vm2/commit/e1c48fce05189f48e71efbd32af0754efa4066bb"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-9g8x-92q2-p28f",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-9g8x-92q2-p28f"
}
],
"release_date": "2026-06-12T14:17:35.970000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "vm2: vm2: NodeVM observability builtins leak host process and HTTP request data"
},
{
"cve": "CVE-2026-47208",
"discovery_date": "2026-06-12T15:01:14.630546+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488382"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows an attacker to escape the sandbox environment by writing malicious code. Successful exploitation can lead to arbitrary code execution on the host system, compromising the integrity and confidentiality of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vm2: vm2: Sandbox Breakout Using Promise Species",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Exploitation requires an attacker to supply untrusted malicious code to the vm2 sandbox, which is easily achieved since the component\u0027s main purpose is to execute untrusted code.\n\nEscaping the sandbox completely bypasses the intended security boundaries, leading directly to arbitrary code execution on the host system and a full compromise of confidentiality and integrity",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-47208"
},
{
"category": "external",
"summary": "RHBZ#2488382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488382"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-47208",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47208"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47208",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47208"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/commit/a462655009669c3124ee39498121651597529ea8",
"url": "https://github.com/patriksimek/vm2/commit/a462655009669c3124ee39498121651597529ea8"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-76w7-j9cq-rx2j",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-76w7-j9cq-rx2j"
}
],
"release_date": "2026-06-12T14:16:22.726000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "vm2: vm2: Sandbox Breakout Using Promise Species"
},
{
"cve": "CVE-2026-47210",
"cwe": {
"id": "CWE-653",
"name": "Improper Isolation or Compartmentalization"
},
"discovery_date": "2026-06-12T15:01:38.846673+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488389"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This sandbox escape vulnerability allows an attacker to execute arbitrary code in the host process. This occurs when untrusted code is executed with asynchronous (async) support on runtimes that expose WebAssembly JavaScript Promise Integration (JSPI). Specifically, a JSPI-backed Promise can bypass expected Promise-species hardening, exposing a host-originated rejection object to attacker-controlled logic and breaking the sandbox boundary.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vm2: vm2: Arbitrary code execution via sandbox escape when executing untrusted code with async support.",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has rated the impact of this vulnerability as Moderate in Red Hat Developer Hub and Ansible Automation Platform.The affected package is present in both products as a transitive dependency; however, the vulnerable sandbox functionality is not invoked in any production code path. The active sandboxing mechanism used by both products does not rely on this package, and user-supplied input cannot reach the vulnerable code under a standard deployment. Exploitation would require an attacker to independently route arbitrary JavaScript into the sandbox runtime, a condition not present in the default configuration of either product.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-47210"
},
{
"category": "external",
"summary": "RHBZ#2488389",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488389"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-47210",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47210"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47210",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47210"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/commit/6915fa4d9bcebd47b9a4f39a1adc1aa94ef6ffc6",
"url": "https://github.com/patriksimek/vm2/commit/6915fa4d9bcebd47b9a4f39a1adc1aa94ef6ffc6"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-6j2x-vhqr-qr7q",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-6j2x-vhqr-qr7q"
}
],
"release_date": "2026-06-12T14:17:22.653000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "vm2: vm2: Arbitrary code execution via sandbox escape when executing untrusted code with async support."
},
{
"cve": "CVE-2026-48779",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-06-16T22:01:24.571224+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2489661"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in the `ws` WebSocket library. A remote attacker can exploit this flaw by sending a high volume of small, fragmented data, leading to excessive memory consumption and subsequent process termination. This can result in service disruption for Red Hat products that utilize `ws` for WebSocket communication.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48779"
},
{
"category": "external",
"summary": "RHBZ#2489661",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489661"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48779",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48779"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48779",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48779"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7",
"url": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53",
"url": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94",
"url": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8",
"url": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p",
"url": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p"
}
],
"release_date": "2026-06-16T21:26:22.537000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T13:07:12+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36754"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:61883f5228095e3a3fd5b7daf60e29a5ffd053844f8661a2b5282a77c086dc02_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-must-gather-rhel9@sha256:aacbef97f59305a91db44c3c92c34509027b3d2a4ece07716e6fe8b217dd5ee1_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:d4208a03e389fe82e7da2d27c491251e6d43a0b473aa80d3e6a351c77582a92a_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rag-content-rhel9@sha256:bea9305c453e377dfe6abf20076aec408efe2cbcf05f5a1c04c9b2d2f288bd65_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:0856143fa78dbbd74c1c068c75c265451698913608009f40600bb7c46928739b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments"
}
]
}
RHSA-2026:41066
Vulnerability from csaf_redhat - Published: 2026-07-16 19:46 - Updated: 2026-07-19 13:46A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by crafting a malicious Uniform Resource Identifier (URI) that contains percent-encoded authority delimiters. The fast-uri library incorrectly decodes these delimiters during normalization and then re-emits them as raw separators, which can change the URI's intended authority. This issue allows applications that perform host allowlist checks, redirect validation, or outbound request routing to be steered to a different authority than specified, potentially bypassing security controls.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
A flaw was found in kafka-python. A malicious or machine-in-the-middle broker could exploit a denial-of-service vulnerability during SCRAM authentication. By providing an excessively large iteration count, the broker can cause the client's event loop to freeze. This prevents critical operations such as sending messages, polling for new messages, and maintaining heartbeats, ultimately leading to consumer group eviction and persistent connection failures.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return (CR), line feed (LF), or double-quote (") characters into the `field` argument of `FormData#append` or the `filename` option. This allows the attacker to inject additional headers or smuggle entire additional multipart parts into requests, potentially enabling them to add or override form fields and compromise data integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in fast-uri. This vulnerability occurs because fast-uri fails to properly convert Unicode (Internationalized Domain Name - IDN) hostnames for HTTP-family URLs. This can lead to a situation where security policies, such as denylists or redirect validations, are bypassed when applications use fast-uri to enforce these policies before passing the URL to another parser. A remote attacker could exploit this to circumvent security controls and potentially access unauthorized resources or perform malicious redirects.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
A flaw was found in the `net/mail` package of the Go programming language. An attacker could provide specially crafted inputs to the `ParseAddress`, `ParseAddressList`, or `ParseDate` functions. This could lead to excessive consumption of CPU and memory resources, resulting in a Denial of Service (DoS) for applications processing these inputs.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname (for example, xn--example-.com returns example.com instead of an error). Applications that validate the ASCII form then convert to Unicode may grant access to a restricted hostname the ASCII check would have rejected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in golang.org/x/crypto/ssh. A remote attacker could exploit this vulnerability when an SSH server authentication callback returned a PartialSuccessError with non-nil permissions. This flaw caused these permissions to be silently discarded, potentially bypassing certificate restrictions, such as a force-command, after a second authentication factor succeeded. This could lead to unauthorized command execution or access.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in golang.org/x/crypto/ssh. The RSA and DSA public key parsers in the affected component did not enforce size limits on key parameters. This vulnerability allows an unauthenticated client to provide a crafted public key with an excessively large modulus or DSA parameter during public key authentication. Successful exploitation could lead to a denial of service (DoS) due to prolonged CPU consumption during signature verification.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in golang.org/x/crypto/ssh. A remote malicious SSH peer can exploit this by sending unsolicited global request responses, which fills an internal buffer and blocks the connection's read loop. This prevents the associated resources from being released, leading to a resource leak per connection. The consequence is a Denial of Service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in golang.org/x/crypto/ssh. The Verify() method, responsible for FIDO/U2F security key types, did not properly check for user presence. This allowed signatures to be accepted without requiring a physical touch on the hardware security key. As a result, an attacker could potentially use a hardware security key in an unattended manner, bypassing a critical security control designed to ensure user intent.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
A flaw was found in golang.org/x/crypto/ssh/agent. When a key was added to a remote agent, security restrictions, known as constraint extensions, were not properly processed during the request. This allowed these restrictions to be silently removed when keys were forwarded, leading to the unrestricted use of the key on the remote host. This vulnerability could enable an attacker to bypass intended security controls and perform unauthorized actions.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in golang.org/x/crypto/ssh. SSH servers configured to use CertChecker as a public key callback, without explicitly setting IsUserAuthority or IsHostAuthority, are vulnerable. A remote attacker can exploit this by presenting a specially crafted certificate, causing the server to panic and resulting in a Denial of Service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution "Gadget" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in Prometheus, an open-source monitoring system. The `client_secret` field within the Azure Active Directory (AD) remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access to the `/-/config` HTTP API endpoint to view the Azure OAuth client secret in plaintext. This vulnerability leads to information disclosure, potentially compromising the security of integrated Azure AD services.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
A flaw was found in Prometheus. An unauthenticated attacker can exploit the remote read endpoint (`/api/v1/read`) by sending a specially crafted, small snappy-compressed payload. This payload causes a disproportionately large memory allocation, leading to memory exhaustion and a Denial of Service (DoS) by crashing the Prometheus process.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
