Critical/high still unreviewed, or CISA KEV listed
Heap buffer overflow in sasl_io_recv() via padded SASL UNBIND. Red Hat rates this important (CVSS 8.8). Weakness: CWE-122. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
sudo LDAP provider searches entire directory tree for sudoRole objects by default, enabling privilege escalation. Red Hat rates this important (CVSS 8.8). Weakness: CWE-1188. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted BDF font file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted GD 2.x image file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-1285. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via excessive memory allocation when processing font files. Red Hat rates this important (CVSS 7.5). Weakness: CWE-1050. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Unbounded GraphQL query depth allows authenticated denial of service. Red Hat rates this important (CVSS 7.7). Weakness: CWE-400. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Crypt::DSA: Crypt::DSA: Private key recovery due to biased random number generation. Red Hat rates this important (CVSS 7.5). Weakness: CWE-338. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Arbitrary Code Execution via Untrusted JAR File Loading. Red Hat rates this important (CVSS 7.8). Weakness: CWE-347. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Fix shadow paging use-after-free due to unexpected role. Red Hat rates this important (CVSS 7). Weakness: CWE-825. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Require in-GHCB scratch area if GHCB v2+ is in use. Red Hat rates this important (CVSS 7). Weakness: CWE-787. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation path In __ip6_append_data(), when the paged-allocation branch is taken (MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are computed as alloclen = fragheaderlen + transhdrlen; pagedlen = datalen - transhdrlen; datalen already includes fraggap (datalen = length + fraggap). When fraggap is non-zero, this is not the first skb and transhdrlen is zero. The fraggap bytes carried over from the previous skb are copied just past the fragment headers in the new skb's linear area. The linear area is therefore undersized by fraggap bytes while pagedlen is overstated by the same amount, and the copy writes past skb->end into the trailing skb_shared_info. An unprivileged user can trigger this via a UDPv6 socket using MSG_MORE together with MSG_SPLICE_PAGES. The bad accounting was introduced by commit 773ba4fe9104 ("ipv6: avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix __ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative copy value caused -EINVAL to be returned. That later commit allowed MSG_SPLICE_PAGES to proceed in this case, making the corruption triggerable. The non-paged branch sets alloclen to fraglen, which already accounts for fraggap because datalen does. Bring the paged branch in line by adding fraggap to alloclen and subtracting it from pagedlen. After this adjustment, copy no longer collapses to -fraggap on the paged path, so remove the stale comment describing that old arithmetic. Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES case, remove the MSG_SPLICE_PAGES exception from the negative copy check. A flaw was found in the Linux kernel's ipv6 networking subsystem. An incorrect parameter length calculation allows an attacker with permissions to create UDP sockets to trigger overwrites of kernel memory, potentially leading to privilege escalation, data corruption, or a system crash. Red Hat severity: Important — CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-130. Fixed by RHSA-2026:34911, RHSA-2026:35840 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 10.0 Extended Update Support.
Incomplete Fix for CVE-2026-8631. Red Hat rates this important (CVSS 9.8). Weakness: CWE-190. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Arbitrary code execution via deserialization vulnerability. Red Hat rates this important (CVSS 8.8). Weakness: CWE-502. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Man-in-the-middle attack via SSH host key bypass. Red Hat rates this important (CVSS 7.4). Weakness: CWE-347. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Information disclosure due to persistent Referer header. Red Hat rates this important (CVSS 7.5). Weakness: CWE-201. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Information disclosure via cached SSL session and early data. Red Hat rates this important (CVSS 7.5). Weakness: CWE-295. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Use-after-free via curl_easy_pause() in CURLMOPT_SOCKETFUNCTION callback. Red Hat rates this important (CVSS 7.3). Weakness: CWE-825. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Information disclosure due to failure to clear proxy authentication credentials. Red Hat rates this important (CVSS 7.5). Weakness: CWE-212. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Security feature bypass due to improper mTLS connection reuse. Red Hat rates this important (CVSS 7.5). Weakness: CWE-1025. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Information disclosure due to uncleared proxy authentication state. Red Hat rates this important (CVSS 7.5). Weakness: CWE-201. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Double-free vulnerability in SASL authentication. Red Hat rates this important (CVSS 8.1). Weakness: CWE-1341. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Insecure connection establishment due to TLS configuration mismatch. Red Hat rates this important (CVSS 8.1). Weakness: CWE-295. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
SSH host verification bypass when using schemeless URLs with SFTP/SCP. Red Hat rates this important (CVSS 7.5). Weakness: CWE-358. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via WebSocket PING flood. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Remote denial of service via QUIC UDP receive function vulnerability. Red Hat rates this important (CVSS 7.5). Weakness: CWE-835. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Arbitrary file read and code execution via path traversal. Red Hat rates this important (CVSS 7.5). Weakness: CWE-22. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service in TLS 1.3 session ticket handling. Red Hat rates this important (CVSS 7.5). Weakness: CWE-130. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via unvalidated endpoint URL length. Red Hat rates this important (CVSS 7.5). Weakness: CWE-1284. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via uncontrolled resource consumption in JSON parsing. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
