Vulnerability-Lookup

RHSA-2026:28010

Vulnerability from csaf_redhat - Published: 2026-06-22 17:15 - Updated: 2026-06-22 20:01

Summary

Red Hat Security Advisory: Red Hat build of Cryostat security update

Severity

Important

Notes

Topic: An update is now available for the Red Hat build of Cryostat 4 on RHEL 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: An update is now available for the Red Hat build of Cryostat 4 on RHEL 9. Security Fix(es): * DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization (CVE-2026-41240) * crypto/x509: Denial of Service via inefficient certificate chain validation (CVE-2026-32281) * shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (CVE-2026-9277) * Apache Thrift: Security bypass due to improper certificate validation (CVE-2026-43869) * Netty: High integrity impact due to improper DNS domain name constraint enforcement (CVE-2026-42579) * Netty: Incorrect HTTP response parsing leads to data confusion (CVE-2026-42584) * Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers (CVE-2026-42581) * Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation (CVE-2026-42578) * Netty: Denial of Service via unbounded memory allocation in HTTP content decompression (CVE-2026-42587) * Apache Thrift c_glib: Denial of Service via specially crafted requests (CVE-2025-48431) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2025-48431

A flaw was found in Apache Thrift c_glib language bindings. A remote attacker could send specially crafted requests to a c_glib-based Thrift server, leading to a mismatched memory management routines vulnerability. This could cause the server to crash with a "free(): invalid pointer" error, resulting in a Denial of Service (DoS).

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-763 - Release of Invalid Pointer or Reference

Affected products

Fixed 2 products

Product	Identifier	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64		—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64		—	Vendor Fix fix

Known not affected 18 products

Product	Identifier	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64		—

Threats

Impact Important

CVE-2026-9277

A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected products

Fixed 2 products

Product	Identifier	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64		—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64		—	Vendor Fix fix

Known not affected 18 products

Product	Identifier	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64		—

Threats

Impact Important

CVE-2026-32281

A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1050 - Excessive Platform Resource Consumption within a Loop

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64	—	Vendor Fix fix Workaround

Known not affected 16 products

Product	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64	—	Workaround

Threats

Impact Moderate

CVE-2026-41240

A flaw was found in DOMPurify, a DOM-only cross-site scripting sanitizer. A remote attacker could exploit an inconsistency in how forbidden tags and attributes are handled when function-based tag additions are used. This allows malicious HTML, MathML, or SVG elements to bypass sanitization and execute arbitrary code in the user's browser, leading to Cross-Site Scripting (XSS).

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64	—	Vendor Fix fix Workaround

Known not affected 16 products

Product	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64	—	Workaround

Threats

Impact Moderate

CVE-2026-42578

A flaw was found in Netty. The HttpProxyHandler component, which handles HTTP CONNECT requests, does not properly validate user-provided outbound headers. This allows an attacker to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This could lead to unexpected behavior or potential bypass of security controls on the proxy server.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Affected products

Fixed 6 products

Product	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64	—	Vendor Fix fix

Known not affected 14 products

Product	Identifier	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64		—

Threats

Impact Important

CVE-2026-42579

A flaw was found in Netty. Netty's DNS (Domain Name System) codec does not properly enforce domain name constraints as defined in RFC 1035 during both encoding and decoding processes. This vulnerability allows a remote attacker to exploit the decoder using malicious DNS responses or exploit the encoder through user-influenced hostnames, leading to a high integrity impact on the affected system.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-1286 - Improper Validation of Syntactic Correctness of Input

Affected products

Fixed 6 products

Product	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64	—	Vendor Fix fix

Known not affected 14 products

Product	Identifier	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64		—

Threats

Impact Important

CVE-2026-42581

A flaw was found in Netty's HttpObjectDecoder. A remote attacker can exploit this by sending a specially crafted HTTP/1.0 request that includes both `Transfer-Encoding: chunked` and `Content-Length` headers. While Netty correctly strips the conflicting `Content-Length` header for HTTP/1.1 messages, this guard is absent for HTTP/1.0. This can lead to HTTP request smuggling, where downstream proxies or handlers may misinterpret message boundaries, potentially allowing an attacker to bypass security controls or access unauthorized information.

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Fixed 6 products

Product	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64	—	Vendor Fix fix

Known not affected 14 products

Product	Identifier	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64		—

Threats

Impact Important

CVE-2026-42584

A flaw was found in Netty, an asynchronous, event-driven network application framework. A remote attacker could exploit this vulnerability by sending a specific sequence of HTTP responses (103, followed by a 200 with a GET body, then another 200 for a HEAD request) when the client pipelines GET then HEAD requests. This can cause the HttpClientCodec to incorrectly pair responses, leading to subsequent HTTP responses being parsed from the wrong offset. This issue may result in information disclosure or other data integrity problems due to misinterpretation of network traffic.

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Fixed 6 products

Product	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64	—	Vendor Fix fix
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64	—	Vendor Fix fix

Known not affected 14 products

Product	Identifier	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64		—
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64		—

Threats

Impact Important

CVE-2026-42587

A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli (br), Zstandard (zstd), or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an out-of-memory Denial of Service (DoS) for the affected system.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 6 products

Product	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64	—	Vendor Fix fix Workaround

Known not affected 14 products

Product	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64	—	Workaround

Threats

Impact Important

CVE-2026-43869

A flaw was found in Apache Thrift. This vulnerability involves improper validation of a certificate with a host mismatch, which could allow a remote attacker to bypass security checks. By presenting a specially crafted certificate, an attacker may impersonate a legitimate server or client. This could lead to a security bypass, potentially enabling unauthorized access or information disclosure.