A flaw was found in the `net/mail` package within the Go standard library. A remote attacker could provide specially crafted, pathological email addresses. When these malformed email addresses are parsed by the `consumePhrase` function, it can lead to excessive resource consumption due to quadratic string concatenation, resulting in a Denial of Service (DoS) condition.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in the Golang MIME (Multipurpose Internet Mail Extensions) package. A remote attacker could exploit this vulnerability by sending a maliciously-crafted MIME header containing many invalid encoded-words. This could lead to excessive CPU consumption, resulting in a Denial of Service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in golang.org/x/crypto/ssh/knownhosts. This vulnerability occurs because the system did not correctly check for the revocation status of a SignatureKey belonging to a Certificate Authority (CA). A remote attacker could potentially exploit this by presenting a revoked key, leading to the system accepting it as valid. This could allow an attacker to bypass security checks and potentially gain unauthorized access or spoof legitimate entities.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
A flaw was found in urllib3, an HTTP client library for Python. This vulnerability allows a remote attacker to cause excessive resource consumption, such as high CPU usage and massive memory allocation, on the client side. This occurs when urllib3 attempts to decompress an entire HTTP response, even if only a partial read was requested, or when draining the connection after a partial decompression. This can lead to a Denial of Service (DoS) condition.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in Axios. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to escalate any existing Object.prototype pollution in an application's dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in the `sanitize-html` library. Under its default configuration, an attacker can embed malicious content within a disallowed `xmp` element. This vulnerability allows the attacker to bypass the HTML sanitization process, leading to stored Cross-Site Scripting (XSS). Successful exploitation can result in arbitrary code execution or information disclosure when a user views the affected content.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in the `decode-uri-component` library. This vulnerability allows a remote attacker to trigger a Denial of Service (DoS) by submitting specially crafted input. The `decode()` function, when processing a large number of encoded URI components, consumes excessive CPU resources, which can lead to the application becoming unresponsive and unavailable.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in golang.org/x/crypto/ssh. A remote attacker could send specially crafted inputs to the AES-GCM packet decoder. This could lead to an incorrectly placed cast from bytes to an integer, causing a server-side panic and resulting in a Denial of Service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
Workaround
|
A flaw was found in PyJWT, a Python library for JSON Web Token (JWT) implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys (JWK) in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the secret key for the HMAC algorithm, leading to the ability to forge JWTs. This vulnerability can result in authentication bypass or unauthorized access.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 | — | ||
| Unresolved product id: Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat Quay 3.16.5 is now available with bug fixes.",
"title": "Topic"
},
{
"category": "general",
"text": "Quay 3.16.5",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:41066",
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-10143",
"url": "https://access.redhat.com/security/cve/CVE-2026-10143"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-12143",
"url": "https://access.redhat.com/security/cve/CVE-2026-12143"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-13676",
"url": "https://access.redhat.com/security/cve/CVE-2026-13676"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32281",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32591",
"url": "https://access.redhat.com/security/cve/CVE-2026-32591"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39820",
"url": "https://access.redhat.com/security/cve/CVE-2026-39820"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39821",
"url": "https://access.redhat.com/security/cve/CVE-2026-39821"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39828",
"url": "https://access.redhat.com/security/cve/CVE-2026-39828"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39829",
"url": "https://access.redhat.com/security/cve/CVE-2026-39829"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39830",
"url": "https://access.redhat.com/security/cve/CVE-2026-39830"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39831",
"url": "https://access.redhat.com/security/cve/CVE-2026-39831"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39832",
"url": "https://access.redhat.com/security/cve/CVE-2026-39832"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39835",
"url": "https://access.redhat.com/security/cve/CVE-2026-39835"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42044",
"url": "https://access.redhat.com/security/cve/CVE-2026-42044"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42151",
"url": "https://access.redhat.com/security/cve/CVE-2026-42151"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42154",
"url": "https://access.redhat.com/security/cve/CVE-2026-42154"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42499",
"url": "https://access.redhat.com/security/cve/CVE-2026-42499"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42504",
"url": "https://access.redhat.com/security/cve/CVE-2026-42504"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42508",
"url": "https://access.redhat.com/security/cve/CVE-2026-42508"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44432",
"url": "https://access.redhat.com/security/cve/CVE-2026-44432"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44486",
"url": "https://access.redhat.com/security/cve/CVE-2026-44486"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44487",
"url": "https://access.redhat.com/security/cve/CVE-2026-44487"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44488",
"url": "https://access.redhat.com/security/cve/CVE-2026-44488"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44492",
"url": "https://access.redhat.com/security/cve/CVE-2026-44492"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44494",
"url": "https://access.redhat.com/security/cve/CVE-2026-44494"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44495",
"url": "https://access.redhat.com/security/cve/CVE-2026-44495"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44496",
"url": "https://access.redhat.com/security/cve/CVE-2026-44496"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44990",
"url": "https://access.redhat.com/security/cve/CVE-2026-44990"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-45822",
"url": "https://access.redhat.com/security/cve/CVE-2026-45822"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-46597",
"url": "https://access.redhat.com/security/cve/CVE-2026-46597"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48526",
"url": "https://access.redhat.com/security/cve/CVE-2026-48526"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-6322",
"url": "https://access.redhat.com/security/cve/CVE-2026-6322"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-9277",
"url": "https://access.redhat.com/security/cve/CVE-2026-9277"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_41066.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Quay 3.16.5",
"tracking": {
"current_release_date": "2026-07-19T13:46:38+00:00",
"generator": {
"date": "2026-07-19T13:46:38+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.7"
}
},
"id": "RHSA-2026:41066",
"initial_release_date": "2026-07-16T19:46:27+00:00",
"revision_history": [
{
"date": "2026-07-16T19:46:27+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-18T05:32:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-19T13:46:38+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Quay 3.16",
"product": {
"name": "Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quay:3.16::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Quay"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"product": {
"name": "registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"product_id": "registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/quay-container-security-operator-bundle@sha256%3A892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-container-security-operator-bundle\u0026tag=1783749869"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"product": {
"name": "registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"product_id": "registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/quay-container-security-operator-rhel9@sha256%3A45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-container-security-operator-rhel9\u0026tag=1783748085"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"product": {
"name": "registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"product_id": "registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"product_identification_helper": {
"purl": "pkg:oci/quay-bridge-operator-bundle@sha256%3A1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-bridge-operator-bundle\u0026tag=1783749615"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"product": {
"name": "registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"product_id": "registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"product_identification_helper": {
"purl": "pkg:oci/quay-bridge-operator-rhel9@sha256%3A7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-bridge-operator-rhel9\u0026tag=1783748414"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"product": {
"name": "registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"product_id": "registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"product_identification_helper": {
"purl": "pkg:oci/quay-builder-qemu-rhcos-rhel8@sha256%3A6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8\u0026tag=1783748503"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"product": {
"name": "registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"product_id": "registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/quay-builder-rhel9@sha256%3A75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-builder-rhel9\u0026tag=1783748231"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"product": {
"name": "registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"product_id": "registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"product_identification_helper": {
"purl": "pkg:oci/clair-rhel9@sha256%3Aad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143?arch=amd64\u0026repository_url=registry.redhat.io/quay/clair-rhel9\u0026tag=1783749100"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"product": {
"name": "registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"product_id": "registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/quay-operator-bundle@sha256%3Aca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-operator-bundle\u0026tag=1783961339"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"product": {
"name": "registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"product_id": "registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/quay-operator-rhel9@sha256%3Ab17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-operator-rhel9\u0026tag=1783748063"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"product": {
"name": "registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"product_id": "registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/quay-rhel9@sha256%3A71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-rhel9\u0026tag=1783955846"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"product": {
"name": "registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"product_id": "registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/quay-container-security-operator-rhel9@sha256%3A6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42?arch=ppc64le\u0026repository_url=registry.redhat.io/quay/quay-container-security-operator-rhel9\u0026tag=1783748085"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"product": {
"name": "registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"product_id": "registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/quay-bridge-operator-rhel9@sha256%3A3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358?arch=ppc64le\u0026repository_url=registry.redhat.io/quay/quay-bridge-operator-rhel9\u0026tag=1783748414"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"product": {
"name": "registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"product_id": "registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/quay-builder-rhel9@sha256%3A30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544?arch=ppc64le\u0026repository_url=registry.redhat.io/quay/quay-builder-rhel9\u0026tag=1783748231"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"product": {
"name": "registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"product_id": "registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/clair-rhel9@sha256%3A7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94?arch=ppc64le\u0026repository_url=registry.redhat.io/quay/clair-rhel9\u0026tag=1783749100"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"product": {
"name": "registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"product_id": "registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/quay-operator-rhel9@sha256%3A3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238?arch=ppc64le\u0026repository_url=registry.redhat.io/quay/quay-operator-rhel9\u0026tag=1783748063"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"product": {