It was discovered that the Linux kernel algif_aead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-31431) It was discovered that the Linux kernel did not properly handle shared page fragments during socket buffer operations, collectively known as Dirty Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the RxRPC networking subsystem when processing paged fragments. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000) It was discovered that a logic flaw existed in the XFRM ESP-in-TCP subsystem in the Linux kernel when handling socket buffer fragments. This flaw is known as Fragnesia. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-43503, CVE-2026-46300) Qualys discovered that a race condition existed in the ptrace subsystem of the Linux kernel when privileged processes are exiting. An unprivileged local attacker could use this issue to expose sensitive information. (CVE-2026-46333) Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 contain a memory leak when handling AppArmor notifications. A local attacker could use this to cause resource exhaustion. Affected Ubuntu releases: 24.04. CVEs: CVE-2026-43314, CVE-2026-45974, CVE-2025-71291, CVE-2026-45870, CVE-2026-43341, CVE-2026-47332, CVE-2026-23229, CVE-2026-47326….
Authentication bypass due to improper input neutralization. Red Hat rates this critical (CVSS 9.1). Weakness: CWE-140. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Remote code execution via JNDI injection. Red Hat rates this important (CVSS 7.5). Weakness: CWE-502. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
SQL Injection vulnerability. Red Hat rates this important (CVSS 7.3). Weakness: CWE-89. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Security bypass via Container Device Interface (CDI) annotation smuggling during checkpoint restoration.. Red Hat rates this important (CVSS 8.2). Weakness: CWE-807. Affected package(s): syft-main, trivy-main. Resolved in Red Hat advisory RHSA-2026:15862 — update the affected packages (`sudo dnf update`).
Privilege escalation via incorrect user ID handling. Red Hat rates this important (CVSS 7.8). Weakness: CWE-681. Affected package(s): trivy-main. Resolved in Red Hat advisory RHSA-2026:35111 — update the affected packages (`sudo dnf update`).
Denial of Service via excessive HTTP headers. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted ALZ file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-120. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted DMG file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-190. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted 7z file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-120. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted PESpin file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-120. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted InstallShield file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted Portable Executable (PE) files. Red Hat rates this important (CVSS 7.5). Weakness: CWE-787. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Denial of Service via crafted FSG file parsing. Red Hat rates this important (CVSS 7.5). Weakness: CWE-787. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Privilege escalation to administrator-level access via usergroup role assignment manipulation. Red Hat rates this important (CVSS 8.8). Weakness: CWE-266. Affected package(s): foreman. Resolved in Red Hat advisory RHSA-2026:34366 — update the affected packages (`sudo dnf update`).
Authentication bypass via predictable session IDs. Red Hat rates this important (CVSS 7.4). Weakness: CWE-331. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Host-root command execution via unvalidated image config labels in CRI plugin. Red Hat rates this important (CVSS 8.8). Weakness: CWE-78. Affected package(s): multicluster-engine/assisted-service, trivy-main. Resolved in Red Hat advisory RHSA-2026:36167 — update the affected packages (`sudo dnf update`).
c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0 in combination with other libraries, can compose to a "sink" for deserialization gadgets. The JDBC spec's DataSource.getConnection() and ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as "properties" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious DataSource objects whose property lookups invoke vulnerable drivers, then smuggle them in serialized form to where an application deserializes and auto-resolves bean properties — triggering the attack. This requires a susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on = deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an essential component of the trigger. This issue has been fixed in version 0.14.0. A flaw was found in c3p0, a JDBC Connection pooling library. This vulnerability allows a remote attacker to potentially execute arbitrary code by crafting a malicious data source object. When an application deserializes this object and automatically resolves its properties, it can trigger vulnerable JDBC drivers. This requires specific conditions, including the presence of a susceptible JDBC driver and a mechanism for automatic property resolution during deserialization. A flaw was found in c3p0. Prior to version 0.14.0, c3p0's DataSource and ConnectionPoolDataSource implementations expose getConnection() and getPooledConnection() as JavaBean properties. During deserialization, carrier libraries such as Apache Commons BeanUtils automatically invoke these getters, which can trigger calls into JDBC drivers. An attacker who can deliver a crafted serialized object to an application could exploit this to achieve remote code execution. Successful exploitation requires all of the following prerequisites to be met: 1. c3p0 < 0.14.0 on the application classpath 2. A vulnerable JDBC driver on the classpath 3. A carrier library that auto-reads JavaBean properties during deserialization (e.g., commons-beanutils with a Comparator in a sorted collection) 4. A deserialization entry point that processes attacker-controlled data (e.g., via RMI, JMX, or HTTP) This is a gadget chain attack where c3p0 provides one essential component. Removing any single prerequisite from the classpath prevents exploitation. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-502. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships. Will not fix / out of support: Red Hat Fuse 7.