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-295 - Improper Certificate Validation

Affected products

Fixed 2 products

Product	Identifier	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64		—	Vendor Fix fix Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64		—	Vendor Fix fix Workaround

Known not affected 18 products

Product	Version	Remediation
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64	—	Workaround
Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64	—	Workaround

Threats

Impact Important

References

72 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:28010	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2456333	external
https://bugzilla.redhat.com/show_bug.cgi?id=2461147	external
https://bugzilla.redhat.com/show_bug.cgi?id=2463410	external
https://bugzilla.redhat.com/show_bug.cgi?id=2466660	external
https://bugzilla.redhat.com/show_bug.cgi?id=2477217	external
https://bugzilla.redhat.com/show_bug.cgi?id=2477220	external
https://bugzilla.redhat.com/show_bug.cgi?id=2477224	external
https://bugzilla.redhat.com/show_bug.cgi?id=2477226	external
https://bugzilla.redhat.com/show_bug.cgi?id=2477232	external
https://bugzilla.redhat.com/show_bug.cgi?id=2480741	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2025-48431	self
https://bugzilla.redhat.com/show_bug.cgi?id=2463410	external
https://www.cve.org/CVERecord?id=CVE-2025-48431	external
https://nvd.nist.gov/vuln/detail/CVE-2025-48431	external
http://www.openwall.com/lists/oss-security/2026/04/28/8	external
https://lists.apache.org/thread/lb4j0zyd5f3g36cos…	external
https://access.redhat.com/security/cve/CVE-2026-9277	self
https://bugzilla.redhat.com/show_bug.cgi?id=2480741	external
https://www.cve.org/CVERecord?id=CVE-2026-9277	external
https://nvd.nist.gov/vuln/detail/CVE-2026-9277	external
https://github.com/ljharb/shell-quote	external
https://github.com/ljharb/shell-quote/commit/1518179	external
https://github.com/ljharb/shell-quote/security/ad…	external
https://www.npmjs.com/package/shell-quote	external
https://access.redhat.com/security/cve/CVE-2026-32281	self
https://bugzilla.redhat.com/show_bug.cgi?id=2456333	external
https://www.cve.org/CVERecord?id=CVE-2026-32281	external
https://nvd.nist.gov/vuln/detail/CVE-2026-32281	external
https://go.dev/cl/758061	external
https://go.dev/issue/78281	external
https://groups.google.com/g/golang-announce/c/0uY…	external
https://pkg.go.dev/vuln/GO-2026-4946	external
https://access.redhat.com/security/cve/CVE-2026-41240	self
https://bugzilla.redhat.com/show_bug.cgi?id=2461147	external
https://www.cve.org/CVERecord?id=CVE-2026-41240	external
https://nvd.nist.gov/vuln/detail/CVE-2026-41240	external
https://github.com/cure53/DOMPurify/commit/c361ba…	external
https://github.com/cure53/DOMPurify/releases/tag/3.4.0	external
https://github.com/cure53/DOMPurify/security/advi…	external
https://access.redhat.com/security/cve/CVE-2026-42578	self
https://bugzilla.redhat.com/show_bug.cgi?id=2477226	external
https://www.cve.org/CVERecord?id=CVE-2026-42578	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42578	external
https://github.com/netty/netty/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-42579	self
https://bugzilla.redhat.com/show_bug.cgi?id=2477217	external
https://www.cve.org/CVERecord?id=CVE-2026-42579	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42579	external
https://github.com/netty/netty/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-42581	self
https://bugzilla.redhat.com/show_bug.cgi?id=2477232	external
https://www.cve.org/CVERecord?id=CVE-2026-42581	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42581	external
https://github.com/netty/netty/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-42584	self
https://bugzilla.redhat.com/show_bug.cgi?id=2477224	external
https://www.cve.org/CVERecord?id=CVE-2026-42584	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42584	external
https://github.com/netty/netty/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-42587	self
https://bugzilla.redhat.com/show_bug.cgi?id=2477220	external
https://www.cve.org/CVERecord?id=CVE-2026-42587	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42587	external
https://github.com/netty/netty/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-43869	self
https://bugzilla.redhat.com/show_bug.cgi?id=2466660	external
https://www.cve.org/CVERecord?id=CVE-2026-43869	external
https://nvd.nist.gov/vuln/detail/CVE-2026-43869	external
https://lists.apache.org/thread/3hsgl1b69wzq3ry39…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for the Red Hat build of Cryostat 4 on RHEL 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "An update is now available for the Red Hat build of Cryostat 4 on RHEL 9.\n\nSecurity Fix(es):\n\n* DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization (CVE-2026-41240)\n* crypto/x509: Denial of Service via inefficient certificate chain validation (CVE-2026-32281)\n* shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (CVE-2026-9277)\n* Apache Thrift: Security bypass due to improper certificate validation (CVE-2026-43869)\n* Netty: High integrity impact due to improper DNS domain name constraint enforcement (CVE-2026-42579)\n* Netty: Incorrect HTTP response parsing leads to data confusion (CVE-2026-42584)\n* Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers (CVE-2026-42581)\n* Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation (CVE-2026-42578)\n* Netty: Denial of Service via unbounded memory allocation in HTTP content decompression (CVE-2026-42587)\n* Apache Thrift c_glib: Denial of Service via specially crafted requests (CVE-2025-48431)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:28010",
        "url": "https://access.redhat.com/errata/RHSA-2026:28010"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2456333",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
      },
      {
        "category": "external",
        "summary": "2461147",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461147"
      },
      {
        "category": "external",
        "summary": "2463410",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463410"
      },
      {
        "category": "external",
        "summary": "2466660",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466660"
      },
      {
        "category": "external",
        "summary": "2477217",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477217"
      },
      {
        "category": "external",
        "summary": "2477220",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477220"
      },
      {
        "category": "external",
        "summary": "2477224",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477224"
      },
      {
        "category": "external",
        "summary": "2477226",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477226"
      },
      {
        "category": "external",
        "summary": "2477232",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477232"
      },
      {
        "category": "external",
        "summary": "2480741",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480741"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_28010.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat build of Cryostat security update",
    "tracking": {
      "current_release_date": "2026-06-22T20:01:48+00:00",
      "generator": {
        "date": "2026-06-22T20:01:48+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.0.0"
        }
      },
      "id": "RHSA-2026:28010",
      "initial_release_date": "2026-06-22T17:15:26+00:00",
      "revision_history": [
        {
          "date": "2026-06-22T17:15:26+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-22T17:15:26+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-22T20:01:48+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Cryostat 4 on RHEL 9",
                "product": {
                  "name": "Cryostat 4 on RHEL 9",
                  "product_id": "9Base-Cryostat-4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:cryostat:4::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Cryostat"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
                "product": {
                  "name": "cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
                  "product_id": "cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-agent-init-rhel9\u0026tag=0.7.0-8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
                "product": {
                  "name": "cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
                  "product_id": "cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-db-rhel9\u0026tag=4.2.0-16"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
                "product": {
                  "name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
                  "product_id": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-grafana-dashboard-rhel9\u0026tag=4.2.0-10"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
                "product": {
                  "name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
                  "product_id": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-openshift-console-plugin-rhel9\u0026tag=4.2.0-10"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
                "product": {