"name": "registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"product_id": "registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/quay-rhel9@sha256%3A197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9?arch=ppc64le\u0026repository_url=registry.redhat.io/quay/quay-rhel9\u0026tag=1783955846"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"product": {
"name": "registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"product_id": "registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"product_identification_helper": {
"purl": "pkg:oci/quay-container-security-operator-rhel9@sha256%3Aa557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840?arch=s390x\u0026repository_url=registry.redhat.io/quay/quay-container-security-operator-rhel9\u0026tag=1783748085"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"product": {
"name": "registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"product_id": "registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"product_identification_helper": {
"purl": "pkg:oci/quay-bridge-operator-rhel9@sha256%3Af51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293?arch=s390x\u0026repository_url=registry.redhat.io/quay/quay-bridge-operator-rhel9\u0026tag=1783748414"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"product": {
"name": "registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"product_id": "registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"product_identification_helper": {
"purl": "pkg:oci/quay-builder-rhel9@sha256%3A50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484?arch=s390x\u0026repository_url=registry.redhat.io/quay/quay-builder-rhel9\u0026tag=1783748231"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"product": {
"name": "registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"product_id": "registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"product_identification_helper": {
"purl": "pkg:oci/clair-rhel9@sha256%3Aa4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158?arch=s390x\u0026repository_url=registry.redhat.io/quay/clair-rhel9\u0026tag=1783749100"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"product": {
"name": "registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"product_id": "registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"product_identification_helper": {
"purl": "pkg:oci/quay-operator-rhel9@sha256%3Ac65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4?arch=s390x\u0026repository_url=registry.redhat.io/quay/quay-operator-rhel9\u0026tag=1783748063"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"product": {
"name": "registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"product_id": "registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"product_identification_helper": {
"purl": "pkg:oci/quay-rhel9@sha256%3A5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b?arch=s390x\u0026repository_url=registry.redhat.io/quay/quay-rhel9\u0026tag=1783955846"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64",
"product": {
"name": "registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64",
"product_id": "registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64",
"product_identification_helper": {
"purl": "pkg:oci/quay-rhel9@sha256%3Afe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230?arch=arm64\u0026repository_url=registry.redhat.io/quay/quay-rhel9\u0026tag=1783955846"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le"
},
"product_reference": "registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x"
},
"product_reference": "registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64 as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64"
},
"product_reference": "registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64 as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64"
},
"product_reference": "registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le"
},
"product_reference": "registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64 as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64"
},
"product_reference": "registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x"
},
"product_reference": "registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64 as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64"
},
"product_reference": "registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le"
},
"product_reference": "registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x"
},
"product_reference": "registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64 as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64"
},
"product_reference": "registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64 as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64"
},
"product_reference": "registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64 as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64"
},
"product_reference": "registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le"
},
"product_reference": "registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x"
},
"product_reference": "registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64 as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64"
},
"product_reference": "registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le"
},
"product_reference": "registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64 as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64"
},
"product_reference": "registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
},
"product_reference": "registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le"
},
"product_reference": "registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x"
},
"product_reference": "registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64 as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64"
},
"product_reference": "registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"relates_to_product_reference": "Red Hat Quay 3.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64 as a component of Red Hat Quay 3.16",
"product_id": "Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
},
"product_reference": "registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64",
"relates_to_product_reference": "Red Hat Quay 3.16"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-6322",
"cwe": {
"id": "CWE-140",
"name": "Improper Neutralization of Delimiters"
},
"discovery_date": "2026-05-05T11:01:00.332189+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2466684"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by crafting a malicious Uniform Resource Identifier (URI) that contains percent-encoded authority delimiters. The fast-uri library incorrectly decodes these delimiters during normalization and then re-emits them as raw separators, which can change the URI\u0027s intended authority. This issue allows applications that perform host allowlist checks, redirect validation, or outbound request routing to be steered to a different authority than specified, potentially bypassing security controls.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "fast-uri: fast-uri: URI authority bypass due to improper delimiter handling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in the `fast-uri` library allows an attacker to bypass security controls in Red Hat products that process Uniform Resource Identifiers (URIs). By crafting a malicious URI with percent-encoded authority delimiters, an attacker can cause the library to incorrectly interpret the URI\u0027s authority, potentially redirecting applications to an unintended domain. This could lead to a bypass of host allowlist checks, redirect validation, or outbound request routing.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-6322"
},
{
"category": "external",
"summary": "RHBZ#2466684",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466684"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-6322",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6322"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6322",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6322"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc",
"url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc"
}
],
"release_date": "2026-05-05T10:29:16.378000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "fast-uri: fast-uri: URI authority bypass due to improper delimiter handling"
},
{
"cve": "CVE-2026-9277",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2026-05-22T14:01:14.427751+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480741"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9277"
},
{
"category": "external",
"summary": "RHBZ#2480741",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480741"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9277",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9277"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote",
"url": "https://github.com/ljharb/shell-quote"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote/commit/1518179",
"url": "https://github.com/ljharb/shell-quote/commit/1518179"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p",
"url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/shell-quote",
"url": "https://www.npmjs.com/package/shell-quote"
}
],
"release_date": "2026-05-22T13:22:38.873000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators"
},
{
"cve": "CVE-2026-10143",
"cwe": {
"id": "CWE-606",
"name": "Unchecked Input for Loop Condition"
},
"discovery_date": "2026-06-10T21:02:14.712750+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487722"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in kafka-python. A malicious or machine-in-the-middle broker could exploit a denial-of-service vulnerability during SCRAM authentication. By providing an excessively large iteration count, the broker can cause the client\u0027s event loop to freeze. This prevents critical operations such as sending messages, polling for new messages, and maintaining heartbeats, ultimately leading to consumer group eviction and persistent connection failures.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kafka-python: kafka-python: Denial of Service via excessive SCRAM authentication iteration count",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-10143"
},
{
"category": "external",
"summary": "RHBZ#2487722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487722"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-10143",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-10143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-10143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10143"
},
{
"category": "external",
"summary": "https://github.com/dpkp/kafka-python/commit/6e4831444f972d169cdd11f5c8d50333cea3f19b",
"url": "https://github.com/dpkp/kafka-python/commit/6e4831444f972d169cdd11f5c8d50333cea3f19b"
},
{
"category": "external",
"summary": "https://github.com/dpkp/kafka-python/pull/3019",
"url": "https://github.com/dpkp/kafka-python/pull/3019"
},
{
"category": "external",
"summary": "https://github.com/dpkp/kafka-python/pull/3026",
"url": "https://github.com/dpkp/kafka-python/pull/3026"
},
{
"category": "external",
"summary": "https://www.vulncheck.com/advisories/kafka-python-prior-to-dos-via-scram-iteration-count-in-scram-py",
"url": "https://www.vulncheck.com/advisories/kafka-python-prior-to-dos-via-scram-iteration-count-in-scram-py"
}
],
"release_date": "2026-06-10T20:22:39.262000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "kafka-python: kafka-python: Denial of Service via excessive SCRAM authentication iteration count"
},
{
"cve": "CVE-2026-12143",
"cwe": {
"id": "CWE-93",
"name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
},
"discovery_date": "2026-06-12T19:00:57.360953+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488480"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return (CR), line feed (LF), or double-quote (\") characters into the `field` argument of `FormData#append` or the `filename` option. This allows the attacker to inject additional headers or smuggle entire additional multipart parts into requests, potentially enabling them to add or override form fields and compromise data integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "form-data: form-data: Form field override via CRLF injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important impact flaw in the form-data library: a remote attacker can inject arbitrary headers or additional multipart parts via CRLF injection in field names or filenames, potentially overriding sensitive form fields and affecting data integrity.\n\nFor RHOAI and RHEL AI, severity is Moderate because affected versions appear only as a transitive npm dependency in RHOAI (dashboard, mod-arch plugins, MLflow UI) and RHEL AI 3.4 bootc images, and those products use fixed field names for uploads rather than passing untrusted user input as multipart field names or filenames. The documented exploit path is therefore not reachable in default deployments. Practical impact is limited to non-default or custom integrations that forward multipart requests using attacker-controlled field names.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-12143"
},
{
"category": "external",
"summary": "RHBZ#2488480",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488480"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-12143",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-12143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-12143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12143"
},
{
"category": "external",
"summary": "https://cwe.mitre.org/data/definitions/93.html",
"url": "https://cwe.mitre.org/data/definitions/93.html"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435",