electron-updater allows for automatic updates for Electron apps. Prior to 26.15.0, AppImage targets built by app-builder-lib could use an empty path component when setting the LD_LIBRARY_PATH environment variable at runtime. This causes the current working directory to be added to the dynamic linker search path, which may allow an attacker to execute arbitrary code by placing a malicious shared library in the directory from which the AppImage is launched. This issue has been fixed in version 26.15.0. A flaw was found in electron-updater, a component used for automatic updates in Electron applications. This vulnerability arises because AppImage targets, built by app-builder-lib, incorrectly add the current working directory to the dynamic linker search path when setting the LD_LIBRARY_PATH environment variable. An attacker could exploit this by placing a malicious program in the same directory as an AppImage, which would then be executed when the AppImage is launched. This could allow the attacker to run arbitrary code on the affected system. The vulnerability in electron-builder's AppImage packaging only affects applications distributed as AppImage format, where an empty LD_LIBRARY_PATH component causes the current working directory to be added to the dynamic linker search path. Red Hat products that bundle electron-builder components are not affected: the goose RPM is distributed as an RPM package (not AppImage), and Podman Desktop uses Flatpak and tar.gz targets on Linux (AppImage is not configured in its electron-builder config). The vulnerable AppImage code path is never exercised in any Red Hat product. Red Hat severity: Important — CVSS 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). Weakness: CWE-427. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Improper Input Validation vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. An attacker that has access to publish or modify entries in LDAP that match the configured searchBase and searchFilter can instantiate denied transports inside the broker JVM. This can be used to fetch an attacker URL and spawn a second BrokerService inside the same JVM. This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue. A flaw was found in Apache ActiveMQ. An attacker with privileges to publish or modify entries in Lightweight Directory Access Protocol (LDAP) can exploit an improper input validation vulnerability. This allows the attacker to instantiate denied transports within the broker's Java Virtual Machine (JVM). Consequently, this can be used to fetch an attacker-controlled URL and launch an additional BrokerService within the same JVM, potentially leading to a denial of service or further system compromise. Red Hat products ship Apache ActiveMQ Classic components as transitive dependencies. The vulnerability is in the LdapNetworkConnector feature specific to Classic ActiveMQ, which allows an attacker with LDAP write access to instantiate denied transports and spawn a rogue broker. This feature is not configured or used in any Red Hat product deployment. Red Hat AMQ Broker is based on Apache ActiveMQ Artemis, a separate codebase that does not include the LdapNetworkConnector. Red Hat severity: Important — CVSS 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H). Weakness: CWE-90. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue. A flaw was found in Apache ActiveMQ. A remote, unauthenticated attacker can exploit an improper input validation vulnerability by sending a specially crafted message with a negative content-length to an exposed STOMP connector. This can lead to a denial of service (DoS) condition, either by consuming excessive memory and causing an Out-Of-Memory (OOM) error or by forcing the abnormal closure of affected connections. Red Hat products ship Apache ActiveMQ Classic components as transitive dependencies. The vulnerability is in the Classic ActiveMQ STOMP connector's content-length validation, allowing an unauthenticated attacker to cause OOM via a negative content-length value. Apache ActiveMQ Artemis, which powers Red Hat AMQ Broker, has its own STOMP protocol implementation (artemis-stomp-protocol) that does not share this code path. The Classic STOMP connector is not exposed in Red Hat product deployments. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-839. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ All. An unauthenticated network attacker can cause a broker DoS by sending a crafted WireFormatInfo frame with a malicious large size value. The value is not validate and causes the broker to attempt allocation during pre-auth negotiation which can trigger OOM and crash the broker. This issue affects Apache ActiveMQ Client: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue. A flaw was found in Apache ActiveMQ. An unauthenticated network attacker can exploit this vulnerability by sending a specially crafted WireFormatInfo frame with an excessively large size value. This unvalidated value causes the broker to attempt an oversized memory allocation during pre-authentication negotiation. Consequently, this can lead to an Out Of Memory (OOM) error, resulting in a Denial of Service (DoS) and crashing the broker. A flaw was found in Apache ActiveMQ Classic's OpenWire protocol handling. An unauthenticated remote attacker can crash the broker by sending a crafted WireFormatInfo frame with a malicious oversized value during pre-authentication protocol negotiation, causing an Out of Memory condition. Red Hat AMQ Broker is based on Apache ActiveMQ Artemis, but its OpenWire protocol support delegates wire format negotiation to Classic ActiveMQ's activemq-client code, which is vulnerable to this attack on the OpenWire listener port. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-770. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships. Will not fix / out of support: Red Hat Fuse 7.
Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Following the fix for CVE-2026-49270 an unauthenticated attacker can now cause broker OOM by sending an repeated BrokerInfo commands without sending a ConnectionInfo, until the broker will crash with OOM. This issue affects Apache ActiveMQ Broker: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ All: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue. A flaw was found in Apache ActiveMQ. An unauthenticated remote attacker can exploit this vulnerability by repeatedly sending BrokerInfo commands without corresponding ConnectionInfo commands. This can lead to an Out of Memory condition, causing the broker to crash and resulting in a Denial of Service. Red Hat products that include Apache ActiveMQ classic components ship versions prior to 5.19.7 (5.x line) and prior to 6.2.6 (6.x line). The vulnerable code was introduced as a regression in versions 5.19.7 and 6.2.6 while fixing CVE-2026-49270, and is not present in the versions shipped by Red Hat. Products shipping Apache ActiveMQ Artemis are not affected as Artemis is a separate codebase. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-770. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. An unauthenticated client that opens a STOMP NIO connection can send header bytes that never terminate which makes the broker buffer them without limit, exhausting the JVM heap. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue. Red Hat products ship Apache ActiveMQ Classic components as transitive dependencies. The vulnerability is in the Classic ActiveMQ STOMP NIO codec, which does not limit the size of header byte buffering, allowing an unauthenticated attacker to exhaust JVM heap memory. Apache ActiveMQ Artemis, which powers Red Hat AMQ Broker, has its own STOMP protocol implementation (artemis-stomp-protocol) that does not share this code path. The Classic STOMP NIO codec is not exposed in Red Hat product deployments. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-789. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a different connection to consume from another connection's temporary destination. This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue. A flaw was found in Apache ActiveMQ. Temporary destinations, which are designed to be private to a specific connection, can be accessed by other connections due to a missing authorization check. This allows an unauthorized connection to consume messages from another connection's temporary destination, leading to information disclosure. Red Hat products ship Apache ActiveMQ Classic components as transitive dependencies. The vulnerability is in the Classic ActiveMQ broker's temporary destination isolation, where access control is enforced only client-side, allowing a different connection to consume messages from another connection's temporary destination. Red Hat AMQ Broker is based on Apache ActiveMQ Artemis, which has its own temporary destination implementation. The Classic broker's temporary destination logic is not exercised at runtime in Red Hat product deployments. Red Hat severity: Important — CVSS 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L). Weakness: CWE-1220. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work. A flaw was found in brace-expansion. An attacker can exploit a vulnerability in the `expand()` function by providing a specially crafted string. This string, containing consecutive non-expanding brace groups, can trigger exponential-time complexity, leading to significant CPU consumption and event-loop blocking. This can result in a Denial of Service (DoS) for the affected system. A flaw was found in brace-expansion, a widely-used npm package for expanding brace sequences. The expand() function exhibits exponential-time complexity when processing consecutive non-expanding brace groups. An attacker who can supply crafted input to expand(), directly or transitively via minimatch or glob, can cause significant CPU consumption and event-loop blocking, resulting in denial of service. The max option does not mitigate this issue, as it bounds the output size rather than the recursion work. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-1333. Fixed by RHSA-2026:33866, RHSA-2026:34478, RHSA-2026:35272 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images. Will not fix / out of support: OpenShift Service Mesh 2; Red Hat Fuse 7; Red Hat Hardened Images.
decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode() function splits input on '%' producing N tokens and calls decodeComponents(), exhibiting super-linear parsing time: 200 '%ab' tokens takes approximately 0.7s, 700 tokens approximately 6s, and 1400 tokens approximately 33s. An attacker can cause significant CPU consumption and event-loop blocking via crafted input. A flaw was found in the `decode-uri-component` library. This vulnerability allows a remote attacker to trigger a Denial of Service (DoS) by submitting specially crafted input. The `decode()` function, when processing a large number of encoded URI components, consumes excessive CPU resources, which can lead to the application becoming unresponsive and unavailable. A denial of service flaw was found in the decode-uri-component npm package. The decode() function exhibits super-linear time complexity when processing input containing many percent-encoded sequences, allowing an attacker to cause significant CPU consumption and event-loop blocking. In Red Hat products where this package is bundled (OpenShift Console, Quay, Pipelines, RHOAI, and others), exploitation requires that attacker-controlled input containing crafted percent-encoded strings reaches the decode() function without prior length validation. Red Hat rates this as Moderate severity since the impact is limited to availability with no confidentiality or integrity impact, consistent with the CNA's CVSS 4.0 assessment of 6.6 Medium. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-1050. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. The `_UNSAFE_NO_PROTOCOL_RE` regex in `nltk/data.py` checks for literal `../` sequences but fails to account for percent-encoded traversal sequences such as `..%2f`. The `url2pathname()` function decodes these sequences after the validation step, allowing an attacker to bypass the protection. This vulnerability enables an attacker to read arbitrary files accessible to the Python process by controlling the resource name parameter passed to `nltk.data.load()` or `nltk.data.find()`. The issue affects applications that rely on NLTK for resource loading, including NLP web applications, Jupyter notebooks, and CLI tools. The default `pathsec.ENFORCE=False` setting exacerbates the impact by not blocking the file read at the `open()` stage. A flaw was found in NLTK. An attacker can exploit a path traversal vulnerability by providing specially crafted input to `nltk.data.load()` or `nltk.data.find()`. This allows the attacker to read arbitrary files accessible to the Python process, leading to information disclosure. The vulnerability arises from an incomplete fix that fails to account for percent-encoded traversal sequences. A path traversal flaw was found in NLTK's resource loading functions (nltk.data.load() and nltk.data.find()). The vulnerability allows arbitrary file reads when an attacker can control the resource_name parameter by using percent-encoded path separators to bypass validation. In Red Hat products where NLTK is bundled (OpenShift AI, OpenShift Lightspeed, Ansible Automation Platform), the resource loading functions are typically used internally to load pre-packaged NLP models and corpora. Exploitation requires that untrusted user input is passed directly to these functions without additional sanitization. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Weakness: CWE-22. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships. Will not fix / out of support: Red Hat Ansible Automation Platform 2.
It was discovered that Roundcube Webmail was prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. An attacker could use this issue to execute arbitrary web script in the context of an affected user's session. Affected Ubuntu releases: 26.04. CVEs: CVE-2025-68461.
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwrite files in the user's home directory (such as .zshenv), leading to code execution outside of seatbelt sandbox restrictions. Reliably exploiting this required the user to clone a malicious repository containing prompt injection content and run Claude Code against it. This vulnerability is fixed in 2.1.163. A flaw was found in Claude Code, an agentic coding tool, in its handling of worktrees. This vulnerability allowed the creation of specially named worktrees and navigation outside of the intended secure environment, leading to what is known as a 'git directory confusion attack'. By manipulating symbolic links and how git monitors file system changes, an attacker could overwrite important user files, potentially leading to unauthorized code execution on the user's system. This attack requires a user to interact with a malicious code repository. This is an Important vulnerability in Claude Code, an agentic coding tool within OpenShift Lightspeed, stemming from a git directory confusion flaw. The vulnerability allows an attacker to overwrite user configuration files, leading to arbitrary code execution outside of sandbox restrictions. Exploitation requires a user to clone a malicious repository and then execute Claude Code against its contents. Red Hat severity: Important — CVSS 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H). Weakness: CWE-59. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks. A flaw was found in fast-uri. This vulnerability occurs because fast-uri fails to properly convert Unicode (Internationalized Domain Name - IDN) hostnames for HTTP-family URLs. This can lead to a situation where security policies, such as denylists or redirect validations, are bypassed when applications use fast-uri to enforce these policies before passing the URL to another parser. A remote attacker could exploit this to circumvent security controls and potentially access unauthorized resources or perform malicious redirects. This Important flaw in `fast-uri` allows a remote attacker to bypass host-based security policies. Applications that rely on `fast-uri` for URL parsing and policy enforcement, such as denylists or redirect validations, can be circumvented due to inconsistent handling of Unicode hostnames. This discrepancy between `fast-uri` and other URL parsers could lead to unauthorized resource access or malicious redirects in affected Red Hat products. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Weakness: CWE-551. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships. Will not fix / out of support: Red Hat Ansible Automation Platform 2; Red Hat Data Grid 8.
Discuss the latest advisories, swap patch-day notes with other infra teams, and get support — straight from the people who run VulniPulse.
Join the communityIf you want to support server/domain costs, please donate below — much love ❤️
Donate