                  "name": "cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
                  "product_id": "cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-reports-rhel9\u0026tag=4.2.0-10"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
                "product": {
                  "name": "cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
                  "product_id": "cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9\u0026tag=4.2.0-10"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
                "product": {
                  "name": "cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
                  "product_id": "cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-operator-bundle\u0026tag=4.2.0-8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
                "product": {
                  "name": "cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
                  "product_id": "cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9-operator\u0026tag=4.2.0-15"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
                "product": {
                  "name": "cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
                  "product_id": "cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-storage-rhel9\u0026tag=4.2.0-16"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
                "product": {
                  "name": "cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
                  "product_id": "cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/jfr-datasource-rhel9\u0026tag=4.2.0-10"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
                "product": {
                  "name": "cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
                  "product_id": "cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-agent-init-rhel9\u0026tag=0.7.0-8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
                "product": {
                  "name": "cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
                  "product_id": "cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-db-rhel9\u0026tag=4.2.0-16"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
                "product": {
                  "name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
                  "product_id": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-grafana-dashboard-rhel9\u0026tag=4.2.0-10"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
                "product": {
                  "name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
                  "product_id": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-openshift-console-plugin-rhel9\u0026tag=4.2.0-10"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
                "product": {
                  "name": "cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
                  "product_id": "cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-reports-rhel9\u0026tag=4.2.0-10"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
                "product": {
                  "name": "cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
                  "product_id": "cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9\u0026tag=4.2.0-10"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
                "product": {
                  "name": "cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
                  "product_id": "cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-operator-bundle\u0026tag=4.2.0-8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
                "product": {
                  "name": "cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
                  "product_id": "cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9-operator\u0026tag=4.2.0-15"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
                "product": {
                  "name": "cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
                  "product_id": "cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-storage-rhel9\u0026tag=4.2.0-16"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64",
                "product": {
                  "name": "cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64",
                  "product_id": "cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/jfr-datasource-rhel9\u0026tag=4.2.0-10"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64"
        },
        "product_reference": "cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64"
        },
        "product_reference": "cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64"
        },
        "product_reference": "cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64"
        },
        "product_reference": "cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64"
        },
        "product_reference": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64"
        },
        "product_reference": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64"
        },
        "product_reference": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64"
        },
        "product_reference": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64"
        },
        "product_reference": "cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64"
        },
        "product_reference": "cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64"
        },
        "product_reference": "cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64"
        },
        "product_reference": "cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64"
        },
        "product_reference": "cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64"
        },
        "product_reference": "cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64"
        },
        "product_reference": "cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64"
        },
        "product_reference": "cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64"
        },
        "product_reference": "cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
        },
        "product_reference": "cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64"
        },
        "product_reference": "cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64 as a component of Cryostat 4 on RHEL 9",
          "product_id": "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
        },
        "product_reference": "cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64",
        "relates_to_product_reference": "9Base-Cryostat-4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-48431",
      "cwe": {
        "id": "CWE-763",
        "name": "Release of Invalid Pointer or Reference"
      },
      "discovery_date": "2026-04-28T10:01:26.612789+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2463410"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Thrift c_glib language bindings. A remote attacker could send specially crafted requests to a c_glib-based Thrift server, leading to a mismatched memory management routines vulnerability. This could cause the server to crash with a \"free(): invalid pointer\" error, resulting in a Denial of Service (DoS).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Apache Thrift: c_glib: Apache Thrift c_glib: Denial of Service via specially crafted requests",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
        ],
        "known_not_affected": [
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-48431"
        },
        {
          "category": "external",
          "summary": "RHBZ#2463410",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463410"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-48431",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-48431"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48431",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48431"
        },
        {
          "category": "external",
          "summary": "http://www.openwall.com/lists/oss-security/2026/04/28/8",
          "url": "http://www.openwall.com/lists/oss-security/2026/04/28/8"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql",
          "url": "https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql"
        }
      ],
      "release_date": "2026-04-28T09:11:44.283000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-22T17:15:26+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28010"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Apache Thrift: c_glib: Apache Thrift c_glib: Denial of Service via specially crafted requests"
    },
    {
      "cve": "CVE-2026-9277",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "discovery_date": "2026-05-22T14:01:14.427751+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2480741"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64"
        ],
        "known_not_affected": [
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-9277"
        },
        {
          "category": "external",
          "summary": "RHBZ#2480741",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480741"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-9277",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9277"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277"