"url": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229",
"url": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045",
"url": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx",
"url": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx"
},
{
"category": "external",
"summary": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data",
"url": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/form-data",
"url": "https://www.npmjs.com/package/form-data"
}
],
"release_date": "2026-06-12T18:01:30.362000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Applications using the `form-data` library should implement strict input validation and sanitization for all field names and filenames derived from untrusted sources. This prevents the injection of control characters (CR, LF, \") that could lead to header injection or form field overrides. Deployments that exclusively use fixed or trusted field names are not impacted.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "form-data: form-data: Form field override via CRLF injection"
},
{
"cve": "CVE-2026-13676",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-06-29T14:01:55.592330+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2494197"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in fast-uri. This vulnerability occurs because fast-uri fails to properly convert Unicode (Internationalized Domain Name - IDN) hostnames for HTTP-family URLs. This can lead to a situation where security policies, such as denylists or redirect validations, are bypassed when applications use fast-uri to enforce these policies before passing the URL to another parser. A remote attacker could exploit this to circumvent security controls and potentially access unauthorized resources or perform malicious redirects.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "fast-uri: fast-uri: Security policy bypass due to improper Unicode hostname canonicalization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in `fast-uri` allows a remote attacker to bypass host-based security policies. Applications that rely on `fast-uri` for URL parsing and policy enforcement, such as denylists or redirect validations, can be circumvented due to inconsistent handling of Unicode hostnames. This discrepancy between `fast-uri` and other URL parsers could lead to unauthorized resource access or malicious redirects in affected Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-13676"
},
{
"category": "external",
"summary": "RHBZ#2494197",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494197"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-13676",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-13676"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-13676",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13676"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/fastify/fast-uri/security/advisories/GHSA-4c8g-83qw-93j6",
"url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-4c8g-83qw-93j6"
}
],
"release_date": "2026-06-29T13:22:44.674000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "fast-uri: fast-uri: Security policy bypass due to improper Unicode hostname canonicalization"
},
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
},
{
"acknowledgments": [
{
"names": [
"Antony Di Scala",
"Michael Whale"
]
}
],
"cve": "CVE-2026-32591",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2026-03-12T15:09:38.210000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2446965"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Red Hat Quay\u0027s Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mirror-registry: quay: server-side request forgery in proxy cache upstream registry configuration",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Exploitation requires the attacker to be authenticated as an organization administrator.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32591"
},
{
"category": "external",
"summary": "RHBZ#2446965",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446965"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32591",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32591"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32591",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32591"
}
],
"release_date": "2026-04-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mirror-registry: quay: server-side request forgery in proxy cache upstream registry configuration"
},
{
"cve": "CVE-2026-39820",
"cwe": {
"id": "CWE-606",
"name": "Unchecked Input for Loop Condition"
},
"discovery_date": "2026-05-07T20:01:27.800929+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2467820"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `net/mail` package of the Go programming language. An attacker could provide specially crafted inputs to the `ParseAddress`, `ParseAddressList`, or `ParseDate` functions. This could lead to excessive consumption of CPU and memory resources, resulting in a Denial of Service (DoS) for applications processing these inputs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/mail: golang: Go net/mail: Denial of Service via crafted email inputs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in the Go `net/mail` package. Applications processing untrusted email inputs via `ParseAddress`, `ParseAddressList`, or `ParseDate` functions are susceptible to excessive resource consumption, which can lead to service unavailability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39820"
},
{
"category": "external",
"summary": "RHBZ#2467820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467820"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39820",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39820"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39820",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39820"
},
{
"category": "external",
"summary": "https://go.dev/cl/759940",
"url": "https://go.dev/cl/759940"
},
{
"category": "external",
"summary": "https://go.dev/issue/78566",
"url": "https://go.dev/issue/78566"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M",
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4986",
"url": "https://pkg.go.dev/vuln/GO-2026-4986"
}
],
"release_date": "2026-05-07T19:41:19.854000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "net/mail: golang: Go net/mail: Denial of Service via crafted email inputs"
},
{
"cve": "CVE-2026-39821",
"cwe": {
"id": "CWE-1289",
"name": "Improper Validation of Unsafe Equivalence in Input"
},
"discovery_date": "2026-05-22T16:00:52.844126+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480756"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname (for example, xn--example-.com returns example.com instead of an error). Applications that validate the ASCII form then convert to Unicode may grant access to a restricted hostname the ASCII check would have rejected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/net/idna: golang: net/http: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "golang.org/x/net/idna is vulnerable to privilege escalation through incorrect Punycode label handling in ToASCII and ToUnicode. An attacker who can supply a Punycode hostname that passes an ASCII-only authorization check may have it normalized to a restricted ASCII name the application intended to block. Red Hat exposure is broad across products shipping the Go toolchain or bundling golang.org/x/net, including RHEL and RHEL-AI golang RPMs, hummingbird Go runtimes, OpenShift and ODF container builds, and Ceph/OpenShift components compiled against affected x/net versions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39821"
},
{
"category": "external",
"summary": "RHBZ#2480756",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480756"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39821",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39821"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821"
},
{
"category": "external",
"summary": "https://go.dev/cl/767220",
"url": "https://go.dev/cl/767220"
},
{
"category": "external",
"summary": "https://go.dev/issue/78760",
"url": "https://go.dev/issue/78760"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8",
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5026",
"url": "https://pkg.go.dev/vuln/GO-2026-5026"
}
],
"release_date": "2026-05-22T15:01:21.462000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Upgrade to a fixed golang.org/x/net release that includes the idna correction, via updated golang or dependent package rebuilds.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/net/idna: golang: net/http: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing"
},
{
"cve": "CVE-2026-39828",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-05-22T04:01:46.775641+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480687"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/crypto/ssh. A remote attacker could exploit this vulnerability when an SSH server authentication callback returned a PartialSuccessError with non-nil permissions. This flaw caused these permissions to be silently discarded, potentially bypassing certificate restrictions, such as a force-command, after a second authentication factor succeeded. This could lead to unauthorized command execution or access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important security flaw in the `golang.org/x/crypto/ssh` library. When an SSH server utilizing this library is configured with specific authentication callbacks that return a `PartialSuccessError` with non-nil permissions, an attacker could bypass intended certificate restrictions, such as `force-command`. This bypass could lead to unauthorized command execution or access on affected Red Hat systems configured with multi-factor authentication and certificate-based access controls.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39828"
},
{
"category": "external",
"summary": "RHBZ#2480687",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480687"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39828",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39828"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39828",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39828"
},
{
"category": "external",
"summary": "https://go.dev/cl/781621",
"url": "https://go.dev/cl/781621"
},
{
"category": "external",
"summary": "https://go.dev/issue/79562",
"url": "https://go.dev/issue/79562"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5014",
"url": "https://pkg.go.dev/vuln/GO-2026-5014"
}
],
"release_date": "2026-05-22T02:31:26.883000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions"
},
{
"cve": "CVE-2026-39829",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"discovery_date": "2026-05-22T04:01:30.092249+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480681"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/crypto/ssh. The RSA and DSA public key parsers in the affected component did not enforce size limits on key parameters. This vulnerability allows an unauthenticated client to provide a crafted public key with an excessively large modulus or DSA parameter during public key authentication. Successful exploitation could lead to a denial of service (DoS) due to prolonged CPU consumption during signature verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in golang.org/x/crypto/ssh is rated as Important. An unauthenticated remote attacker could trigger a denial of service by providing a specially crafted public key with excessively large parameters during SSH public key authentication. This could lead to prolonged CPU consumption on the server, impacting service availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39829"
},
{
"category": "external",
"summary": "RHBZ#2480681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39829",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39829"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39829",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39829"
},
{
"category": "external",
"summary": "https://go.dev/cl/781641",
"url": "https://go.dev/cl/781641"
},
{
"category": "external",
"summary": "https://go.dev/cl/781661",
"url": "https://go.dev/cl/781661"
},
{
"category": "external",
"summary": "https://go.dev/issue/79565",
"url": "https://go.dev/issue/79565"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5018",
"url": "https://pkg.go.dev/vuln/GO-2026-5018"
}
],
"release_date": "2026-05-22T02:31:27.324000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters"
},
{
"cve": "CVE-2026-39830",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"discovery_date": "2026-05-22T04:01:38.517202+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480684"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/crypto/ssh. A remote malicious SSH peer can exploit this by sending unsolicited global request responses, which fills an internal buffer and blocks the connection\u0027s read loop. This prevents the associated resources from being released, leading to a resource leak per connection. The consequence is a Denial of Service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service flaw in `golang.org/x/crypto/ssh`. A remote, unauthenticated attacker can exploit this vulnerability by sending unsolicited global request responses to an affected SSH server, leading to resource exhaustion and a denial of service. The impact is considered Important due to the potential for unauthenticated remote disruption of services utilizing the vulnerable SSH library.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39830"
},
{
"category": "external",
