Arbitrary code execution via command injection in glob() function
Summary
Arbitrary code execution via command injection in glob() function. Red Hat rates this important (CVSS 7.3). Weakness: CWE-78. Affected package(s): rhcos, rhaiis/vllm-rocm-rhel9:1778244531, rhui5/cds-kubernetes-tp-rhel9:1777459441, rhui5/haproxy-rhel9:1776868744, rhui5/installer-rhel9:1776868772, vim. Resolved in Red Hat advisory RHSA-2026:6915 — update the affected packages (`sudo dnf update`).
- rhcos-414.92.202605060243-0
- rhcos-417.94.202605112123-0
- rhaiis/vllm-rocm-rhel9:1778244531
- rhcos-4.19.9.6.202604080618-0
- rhui5/cds-kubernetes-tp-rhel9:1777459441
- rhui5/haproxy-rhel9:1776868744
- rhui5/installer-rhel9:1776868772
- vim-2:9.1.083-5.el10_0.2
- rhui5/cds-rhel9:1776868774
- vim-2:8.2.2637-23.el9_7.2
- rhaiis/vllm-cuda-rhel9:1775740563
- vim-2:8.0.1763-20.el8_8.1
Official advisory · high-confidence parse· fetched 4 hours ago·verify at source
- RHSA-2026:6915
Official advisory · high-confidence parse· fetched 4 hours ago·verify at source
Mitigation checklist
- Update the affected package(s) to the fixed version shipped in RHSA-2026:6915 (`sudo dnf update` / `yum update`).
Official advisory · high-confidence parse· fetched 4 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.