        },
        {
          "category": "external",
          "summary": "https://github.com/ljharb/shell-quote",
          "url": "https://github.com/ljharb/shell-quote"
        },
        {
          "category": "external",
          "summary": "https://github.com/ljharb/shell-quote/commit/1518179",
          "url": "https://github.com/ljharb/shell-quote/commit/1518179"
        },
        {
          "category": "external",
          "summary": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p",
          "url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"
        },
        {
          "category": "external",
          "summary": "https://www.npmjs.com/package/shell-quote",
          "url": "https://www.npmjs.com/package/shell-quote"
        }
      ],
      "release_date": "2026-05-22T13:22:38.873000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-22T17:15:26+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28010"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators"
    },
    {
      "cve": "CVE-2026-32281",
      "cwe": {
        "id": "CWE-1050",
        "name": "Excessive Platform Resource Consumption within a Loop"
      },
      "discovery_date": "2026-04-08T02:01:00.930989+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2456333"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
        ],
        "known_not_affected": [
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-32281"
        },
        {
          "category": "external",
          "summary": "RHBZ#2456333",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/758061",
          "url": "https://go.dev/cl/758061"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/78281",
          "url": "https://go.dev/issue/78281"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4946",
          "url": "https://pkg.go.dev/vuln/GO-2026-4946"
        }
      ],
      "release_date": "2026-04-08T01:06:58.354000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-22T17:15:26+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28010"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
    },
    {
      "cve": "CVE-2026-41240",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2026-04-23T16:04:41.751666+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461147"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in DOMPurify, a DOM-only cross-site scripting sanitizer. A remote attacker could exploit an inconsistency in how forbidden tags and attributes are handled when function-based tag additions are used. This allows malicious HTML, MathML, or SVG elements to bypass sanitization and execute arbitrary code in the user\u0027s browser, leading to Cross-Site Scripting (XSS).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64"
        ],
        "known_not_affected": [
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-41240"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461147",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461147"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-41240",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-41240"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-41240",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41240"
        },
        {
          "category": "external",
          "summary": "https://github.com/cure53/DOMPurify/commit/c361baa18dbdcb3344a41110f4c48ad85bf48f80",
          "url": "https://github.com/cure53/DOMPurify/commit/c361baa18dbdcb3344a41110f4c48ad85bf48f80"
        },
        {
          "category": "external",
          "summary": "https://github.com/cure53/DOMPurify/releases/tag/3.4.0",
          "url": "https://github.com/cure53/DOMPurify/releases/tag/3.4.0"
        },
        {
          "category": "external",
          "summary": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-h7mw-gpvr-xq4m",
          "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-h7mw-gpvr-xq4m"
        }
      ],
      "release_date": "2026-04-23T14:54:32.426000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-22T17:15:26+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28010"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization"
    },
    {
      "cve": "CVE-2026-42578",
      "cwe": {
        "id": "CWE-93",
        "name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
      },
      "discovery_date": "2026-05-13T19:02:00.826936+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2477226"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty. The HttpProxyHandler component, which handles HTTP CONNECT requests, does not properly validate user-provided outbound headers. This allows an attacker to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This could lead to unexpected behavior or potential bypass of security controls on the proxy server.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: io.netty/netty-handler-proxy: Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
        ],
        "known_not_affected": [
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42578"
        },
        {
          "category": "external",
          "summary": "RHBZ#2477226",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477226"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42578",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42578"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42578",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42578"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr"
        }
      ],
      "release_date": "2026-05-13T17:57:43.538000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-22T17:15:26+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28010"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: io.netty/netty-handler-proxy: Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation"
    },
    {
      "cve": "CVE-2026-42579",
      "cwe": {
        "id": "CWE-1286",
        "name": "Improper Validation of Syntactic Correctness of Input"
      },
      "discovery_date": "2026-05-13T19:01:25.062732+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2477217"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty. Netty\u0027s DNS (Domain Name System) codec does not properly enforce domain name constraints as defined in RFC 1035 during both encoding and decoding processes. This vulnerability allows a remote attacker to exploit the decoder using malicious DNS responses or exploit the encoder through user-influenced hostnames, leading to a high integrity impact on the affected system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: Netty: High integrity impact due to improper DNS domain name constraint enforcement",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important integrity flaw in Netty\u0027s DNS codec. The vulnerability arises from insufficient enforcement of RFC 1035 domain name constraints during both encoding and decoding, allowing remote attackers to manipulate DNS responses or user-controlled hostnames. This could lead to a high integrity impact on affected Red Hat products that utilize the vulnerable Netty DNS codec.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
        ],
        "known_not_affected": [
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42579"
        },
        {
          "category": "external",
          "summary": "RHBZ#2477217",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477217"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42579",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42579"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42579",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42579"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm"
        }
      ],
      "release_date": "2026-05-13T18:01:52.500000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-22T17:15:26+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28010"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: Netty: High integrity impact due to improper DNS domain name constraint enforcement"
    },
    {
      "cve": "CVE-2026-42581",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2026-05-13T19:02:26.404511+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2477232"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty\u0027s HttpObjectDecoder. A remote attacker can exploit this by sending a specially crafted HTTP/1.0 request that includes both `Transfer-Encoding: chunked` and `Content-Length` headers. While Netty correctly strips the conflicting `Content-Length` header for HTTP/1.1 messages, this guard is absent for HTTP/1.0. This can lead to HTTP request smuggling, where downstream proxies or handlers may misinterpret message boundaries, potentially allowing an attacker to bypass security controls or access unauthorized information.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: io.netty/netty-codec-http: Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important flaw. Netty\u0027s HttpObjectDecoder, used across various Red Hat products, improperly handles conflicting `Transfer-Encoding: chunked` and `Content-Length` headers in HTTP/1.0 requests. This allows a remote attacker to perform HTTP request smuggling, potentially bypassing security controls or gaining unauthorized access to information due to misinterpretation of message boundaries by downstream proxies or handlers.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