"summary": "RHBZ#2480684",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480684"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39830",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39830"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39830",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39830"
},
{
"category": "external",
"summary": "https://go.dev/cl/781640",
"url": "https://go.dev/cl/781640"
},
{
"category": "external",
"summary": "https://go.dev/cl/781664",
"url": "https://go.dev/cl/781664"
},
{
"category": "external",
"summary": "https://go.dev/issue/79564",
"url": "https://go.dev/issue/79564"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5017",
"url": "https://pkg.go.dev/vuln/GO-2026-5017"
}
],
"release_date": "2026-05-22T02:31:27.208000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "To mitigate this denial of service vulnerability, restrict network access to any service that utilizes the `golang.org/x/crypto/ssh` library and is exposed to untrusted networks. Implement firewall rules to allow connections only from trusted hosts or networks. This action limits the ability of malicious peers to send unsolicited global request responses. A restart of the affected service may be necessary for the new network rules to be applied effectively.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses"
},
{
"cve": "CVE-2026-39831",
"cwe": {
"id": "CWE-347",
"name": "Improper Verification of Cryptographic Signature"
},
"discovery_date": "2026-05-22T04:01:12.861178+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480675"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/crypto/ssh. The Verify() method, responsible for FIDO/U2F security key types, did not properly check for user presence. This allowed signatures to be accepted without requiring a physical touch on the hardware security key. As a result, an attacker could potentially use a hardware security key in an unattended manner, bypassing a critical security control designed to ensure user intent.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Security key bypass due to missing user presence check",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39831"
},
{
"category": "external",
"summary": "RHBZ#2480675",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480675"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39831",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39831"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39831",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39831"
},
{
"category": "external",
"summary": "https://go.dev/cl/781662",
"url": "https://go.dev/cl/781662"
},
{
"category": "external",
"summary": "https://go.dev/issue/79566",
"url": "https://go.dev/issue/79566"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5019",
"url": "https://pkg.go.dev/vuln/GO-2026-5019"
}
],
"release_date": "2026-05-22T02:31:27.436000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Security key bypass due to missing user presence check"
},
{
"cve": "CVE-2026-39832",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-05-22T04:01:41.402561+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480685"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/crypto/ssh/agent. When a key was added to a remote agent, security restrictions, known as constraint extensions, were not properly processed during the request. This allowed these restrictions to be silently removed when keys were forwarded, leading to the unrestricted use of the key on the remote host. This vulnerability could enable an attacker to bypass intended security controls and perform unauthorized actions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important vulnerability in `golang.org/x/crypto/ssh/agent` allows for a security bypass when SSH keys with destination restrictions are forwarded via an SSH agent. This flaw could lead to unintended exposure of SSH keys, enabling an attacker to use the forwarded key without the specified restrictions on remote hosts. Red Hat products utilizing `golang.org/x/crypto/ssh/agent` for key forwarding may be affected if users rely on constraint extensions for limiting key usage.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39832"
},
{
"category": "external",
"summary": "RHBZ#2480685",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480685"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39832",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39832"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39832",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39832"
},
{
"category": "external",
"summary": "https://go.dev/cl/778642",
"url": "https://go.dev/cl/778642"
},
{
"category": "external",
"summary": "https://go.dev/issue/79435",
"url": "https://go.dev/issue/79435"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5006",
"url": "https://pkg.go.dev/vuln/GO-2026-5006"
}
],
"release_date": "2026-05-22T02:31:26.660000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions"
},
{
"cve": "CVE-2026-39835",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"discovery_date": "2026-05-22T04:01:27.279943+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480680"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/crypto/ssh. SSH servers configured to use CertChecker as a public key callback, without explicitly setting IsUserAuthority or IsHostAuthority, are vulnerable. A remote attacker can exploit this by presenting a specially crafted certificate, causing the server to panic and resulting in a Denial of Service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service flaw in `golang.org/x/crypto/ssh` affecting SSH servers that utilize `CertChecker` as a public key callback without explicitly configuring `IsUserAuthority` or `IsHostAuthority`. A remote, unauthenticated attacker can trigger a server panic by presenting a specially crafted certificate, leading to service disruption. Exploitation requires a specific, non-default configuration of the `CertChecker`.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39835"
},
{
"category": "external",
"summary": "RHBZ#2480680",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480680"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39835",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39835"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39835",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39835"
},
{
"category": "external",
"summary": "https://go.dev/cl/781660",
"url": "https://go.dev/cl/781660"
},
{
"category": "external",
"summary": "https://go.dev/issue/79563",
"url": "https://go.dev/issue/79563"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5015",
"url": "https://pkg.go.dev/vuln/GO-2026-5015"
}
],
"release_date": "2026-05-22T02:31:26.982000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate"
},
{
"cve": "CVE-2026-42044",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T19:01:13.418725+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461624"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution \"Gadget\" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42044"
},
{
"category": "external",
"summary": "RHBZ#2461624",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461624"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42044",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42044"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23",
"url": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23"
}
],
"release_date": "2026-04-24T17:49:49.517000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget"
},
{
"cve": "CVE-2026-42151",
"cwe": {
"id": "CWE-256",
"name": "Plaintext Storage of a Password"
},
"discovery_date": "2026-05-04T19:02:26.983660+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2466507"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Prometheus, an open-source monitoring system. The `client_secret` field within the Azure Active Directory (AD) remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access to the `/-/config` HTTP API endpoint to view the Azure OAuth client secret in plaintext. This vulnerability leads to information disclosure, potentially compromising the security of integrated Azure AD services.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important information disclosure flaw in Prometheus affects instances configured to use Azure AD remote write with OAuth authentication. The client secret, intended to be a secure credential, is exposed in plaintext through the `/-/config` HTTP API endpoint. This could allow an attacker with access to this endpoint to retrieve the secret, potentially compromising integrated Azure AD services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42151"
},
{
"category": "external",
"summary": "RHBZ#2466507",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466507"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42151",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42151"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42151",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42151"
},
{
"category": "external",
"summary": "https://github.com/prometheus/prometheus/pull/18587",
"url": "https://github.com/prometheus/prometheus/pull/18587"
},
{
"category": "external",
"summary": "https://github.com/prometheus/prometheus/pull/18590",
"url": "https://github.com/prometheus/prometheus/pull/18590"
},
{
"category": "external",
"summary": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3",
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3"
},
{
"category": "external",
"summary": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3",
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3"
},
{
"category": "external",
"summary": "https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj",
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj"
}
],
"release_date": "2026-05-04T18:12:16.917000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API"
},
{
"cve": "CVE-2026-42154",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-05-04T19:02:19.626646+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2466505"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Prometheus. An unauthenticated attacker can exploit the remote read endpoint (`/api/v1/read`) by sending a specially crafted, small snappy-compressed payload. This payload causes a disproportionately large memory allocation, leading to memory exhaustion and a Denial of Service (DoS) by crashing the Prometheus process.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/prometheus/prometheus: Prometheus: Denial of Service via uncontrolled memory allocation in remote read endpoint",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in Prometheus, allowing an unauthenticated remote attacker to crash the Prometheus process. This could lead to service unavailability in Red Hat products that deploy Prometheus for monitoring, as the remote read endpoint does not properly validate snappy-compressed request lengths.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42154"
},
{
"category": "external",
"summary": "RHBZ#2466505",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466505"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42154",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42154"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42154",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42154"
},
{
"category": "external",
"summary": "https://github.com/prometheus/prometheus/pull/18584",
"url": "https://github.com/prometheus/prometheus/pull/18584"
},
{
"category": "external",
"summary": "https://github.com/prometheus/prometheus/pull/18585",
"url": "https://github.com/prometheus/prometheus/pull/18585"
},
{
"category": "external",
"summary": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3",
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3"
},
{
"category": "external",
"summary": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3",
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3"
},
{
"category": "external",
"summary": "https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm",
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm"
}
],
"release_date": "2026-05-04T18:13:12.340000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/prometheus/prometheus: Prometheus: Denial of Service via uncontrolled memory allocation in remote read endpoint"
},
{
"cve": "CVE-2026-42499",
"cwe": {
"id": "CWE-1046",
"name": "Creation of Immutable Text Using String Concatenation"
},
"discovery_date": "2026-05-07T20:00:51.685602+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2467809"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `net/mail` package within the Go standard library. A remote attacker could provide specially crafted, pathological email addresses. When these malformed email addresses are parsed by the `consumePhrase` function, it can lead to excessive resource consumption due to quadratic string concatenation, resulting in a Denial of Service (DoS) condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/mail: golang: net/mail: Denial of Service via pathological email address parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in the `net/mail` package of the Go standard library. A remote attacker can exploit this flaw by sending specially crafted email addresses, leading to excessive resource consumption and a denial of service in Go applications that parse email addresses using the affected library.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42499"
},
{
"category": "external",
"summary": "RHBZ#2467809",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467809"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42499",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42499"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42499",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42499"
},
{