        ],
        "known_not_affected": [
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42581"
        },
        {
          "category": "external",
          "summary": "RHBZ#2477232",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477232"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42581",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42581"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42581",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42581"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9"
        }
      ],
      "release_date": "2026-05-13T17:54:44.492000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-22T17:15:26+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28010"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: io.netty/netty-codec-http: Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers"
    },
    {
      "cve": "CVE-2026-42584",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2026-05-13T19:01:51.846351+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2477224"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty, an asynchronous, event-driven network application framework. A remote attacker could exploit this vulnerability by sending a specific sequence of HTTP responses (103, followed by a 200 with a GET body, then another 200 for a HEAD request) when the client pipelines GET then HEAD requests. This can cause the HttpClientCodec to incorrectly pair responses, leading to subsequent HTTP responses being parsed from the wrong offset. This issue may result in information disclosure or other data integrity problems due to misinterpretation of network traffic.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Important: A flaw in Netty\u0027s HttpClientCodec allows a remote attacker to cause data confusion. By sending a specially crafted sequence of HTTP responses, an attacker can cause subsequent HTTP responses to be parsed incorrectly, potentially leading to information disclosure or data integrity issues in applications utilizing Netty for HTTP client operations. This vulnerability affects various Red Hat products that bundle Netty, including Red Hat AMQ, Enterprise Application Platform, Red Hat Build of Quarkus, and Red Hat Build of Keycloak.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
        ],
        "known_not_affected": [
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42584"
        },
        {
          "category": "external",
          "summary": "RHBZ#2477224",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477224"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42584",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42584"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42584",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42584"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3"
        }
      ],
      "release_date": "2026-05-13T18:10:48.437000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-22T17:15:26+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28010"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion"
    },
    {
      "cve": "CVE-2026-42587",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-05-13T19:01:35.415881+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2477220"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli (br), Zstandard (zstd), or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an out-of-memory Denial of Service (DoS) for the affected system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important denial of service vulnerability in Netty\u0027s HTTP content decompression. A remote attacker can exploit this flaw by sending specially crafted compressed payloads using Brotli, Zstandard, or Snappy encodings, bypassing configured decompression limits. This leads to unbounded memory allocation, potentially causing an out-of-memory condition and rendering affected Red Hat systems unavailable.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
        ],
        "known_not_affected": [
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42587"
        },
        {
          "category": "external",
          "summary": "RHBZ#2477220",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477220"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42587",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42587"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42587",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42587"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv"
        }
      ],
      "release_date": "2026-05-13T18:22:21.699000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-22T17:15:26+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28010"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression"
    },
    {
      "cve": "CVE-2026-43869",
      "cwe": {
        "id": "CWE-295",
        "name": "Improper Certificate Validation"
      },
      "discovery_date": "2026-05-05T08:00:56.417384+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2466660"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Thrift. This vulnerability involves improper validation of a certificate with a host mismatch, which could allow a remote attacker to bypass security checks. By presenting a specially crafted certificate, an attacker may impersonate a legitimate server or client. This could lead to a security bypass, potentially enabling unauthorized access or information disclosure.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Apache Thrift: Apache Thrift: Security bypass due to improper certificate validation",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
        ],
        "known_not_affected": [
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
          "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
          "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-43869"
        },
        {
          "category": "external",
          "summary": "RHBZ#2466660",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466660"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-43869",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-43869"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-43869",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43869"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/3hsgl1b69wzq3ry39scqbv2dhyl3j52r",
          "url": "https://lists.apache.org/thread/3hsgl1b69wzq3ry39scqbv2dhyl3j52r"
        }
      ],
      "release_date": "2026-05-05T07:25:48.611000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-22T17:15:26+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28010"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:b24e82ee4ae599b923a24317121f5e510dfb97497d0685745c02bd800734e993_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:cdecc70f89a5ab3e5814561bca539a070389eca8566e84397a0e998f3ccb88e6_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:064fa3780f79011c98dcabe589fedaa66755904e298714d3753b06dc07011e6e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6259b43f01e14bcfd66cc720f0e385a26c25e38d6085581cf52de5f1955edbed_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:42700ce6541e2e989b2f2f11877139e0283bb6b62f2c7988f24703a809798c6f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:c9a5f19878b38c4e3cd2cc1f0afb9b5c3e51f93195c6d2a789d5a2ebd5c40f20_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d11c60a59969db188675694ea70e975347645da7dddcba451856f93715d46a4f_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:ec4ad72eeff4ad2c81e22f2b6d29dc0113ac38a163de3245c8ff84e738b3892a_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:08bc4c4c4049ece749ebbf00e2da6f4e2da1fd28635508268f13e4c8ee81f001_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:131c5273c1cfc51060514f8ffe76ec2999ccd39e598dee09a2f151addbae9cb4_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:a84bde7d350a83bbdc60ef80bdcad3d1d4c7794816ee02c3bbcd185a0881c838_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:ba96c3f24fb861b6214f6a7b1bf778deb032a654542c40a5af9eebdcfece3834_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:4cd0a3b5132ee4bfd17332247a254b680cacb4501792055a2772712a65fae3c9_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:76a3ad2cb49b44aaee57c952c1a8a70884eac5d39bae85cddf8e995dfb20a75e_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:0a59132b639c754650bc38b836a636a76ab27531a0b2e67258e61984c32e903d_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:dfda0b39740b52574fa44dd8830338c1b51b0027c78e3a679a1f0ba7f8dbddbd_arm64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:4ebed4d89315d7f8baa80d8f54d26351ff8e7aac7c29dfb8dd28acb455ecba65_amd64",
            "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:9c5a9f6f958e02c89bdee98fe828e23ede3ec50f2386ab2f479d8dff1dce99e2_arm64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:391f217a593b1992f949590b6084343acf3935ed039da1b137a62184d664a50f_amd64",
            "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:68307d0f051583a1fcba76766c731686e4f50159935d7b9578eba4847227dab2_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Apache Thrift: Apache Thrift: Security bypass due to improper certificate validation"
    }
  ]
}

CVE-2025-48431 (GCVE-0-2025-48431)

Vulnerability from cvelistv5 – Published: 2026-04-28 09:11 – Updated: 2026-04-28 13:55

Title

Apache Thrift: Specially crafted input can crash a c_glib Thrift server with invalid pointer error.

Summary

Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash an c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-762 - Mismatched Memory Management Routines

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/lb4j0zyd5f3g36cos…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/04/28/8

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Thrift	Affected: 0 , < 0.23.0 (semver)

Credits

Hasnain Lakhani Hasnain Lakhani

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-28T09:50:39.269Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/28/8"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-48431",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-28T13:54:53.014882Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-28T13:55:52.591Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Thrift",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "0.23.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hasnain Lakhani"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Hasnain Lakhani"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Thrift: before 0.23.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.23.0, which fixes the issue.\u003cbr\u003e\u003cbr\u003eDescription: Specially crafted requests can crash an c_glib-based Thrift server with a clean but fatal \"free(): invalid pointer\" error message.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.\n\nDescription: Specially crafted requests can crash an c_glib-based Thrift server with a clean but fatal \"free(): invalid pointer\" error message."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-762",
              "description": "CWE-762 Mismatched Memory Management Routines",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T09:11:44.283Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Thrift: Specially crafted input can crash a c_glib Thrift server with invalid pointer error.",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-48431",
    "datePublished": "2026-04-28T09:11:44.283Z",
    "dateReserved": "2025-05-20T20:27:01.040Z",
    "dateUpdated": "2026-04-28T13:55:52.591Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32281 (GCVE-0-2026-32281)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:19

Title

Inefficient policy validation in crypto/x509

Summary

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

4 references

URL	Tags
https://go.dev/cl/758061
https://go.dev/issue/78281
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4946

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Jakub Ciolek - https://ciolek.dev

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32281",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:52:37.734298Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:19:44.779Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "policiesValid"
            },
            {
              "name": "Certificate.Verify"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:58.354Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/758061"
        },
        {
          "url": "https://go.dev/issue/78281"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4946"
        }
      ],
      "title": "Inefficient policy validation in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32281",
    "datePublished": "2026-04-08T01:06:58.354Z",
    "dateReserved": "2026-03-11T16:38:46.556Z",
    "dateUpdated": "2026-04-13T18:19:44.779Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41240 (GCVE-0-2026-41240)

Vulnerability from cvelistv5 – Published: 2026-04-23 14:54 – Updated: 2026-04-23 17:21

Title

DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)

Summary

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not applied to FORBID_TAGS. At line 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely. This allows forbidden elements to survive sanitization with their attributes intact. Version 3.4.0 patches the issue.

Severity

6 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-183 - Permissive List of Allowed Inputs
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/cure53/DOMPurify/security/advi…	x_refsource_CONFIRM
https://github.com/cure53/DOMPurify/commit/c361ba…	x_refsource_MISC
https://github.com/cure53/DOMPurify/releases/tag/3.4.0	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
cure53	DOMPurify	Affected: < 3.4.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41240",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-23T17:21:26.630611Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-23T17:21:30.547Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-h7mw-gpvr-xq4m"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "DOMPurify",
          "vendor": "cure53",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not applied to FORBID_TAGS. At line 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely. This allows forbidden elements to survive sanitization with their attributes intact. Version 3.4.0 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-183",
              "description": "CWE-183: Permissive List of Allowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-23T14:54:32.426Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-h7mw-gpvr-xq4m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-h7mw-gpvr-xq4m"
        },
        {
          "name": "https://github.com/cure53/DOMPurify/commit/c361baa18dbdcb3344a41110f4c48ad85bf48f80",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cure53/DOMPurify/commit/c361baa18dbdcb3344a41110f4c48ad85bf48f80"
        },
        {
          "name": "https://github.com/cure53/DOMPurify/releases/tag/3.4.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cure53/DOMPurify/releases/tag/3.4.0"
        }
      ],
      "source": {
        "advisory": "GHSA-h7mw-gpvr-xq4m",
        "discovery": "UNKNOWN"
      },
      "title": "DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41240",
    "datePublished": "2026-04-23T14:54:32.426Z",
    "dateReserved": "2026-04-18T03:47:03.135Z",
    "dateUpdated": "2026-04-23T17:21:30.547Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42578 (GCVE-0-2026-42578)