"category": "external",
"summary": "https://go.dev/cl/771520",
"url": "https://go.dev/cl/771520"
},
{
"category": "external",
"summary": "https://go.dev/issue/78987",
"url": "https://go.dev/issue/78987"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M",
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4977",
"url": "https://pkg.go.dev/vuln/GO-2026-4977"
}
],
"release_date": "2026-05-07T19:41:18.615000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "net/mail: golang: net/mail: Denial of Service via pathological email address parsing"
},
{
"cve": "CVE-2026-42504",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-06-02T23:01:00.320527+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2484204"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Golang MIME (Multipurpose Internet Mail Extensions) package. A remote attacker could exploit this vulnerability by sending a maliciously-crafted MIME header containing many invalid encoded-words. This could lead to excessive CPU consumption, resulting in a Denial of Service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mime: golang: Golang MIME: Denial of Service via maliciously-crafted MIME header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is rated as an Important severity flaw. A remote attacker could trigger a Denial of Service by sending a crafted MIME header with numerous invalid encoded-words to an application utilizing the affected Golang MIME package. This could lead to excessive CPU consumption on the system processing the malformed header, impacting service availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42504"
},
{
"category": "external",
"summary": "RHBZ#2484204",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484204"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42504",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42504"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42504",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42504"
},
{
"category": "external",
"summary": "https://go.dev/cl/774481",
"url": "https://go.dev/cl/774481"
},
{
"category": "external",
"summary": "https://go.dev/issue/79217",
"url": "https://go.dev/issue/79217"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw",
"url": "https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5038",
"url": "https://pkg.go.dev/vuln/GO-2026-5038"
}
],
"release_date": "2026-06-02T22:01:37.219000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "To mitigate this issue, restrict network access to services that process MIME headers from untrusted sources. Implement input validation and sanitization for all incoming data, especially MIME headers, to prevent maliciously crafted content from being processed by applications utilizing the vulnerable Golang MIME package.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mime: golang: Golang MIME: Denial of Service via maliciously-crafted MIME header"
},
{
"cve": "CVE-2026-42508",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2026-05-22T04:01:49.515058+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480688"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/crypto/ssh/knownhosts. This vulnerability occurs because the system did not correctly check for the revocation status of a SignatureKey belonging to a Certificate Authority (CA). A remote attacker could potentially exploit this by presenting a revoked key, leading to the system accepting it as valid. This could allow an attacker to bypass security checks and potentially gain unauthorized access or spoof legitimate entities.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Important: A flaw in `golang.org/x/crypto/ssh/knownhosts` allows a remote attacker to bypass security checks. This vulnerability arises because the system fails to properly verify the revocation status of a Certificate Authority (CA) `SignatureKey`. In Red Hat environments, this could enable an attacker to present a revoked key, leading to its acceptance as valid and potentially granting unauthorized access or facilitating the spoofing of legitimate entities.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42508"
},
{
"category": "external",
"summary": "RHBZ#2480688",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480688"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42508",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42508"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42508",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42508"
},
{
"category": "external",
"summary": "https://go.dev/cl/781220",
"url": "https://go.dev/cl/781220"
},
{
"category": "external",
"summary": "https://go.dev/issue/79568",
"url": "https://go.dev/issue/79568"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5021",
"url": "https://pkg.go.dev/vuln/GO-2026-5021"
}
],
"release_date": "2026-05-22T02:31:27.644000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey"
},
{
"cve": "CVE-2026-44432",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2026-05-13T17:01:01.083841+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477154"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in urllib3, an HTTP client library for Python. This vulnerability allows a remote attacker to cause excessive resource consumption, such as high CPU usage and massive memory allocation, on the client side. This occurs when urllib3 attempts to decompress an entire HTTP response, even if only a partial read was requested, or when draining the connection after a partial decompression. This can lead to a Denial of Service (DoS) condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "urllib3: urllib3: Denial of Service due to excessive HTTP response decompression",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44432"
},
{
"category": "external",
"summary": "RHBZ#2477154",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477154"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44432",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44432"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44432",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44432"
},
{
"category": "external",
"summary": "https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j",
"url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j"
}
],
"release_date": "2026-05-13T15:17:12.611000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "urllib3: urllib3: Denial of Service due to excessive HTTP response decompression"
},
{
"cve": "CVE-2026-44486",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-06-11T17:01:30.944384+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487947"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important information disclosure flaw in the Axios Node.js HTTP adapter. Red Hat products utilizing Axios in a Node.js environment with an authenticated proxy and automatic redirects enabled are susceptible. The vulnerability arises when a request, initially sent through an authenticated proxy, is redirected to a target that no longer uses the proxy, potentially leaking `Proxy-Authorization` headers containing sensitive credentials to an untrusted remote server. This risk is heightened in deployments where applications interact with untrusted HTTP origins.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44486"
},
{
"category": "external",
"summary": "RHBZ#2487947",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487947"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44486"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc",
"url": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc"
}
],
"release_date": "2026-06-11T15:39:07.714000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects"
},
{
"cve": "CVE-2026-44487",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-06-11T17:01:34.091476+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487948"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure of proxy credentials via redirect flows",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important information disclosure flaw in Axios affecting Node.js environments. When an application uses Axios with an authenticated HTTP proxy and follows redirects from an HTTP to a non-proxied HTTPS destination, the Proxy-Authorization header may be inadvertently sent to the final origin server. This could lead to the exposure of sensitive proxy credentials to an unintended third party.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44487"
},
{
"category": "external",
"summary": "RHBZ#2487948",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487948"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44487"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v",
"url": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v"
}
],
"release_date": "2026-06-11T15:38:25.150000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure of proxy credentials via redirect flows"
},
{
"cve": "CVE-2026-44488",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-11T17:01:36.836488+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487949"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Denial of Service due to unenforced request and response size limits",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Important: A denial of service flaw was found in Axios, a JavaScript HTTP client library. This issue arises when applications utilize the `fetch` adapter, as configured request and response size limits are not properly enforced. A remote attacker could exploit this by sending or receiving excessively large data bodies, leading to resource exhaustion and potential denial of service in affected server-side applications.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44488"
},
{
"category": "external",
"summary": "RHBZ#2487949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487949"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44488",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44488"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
}
],
"release_date": "2026-06-11T15:37:38.013000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Denial of Service due to unenforced request and response size limits"
},
{
"cve": "CVE-2026-44492",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2026-06-11T17:00:56.761751+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487938"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw in Axios, a JavaScript HTTP client library, that allows for a proxy bypass. When a `NO_PROXY` environment variable is configured to prevent direct connections to specific IPv4 addresses, an attacker can craft a request URL using the IPv4-mapped IPv6 address format. This bypasses the intended `NO_PROXY` exclusion, routing the request through the configured proxy and potentially exposing internal services or sensitive information, such as cloud instance metadata credentials.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44492"
},
{
"category": "external",
"summary": "RHBZ#2487938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44492",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44492"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv"
}
],
"release_date": "2026-06-11T15:29:13.890000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization"
},
{
"cve": "CVE-2026-44494",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-06-11T17:01:12.945664+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487942"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to escalate any existing Object.prototype pollution in an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in the Axios library allows an attacker to escalate existing prototype pollution vulnerabilities within an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. By injecting a malicious proxy configuration into the `Object.prototype`, an attacker can intercept, read, and modify all HTTP traffic, including sensitive authentication credentials, without direct user interaction. This poses a significant risk to data confidentiality and integrity in Red Hat products that utilize the Axios library.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44494"
},
{
"category": "external",
"summary": "RHBZ#2487942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487942"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44494",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44494"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh",
"url": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh"
}
],
"release_date": "2026-06-11T15:32:03.155000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution"
},
{
"cve": "CVE-2026-44495",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-06-11T17:00:53.999811+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487937"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure due to prototype pollution vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important vulnerability in Axios, a promise-based HTTP client, can lead to information disclosure, including credential theft and response hijacking, or denial of service. Exploitation requires a separate prototype pollution vulnerability in the same JavaScript process, allowing an attacker to control `Object.prototype.transformResponse`. Red Hat products using affected Axios versions are at risk if another component introduces such pollution.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44495"
},
{
"category": "external",
"summary": "RHBZ#2487937",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487937"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44495",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44495"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw",
"url": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw"
}
],
"release_date": "2026-06-11T15:33:12.433000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure due to prototype pollution vulnerability"
},
{
"cve": "CVE-2026-44496",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2026-06-11T17:01:15.856386+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487943"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in Axios can lead to a client-side Denial of Service. An attacker capable of influencing the XSRF cookie name within a browser environment could trigger excessive regular expression processing, causing the affected browser tab to freeze and degrade user availability. This issue specifically impacts browser-based applications and does not affect Node.js HTTP adapter usage, React Native, or web workers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44496"
},
{
"category": "external",
"summary": "RHBZ#2487943",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487943"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44496",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44496"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf"
}
],
"release_date": "2026-06-11T15:34:28.492000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name"
},
{
"cve": "CVE-2026-44990",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-06-12T21:02:24.911971+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488565"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `sanitize-html` library. Under its default configuration, an attacker can embed malicious content within a disallowed `xmp` element. This vulnerability allows the attacker to bypass the HTML sanitization process, leading to stored Cross-Site Scripting (XSS). Successful exploitation can result in arbitrary code execution or information disclosure when a user views the affected content.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "sanitize-html: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw. The `sanitize-html` library, used in Red Hat products, is susceptible to a stored Cross-Site Scripting (XSS) bypass. Malicious content within a disallowed `xmp` element can be rendered as live HTML or JavaScript due to a sanitizer bypass in the default configuration. This can lead to arbitrary code execution or information disclosure when affected content is viewed.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44990"
},
{
"category": "external",
"summary": "RHBZ#2488565",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488565"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44990",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44990"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44990",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44990"
},
{
"category": "external",
"summary": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643",
"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-rpr9-rxv7-x643"
}
],
"release_date": "2026-06-12T20:39:47.065000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "sanitize-html: `sanitize-html`: Stored Cross-Site Scripting via HTML sanitizer bypass"
},
{
"cve": "CVE-2026-45822",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-06-30T09:01:06.468966+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2494807"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `decode-uri-component` library. This vulnerability allows a remote attacker to trigger a Denial of Service (DoS) by submitting specially crafted input. The `decode()` function, when processing a large number of encoded URI components, consumes excessive CPU resources, which can lead to the application becoming unresponsive and unavailable.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "decode-uri-component: decode-uri-component: Denial of Service via crafted input",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A denial of service flaw was found in the decode-uri-component npm package. The decode() function exhibits super-linear time complexity when processing input containing many percent-encoded sequences, allowing an attacker to cause significant CPU consumption and event-loop blocking. In Red Hat products where this package is bundled (OpenShift Console, Quay, Pipelines, RHOAI, and others), exploitation requires that attacker-controlled input containing crafted percent-encoded strings reaches the decode() function without prior length validation. Red Hat rates this as Moderate severity since the impact is limited to availability with no confidentiality or integrity impact, consistent with the CNA\u0027s CVSS 4.0 assessment of 6.6 Medium.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-45822"
},
{
"category": "external",
"summary": "RHBZ#2494807",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494807"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-45822",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45822"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-45822",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45822"
},
{
"category": "external",
"summary": "https://github.com/SamVerschueren/decode-uri-component/blob/00662938dc7c6241547ae8abce7785cc13ffd3f6/index.js",
"url": "https://github.com/SamVerschueren/decode-uri-component/blob/00662938dc7c6241547ae8abce7785cc13ffd3f6/index.js"
},
{
"category": "external",
"summary": "https://github.com/SamVerschueren/decode-uri-component/commit/fa479dafeede7bedf04e5c89aa78f2a78c664005",
"url": "https://github.com/SamVerschueren/decode-uri-component/commit/fa479dafeede7bedf04e5c89aa78f2a78c664005"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/decode-uri-component",
"url": "https://www.npmjs.com/package/decode-uri-component"
}
],
"release_date": "2026-06-30T08:05:36.399000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Validate and limit the length of any user-controlled input before passing it to decode-uri-component\u0027s decode() function. Inputs containing more than approximately 200 percent-encoded tokens (e.g. \u0027%ab\u0027 sequences) can trigger noticeable delays. Reject or truncate URI components exceeding a reasonable length threshold before decoding. A fix exists in the upstream repository (commit fa479daf) but has not yet been included in an npm release.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "decode-uri-component: decode-uri-component: Denial of Service via crafted input"
},
{
"cve": "CVE-2026-46597",
"cwe": {
"id": "CWE-681",
"name": "Incorrect Conversion between Numeric Types"
},
"discovery_date": "2026-05-22T04:01:21.721980+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480678"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/crypto/ssh. A remote attacker could send specially crafted inputs to the AES-GCM packet decoder. This could lead to an incorrectly placed cast from bytes to an integer, causing a server-side panic and resulting in a Denial of Service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted AES-GCM packet decoder inputs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important denial of service flaw in `golang.org/x/crypto/ssh` allows a remote attacker to trigger a server-side panic by sending specially crafted inputs to the AES-GCM packet decoder. This vulnerability could lead to service unavailability in Red Hat products that incorporate and expose SSH services built with the affected `golang.org/x/crypto/ssh` component.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-46597"
},
{
"category": "external",
"summary": "RHBZ#2480678",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480678"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-46597",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46597"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-46597",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46597"
},
{
"category": "external",
"summary": "https://go.dev/cl/781620",
"url": "https://go.dev/cl/781620"
},
{
"category": "external",
"summary": "https://go.dev/issue/79561",
"url": "https://go.dev/issue/79561"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5013",
"url": "https://pkg.go.dev/vuln/GO-2026-5013"
}
],
"release_date": "2026-05-22T02:31:26.754000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted AES-GCM packet decoder inputs"
},
{
"cve": "CVE-2026-48526",
"cwe": {
"id": "CWE-347",
"name": "Improper Verification of Cryptographic Signature"
},
"discovery_date": "2026-05-28T16:01:22.805235+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482734"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in PyJWT, a Python library for JSON Web Token (JWT) implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys (JWK) in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer\u0027s public key as the secret key for the HMAC algorithm, leading to the ability to forge JWTs. This vulnerability can result in authentication bypass or unauthorized access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important vulnerability in PyJWT allows for authentication bypass and unauthorized access. It occurs when a JWT verifier is misconfigured to accept both symmetric and asymmetric algorithms, and a public JSON Web Key is erroneously used as the HMAC secret. Red Hat products are only affected if they utilize this specific, non-standard verifier configuration.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"known_not_affected": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48526"
},
{
"category": "external",
"summary": "RHBZ#2482734",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482734"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48526",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48526"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48526",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48526"
},
{
"category": "external",
"summary": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx",
"url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx"
}
],
"release_date": "2026-05-28T15:09:09.258000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-16T19:46:27+00:00",
"details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:41066"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:7df4998918f382d98fa22a78f6390cd74fc61f7c4bdfebfcc521223012e58f94_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:a4ebf6125dc9f3ec9619b4ef3bc656f32e4f954f758393287e353608f1f22158_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/clair-rhel9@sha256:ad21b5b3e9be86e46da017c3f6c5f21a8ecd5589ec7b8fcfa238a737205a3143_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:1968b253b36566be2ad09057e3249147a3cc292713e538669d1b75460bec6ace_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:3db8bd709ba6e311052f18c8dbcff80907229c33b9bac63a716f3fb3d4fa7358_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:7d4593286c5b733c8ed5ab2c255c762628c6438e68f10e6ee25582c91d628de4_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-bridge-operator-rhel9@sha256:f51f40e95d73d6ccdc36caa2184a3e2fef4cf9cc0ced017bc7db890ea0a27293_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:6716128c395abd6d293c7fdfee76e1f7e3701cbe400befc4e8bc2922db7d0101_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:30689606ecbebba668c36a16892b0e6f7e0c1868933143fa078e7abaea380544_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:50ef0b22a4630bdd2e7355d7284b94aa33c5f424a218d55cb26224a3001cb484_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-builder-rhel9@sha256:75dae1dc7c81d7657ffc4317d80898afe45a0dd78d8739465b7cc95a15f481b8_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:892c8bae38073747321083d3cb6fe0fbd2b1ab6547f8bbbf42f5cd6eac895ed1_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:45713ba39b951f894271777aefa5e7e0f4015d592a3e0a40cca680396f726ca3_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:6a208c36a417a6d0b5223f6ddc4b98c2f007ac209db2b2d70875bda6b84b6e42_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-container-security-operator-rhel9@sha256:a557d7fb863fb489c60709ac34eaa5c7c2d66961770a8359794e6ec21bd12840_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-bundle@sha256:ca805ae1448ab106b9b486d158c5c27e27b9bbe0bcc8d11529c3fd521d674a6c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:3a01cd1d9559dbb9a1e8ae6c2bdcafe9596e3225b870cfbf725ea67a5a89e238_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:b17a240fd3c7032b9f098c9a3369a52ee4afaa23aa97a35936bf3fd44243681c_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-operator-rhel9@sha256:c65a8c8d6dc0a191959b7e6d3f8f60afccf49d318d18080d91a059a6163ca4d4_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:197e328cbe22d79da1589720fc5dc79874c84dcbe78928efedb2de9ad8a756a9_ppc64le",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:5bab84aa3a13566f9c38af03862416cc1d6aa5b3a81090bef72d05a9aafe221b_s390x",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:71ee2ea79064730fbb9682fdd30dc7a455bf5a0a3b0297bdc264f2936876f62a_amd64",
"Red Hat Quay 3.16:registry.redhat.io/quay/quay-rhel9@sha256:fe189be7d6cc775261c6b7fb58bc9badac2411647874d330d8de6e7f02569230_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens"
}
]
}
ubuntu-cve-2026-9277
Vulnerability from osv_ubuntu
shell-quote's quote() function did not validate object-token inputs against the operator model used by parse(). The .op field was backslash-escaped character by character using /(.)/g, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in .op therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of { op: '...\n...' } from external input, and (2) via parse(cmd, envFn) when envFn returns object tokens whose .op is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: .op must match the parser's control-operator allowlist; { op: 'glob', pattern } validates pattern and forbids line terminators; { comment } validates comment and forbids line terminators; any other object shape throws TypeError.