Vulnerability from cvelistv5 – Published: 2026-05-13 17:57 – Updated: 2026-05-13 18:37

Title

Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation

Summary

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Severity

2.9 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/netty/netty/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
netty	netty	Affected: >= 4.2.0.Alpha1, < 4.2.13.Final Affected: < 4.1.133.Final

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42578",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T18:36:58.234828Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T18:37:18.204Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
            },
            {
              "status": "affected",
              "version": "\u003c 4.1.133.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty\u0027s HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-113",
              "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T17:57:43.538Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr"
        }
      ],
      "source": {
        "advisory": "GHSA-45q3-82m4-75jr",
        "discovery": "UNKNOWN"
      },
      "title": "Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42578",
    "datePublished": "2026-05-13T17:57:43.538Z",
    "dateReserved": "2026-04-28T17:26:12.085Z",
    "dateUpdated": "2026-05-13T18:37:18.204Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42579 (GCVE-0-2026-42579)

Vulnerability from cvelistv5 – Published: 2026-05-13 18:01 – Updated: 2026-05-18 15:40

Title

Netty: DNS Codec Input Validation Bypass in Netty (Encoder + Decoder)

Summary

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-20 - Improper Input Validation
CWE-400 - Uncontrolled Resource Consumption
CWE-626 - Null Byte Interaction Error (Poison Null Byte)

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/netty/netty/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
netty	netty	Affected: >= 4.2.0.Alpha1, < 4.2.13.Final Affected: < 4.1.133.Final

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42579",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-18T15:39:59.449891Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-18T15:40:22.534Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
            },
            {
              "status": "affected",
              "version": "\u003c 4.1.133.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty\u0027s DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-626",
              "description": "CWE-626: Null Byte Interaction Error (Poison Null Byte)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T18:01:52.500Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm"
        }
      ],
      "source": {
        "advisory": "GHSA-cm33-6792-r9fm",
        "discovery": "UNKNOWN"
      },
      "title": "Netty: DNS Codec Input Validation Bypass in Netty (Encoder + Decoder)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42579",
    "datePublished": "2026-05-13T18:01:52.500Z",
    "dateReserved": "2026-04-28T17:26:12.085Z",
    "dateUpdated": "2026-05-18T15:40:22.534Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42581 (GCVE-0-2026-42581)

Vulnerability from cvelistv5 – Published: 2026-05-13 17:54 – Updated: 2026-05-13 18:42

Title

Netty: HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization

Summary

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Severity

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/netty/netty/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
netty	netty	Affected: >= 4.2.0.Alpha1, < 4.2.13.Final Affected: < 4.1.133.Final

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42581",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T18:42:38.397208Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T18:42:59.711Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
            },
            {
              "status": "affected",
              "version": "\u003c 4.1.133.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T17:54:44.492Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9"
        }
      ],
      "source": {
        "advisory": "GHSA-xxqh-mfjm-7mv9",
        "discovery": "UNKNOWN"
      },
      "title": "Netty: HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42581",
    "datePublished": "2026-05-13T17:54:44.492Z",
    "dateReserved": "2026-04-28T17:26:12.085Z",
    "dateUpdated": "2026-05-13T18:42:59.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42584 (GCVE-0-2026-42584)

Vulnerability from cvelistv5 – Published: 2026-05-13 18:10 – Updated: 2026-05-13 18:35

Title

Netty: HttpClientCodec response desynchronization

Summary

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Severity

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/netty/netty/security/advisorie…	x_refsource_CONFIRM

Impacted products

2 products

Vendor	Product	Version
netty	netty	Affected: >= 4.2.0.Alpha1, < 4.2.13.Final Affected: < 4.1.133.Final
io.netty	netty-codec-http	Affected: >= 4.2.0.Alpha1, < 4.2.13.Final Affected: < 4.1.133.Final

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42584",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T18:35:01.642953Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T18:35:05.734Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
            },
            {
              "status": "affected",
              "version": "\u003c 4.1.133.Final"
            }
          ]
        },
        {
          "product": "netty-codec-http",
          "vendor": "io.netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
            },
            {
              "status": "affected",
              "version": "\u003c 4.1.133.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message\u2019s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T18:10:48.437Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3"
        }
      ],
      "source": {
        "advisory": "GHSA-57rv-r2g8-2cj3",
        "discovery": "UNKNOWN"
      },
      "title": "Netty: HttpClientCodec response desynchronization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42584",
    "datePublished": "2026-05-13T18:10:48.437Z",
    "dateReserved": "2026-04-28T17:26:12.086Z",
    "dateUpdated": "2026-05-13T18:35:05.734Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42587 (GCVE-0-2026-42587)

Vulnerability from cvelistv5 – Published: 2026-05-13 18:22 – Updated: 2026-05-13 18:44

Title

Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS

Summary

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/netty/netty/security/advisorie…	x_refsource_CONFIRM

Impacted products

3 products

Vendor	Product	Version
netty	netty	Affected: >= 4.2.0.Alpha1, < 4.2.13.Final Affected: < 4.1.133.Final
io.netty	netty-codec-http	Affected: >= 4.2.0.Alpha1, < 4.2.13.Final Affected: < 4.1.133.Final
io.netty	netty-codec-http2	Affected: >= 4.2.0.Alpha1, < 4.2.13.Final Affected: < 4.1.133.Final

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42587",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T18:43:31.138358Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T18:44:09.298Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
            },
            {
              "status": "affected",
              "version": "\u003c 4.1.133.Final"
            }
          ]
        },
        {
          "product": "netty-codec-http",
          "vendor": "io.netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
            },
            {
              "status": "affected",
              "version": "\u003c 4.1.133.Final"
            }
          ]
        },
        {
          "product": "netty-codec-http2",
          "vendor": "io.netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
            },
            {
              "status": "affected",
              "version": "\u003c 4.1.133.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T18:22:21.699Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv"
        }
      ],
      "source": {
        "advisory": "GHSA-f6hv-jmp6-3vwv",
        "discovery": "UNKNOWN"
      },
      "title": "Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42587",
    "datePublished": "2026-05-13T18:22:21.699Z",
    "dateReserved": "2026-04-28T17:26:12.086Z",
    "dateUpdated": "2026-05-13T18:44:09.298Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43869 (GCVE-0-2026-43869)

Vulnerability from cvelistv5 – Published: 2026-05-05 07:25 – Updated: 2026-05-06 13:01

Title

Apache Thrift: TSSLTransportFactory.java hostname verification

Summary

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Severity

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-297 - Improper Validation of Certificate with Host Mismatch

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/3hsgl1b69wzq3ry39…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/05/05/3

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Thrift	Affected: 0 , < 0.23.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-05T07:42:21.000Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/05/3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-43869",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-06T13:01:36.994667Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-06T13:01:42.213Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Thrift",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "0.23.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Thrift: before 0.23.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.23.0, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-297",
              "description": "CWE-297 Improper Validation of Certificate with Host Mismatch",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T07:25:48.611Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/3hsgl1b69wzq3ry39scqbv2dhyl3j52r"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Thrift: TSSLTransportFactory.java hostname verification",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-43869",
    "datePublished": "2026-05-05T07:25:48.611Z",
    "dateReserved": "2026-05-04T14:22:44.030Z",
    "dateUpdated": "2026-05-06T13:01:42.213Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9277 (GCVE-0-2026-9277)

Vulnerability from cvelistv5 – Published: 2026-05-22 13:22 – Updated: 2026-05-23 03:04

Title

shell-quote `quote()` does not validate object-token shapes, allowing command injection via line terminators in `.op`

Summary

shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: '...\n...' }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser's control-operator allowlist; `{ op: 'glob', pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

9.2 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Assigner

harborist

References

5 references

URL	Tags
https://github.com/ljharb/shell-quote/security/ad…	vendor-advisory
https://github.com/ljharb/shell-quote/commit/1518179	patch
https://github.com/ljharb/shell-quote	product
https://www.npmjs.com/package/shell-quote	product
http://www.openwall.com/lists/oss-security/2026/05/23/2

Impacted products

1 product

Vendor	Product	Version
	shell-quote	Affected: 1.1.0 , < 1.8.4 (semver)

Credits

Akshat Sinha (@akshatgit) Jordan Harband (@ljharb)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9277",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T14:17:31.964845Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T14:17:39.549Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-23T03:04:40.537Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/23/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.npmjs.com/package/shell-quote",
          "defaultStatus": "unaffected",
          "packageName": "shell-quote",
          "product": "shell-quote",
          "programFiles": [
            "quote.js"
          ],
          "repo": "https://github.com/ljharb/shell-quote",
          "versions": [
            {
              "lessThan": "1.8.4",
              "status": "affected",
              "version": "1.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Akshat Sinha (@akshatgit)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jordan Harband (@ljharb)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eshell-quote\u0027s `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\\n, \\r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: \u0027...\\n...\u0027 }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser\u0027s control-operator allowlist; `{ op: \u0027glob\u0027, pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.\u003c/p\u003e"
            }
          ],
          "value": "shell-quote\u0027s `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\\n, \\r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: \u0027...\\n...\u0027 }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser\u0027s control-operator allowlist; `{ op: \u0027glob\u0027, pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T13:22:38.873Z",
        "orgId": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
        "shortName": "harborist"
      },
      "references": [
        {
          "name": "GHSA-w7jw-789q-3m8p",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"
        },
        {
          "name": "Fix commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/ljharb/shell-quote/commit/1518179"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/ljharb/shell-quote"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.npmjs.com/package/shell-quote"
        }
      ],
      "source": {
        "advisory": "GHSA-w7jw-789q-3m8p",
        "discovery": "EXTERNAL"
      },
      "title": "shell-quote `quote()` does not validate object-token shapes, allowing command injection via line terminators in `.op`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
    "assignerShortName": "harborist",
    "cveId": "CVE-2026-9277",
    "datePublished": "2026-05-22T13:22:38.873Z",
    "dateReserved": "2026-05-22T12:13:25.893Z",
    "dateUpdated": "2026-05-23T03:04:40.537Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:28010

CVE-2025-48431 (GCVE-0-2025-48431)

CVE-2026-32281 (GCVE-0-2026-32281)

CVE-2026-41240 (GCVE-0-2026-41240)

CVE-2026-42578 (GCVE-0-2026-42578)

CVE-2026-42579 (GCVE-0-2026-42579)

CVE-2026-42581 (GCVE-0-2026-42581)

CVE-2026-42584 (GCVE-0-2026-42584)

CVE-2026-42587 (GCVE-0-2026-42587)

CVE-2026-43869 (GCVE-0-2026-43869)

CVE-2026-9277 (GCVE-0-2026-9277)

Tags

Sightings

Nomenclature