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "node-shell-quote",
"binary_version": "1.6.1+20160617-git72fb5a8ce29b-1ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "node-shell-quote",
"purl": "pkg:deb/ubuntu/node-shell-quote@1.6.1+20160617-git72fb5a8ce29b-1ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.1+20160617-git72fb5a8ce29b-1ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6.1+20160617-git72fb5a8ce29b-1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "node-shell-quote",
"binary_version": "1.7.3+~1.7.1-1ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "node-shell-quote",
"purl": "pkg:deb/ubuntu/node-shell-quote@1.7.3+~1.7.1-1ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.3+~1.7.1-1ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.3+~1.7.1-1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "node-shell-quote",
"binary_version": "1.7.4+~1.7.1-1ubuntu0.24.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "node-shell-quote",
"purl": "pkg:deb/ubuntu/node-shell-quote@1.7.4+~1.7.1-1ubuntu0.24.04.1?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.4+~1.7.1-1ubuntu0.24.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.4+~1.7.1-1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "node-shell-quote",
"binary_version": "1.7.4+~1.7.1-1ubuntu0.25.10.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "node-shell-quote",
"purl": "pkg:deb/ubuntu/node-shell-quote@1.7.4+~1.7.1-1ubuntu0.25.10.1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.4+~1.7.1-1ubuntu0.25.10.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.4+~1.7.1-1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "node-shell-quote",
"binary_version": "1.8.3+~1.7.5-1ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:26.04:LTS",
"name": "node-shell-quote",
"purl": "pkg:deb/ubuntu/node-shell-quote@1.8.3+~1.7.5-1ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.3+~1.7.5-1ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.4+~1.7.1-1",
"1.8.3+~1.7.5-1"
]
}
],
"aliases": [],
"details": "shell-quote\u0027s `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\\n, \\r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: \u0027...\\n...\u0027 }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser\u0027s control-operator allowlist; `{ op: \u0027glob\u0027, pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.",
"id": "UBUNTU-CVE-2026-9277",
"modified": "2026-06-30T16:18:41Z",
"published": "2026-05-22T14:16:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-9277"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9277"
},
{
"type": "REPORT",
"url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"
},
{
"type": "REPORT",
"url": "https://github.com/ljharb/shell-quote"
},
{
"type": "REPORT",
"url": "https://github.com/ljharb/shell-quote/commit/1518179"
},
{
"type": "REPORT",
"url": "https://www.npmjs.com/package/shell-quote"
},
{
"type": "REPORT",
"url": "http://www.openwall.com/lists/oss-security/2026/05/23/2"
},
{
"type": "REPORT",
"url": "https://github.com/ljharb/shell-quote/commit/4378a6e613db5948168684864e49b42b83134d2d"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8410-1"
}
],
"related": [
"USN-8410-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2026-9277"
]
}
WID-SEC-W-2026-1934
Vulnerability from csaf_certbund - Published: 2026-06-15 22:00 - Updated: 2026-06-16 22:00| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat OpenShift Service Mesh 3.0
Red Hat / OpenShift
|
cpe:/a:redhat:openshift:service_mesh_3.0
|
Service Mesh 3.0 | |
|
Red Hat OpenShift Service Mesh 3.2
Red Hat / OpenShift
|
cpe:/a:redhat:openshift:service_mesh_3.2
|
Service Mesh 3.2 | |
|
Red Hat OpenShift Service Mesh 3.1
Red Hat / OpenShift
|
cpe:/a:redhat:openshift:service_mesh_3.1
|
Service Mesh 3.1 | |
|
Red Hat OpenShift Service Mesh 2.6
Red Hat / OpenShift
|
cpe:/a:redhat:openshift:service_mesh_2.6
|
Service Mesh 2.6 |
| URL | Category |
|---|---|
| https://wid.cert-bund.de/.well-known/csaf/white/2… | self |
| https://wid.cert-bund.de/portal/wid/securityadvis… | self |
| https://access.redhat.com/errata/RHSA-2026:26072 | external |
| https://access.redhat.com/errata/RHSA-2026:26077 | external |
| https://access.redhat.com/errata/RHSA-2026:26079 | external |
| https://access.redhat.com/errata/RHSA-2026:26080 | external |
| https://access.redhat.com/errata/RHSA-2026:26234 | external |
| https://access.redhat.com/errata/RHSA-2026:26090 | external |
| https://access.redhat.com/errata/RHSA-2026:26225 | external |
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat OpenShift ist eine \"Platform as a Service\" (PaaS) L\u00f6sung zur Bereitstellung von Applikationen in der Cloud.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat OpenShift ausnutzen, um beliebigen Programmcode auszuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-1934 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1934.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-1934 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1934"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:26072 vom 2026-06-15",
"url": "https://access.redhat.com/errata/RHSA-2026:26072"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:26077 vom 2026-06-15",
"url": "https://access.redhat.com/errata/RHSA-2026:26077"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:26079 vom 2026-06-15",
"url": "https://access.redhat.com/errata/RHSA-2026:26079"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:26080 vom 2026-06-15",
"url": "https://access.redhat.com/errata/RHSA-2026:26080"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:26234 vom 2026-06-16",
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:26090 vom 2026-06-16",
"url": "https://access.redhat.com/errata/RHSA-2026:26090"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:26225 vom 2026-06-16",
"url": "https://access.redhat.com/errata/RHSA-2026:26225"
}
],
"source_lang": "en-US",
"title": "Red Hat OpenShift Service Mesh: Schwachstelle erm\u00f6glicht Codeausf\u00fchrung",
"tracking": {
"current_release_date": "2026-06-16T22:00:00.000+00:00",
"generator": {
"date": "2026-06-17T08:35:01.768+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.6.0"
}
},
"id": "WID-SEC-W-2026-1934",
"initial_release_date": "2026-06-15T22:00:00.000+00:00",
"revision_history": [
{
"date": "2026-06-15T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-06-16T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"branches": [
{
"category": "product_version",
"name": "Service Mesh 2.6",
"product": {
"name": "Red Hat OpenShift Service Mesh 2.6",
"product_id": "T055414",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:service_mesh_2.6"
}
}
},
{
"category": "product_version",
"name": "Service Mesh 3.1",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.1",
"product_id": "T055415",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:service_mesh_3.1"
}
}
},
{
"category": "product_version",
"name": "Service Mesh 3.2",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.2",
"product_id": "T055416",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:service_mesh_3.2"
}
}
},
{
"category": "product_version",
"name": "Service Mesh 3.0",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.0",
"product_id": "T055417",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:service_mesh_3.0"
}
}
}
],
"category": "product_name",
"name": "OpenShift"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-9277",
"product_status": {
"known_affected": [
"67646",
"T055417",
"T055416",
"T055415",
"T055414"
]
},
"release_date": "2026-06-15T22:00:00.000+00:00",
"title": "CVE-2026-9277"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.