VulniPulse uses Google Ads measurement to understand visits from advertisements and campaign performance. It runs cookie-free until you choose — accepting enables cookies for more accurate attribution. Rejecting keeps it cookie-free and never limits the site.
See exactly what is measuredComplete feed
Advisories the vendor has revised
Request desynchronization allows security policy bypass via HTTP/3 to HTTP/1 translation. Red Hat rates this important (CVSS 7.5). Weakness: CWE-444.
Denial of Service via specially crafted zstd payload. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770.
Denial of Service via deeply nested JSON objects. Red Hat rates this important (CVSS 7.5). Weakness: CWE-776.
Arbitrary file write and information disclosure via symlink validation bypass. Red Hat rates this important (CVSS 8.1). Weakness: CWE-22.
Information disclosure via malicious container image environment variables. Red Hat rates this important (CVSS 7.5). Weakness: CWE-914. Red Hat lists fixing advisory RHSA-2026:37123 with package podman-7:5.8.2-4.el10_2, podman-6:5.8.2-4.el9_8, podman-main-6.0.0-1.hum1, container-tools:rhel8-8100020260709093628.afee755d. Affected products named by the advisory: Red Hat Enterprise Linux 1; Red Hat Enterprise Linux 9.
Unsafe URI and Path Handling in HTML Backend. Red Hat rates this important (CVSS 7.1). Weakness: CWE-22.
Unauthenticated remote information disclosure vulnerability in Ollama's model quantization engine allows an attacker to read and exfiltrate the server's heap memory, potentially leading to sensitive data exposure, further compromise, and stealthy persistence. This vulnerability is rated Important due to the potential for remote exploitation without authentication. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Weakness: CWE-825. Red Hat lists Migration Toolkit for Applications 8; Red Hat Ansible Automation Platform 2; Red Hat build of Debezium 3; Red Hat OpenShift AI (RHOAI); Red Hat Trusted Profile Analyzer as not affected.
Kerberos pre-authentication bypass via unrecognized PA-DATA. Red Hat rates this important (CVSS 7.3). Weakness: CWE-358.
A flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. This listener proxies directly into the target virt-launcher's virtqemud control socket. An attacker with a running pod on the cluster network can connect to this listener and issue unfiltered libvirt RPC commands against another tenant's virtual machine, including reading VM memory and configuration, modifying VM state via QMP, or destroying the VM. The bind address is unconditionally 0.0.0.0 — configuring a dedicated migration network via migrations.network only changes the advertised migration IP, not the listener bind address, so the port remains reachable on the pod network even when a dedicated migration network is configured. The API documentation describes disableTLS as removing "the additional layer of live migration encryption" without disclosing that it also removes all mutual authentication. Red Hat rates this flaw as Moderate impact for OpenShift Virtualization. The disableTLS setting is off by default, can only be enabled by a cluster-admin on the KubeVirt custom resource, and cannot be enabled by tenants through the MigrationPolicy API.
Denial of Service via large input to subtle.encrypt(). Red Hat rates this important (CVSS 7.5). Weakness: CWE-770. Red Hat lists fixing advisory RHSA-2026:35892 with package nodejs20-main-20.20.2-1.hum1, nodejs22-main-22.23.1-1.hum1, nodejs24-main-24.18.0-0.1.hum1, nodejs26-main-26.4.0-1.2.hum1. Affected product named by the advisory: Red Hat Enterprise Linux 1.
Authentication bypass due to TLS hostname handling and unicode dot separator mismatch. Red Hat rates this important (CVSS 7.7). Weakness: CWE-289. Red Hat lists fixing advisory RHSA-2026:35892 with package nodejs20-main-20.20.2-1.hum1, nodejs22-main-22.23.1-1.hum1, nodejs24-main-24.18.0-0.1.hum1, nodejs26-main-26.4.0-1.2.hum1. Affected product named by the advisory: Red Hat Enterprise Linux 1.
Clean up DMABUFs before disabling function. Red Hat rates this important (CVSS 7). Weakness: CWE-826.
Avoid NULL pointer dereference or refcount corruption. Red Hat rates this important (CVSS 7).
In the Linux kernel, the following vulnerability has been resolved: drm/xe/eustall: Fix drm_dev_put called before stream disable in close In xe_eu_stall_stream_close(), drm_dev_put() is called before the stream is disabled and its resources are freed. If this drops the last reference, the device structures could be freed while the subsequent cleanup code still accesses them, leading to a use-after-free. Fix this by moving drm_dev_put() after all device accesses are complete. This matches the ordering in xe_oa_release(). (cherry picked from commit 35aff528f7297e949e5e19c9cd7fd748cf1cf21c) This timing issue can lead to a use-after-free condition, where device structures might be accessed after they have been deallocated. A local attacker could potentially exploit this to cause system instability or a denial of service (DoS). Red Hat severity: Moderate — CVSS 7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-825. Affected Red Hat products: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 9. Red Hat does not currently list a fixing RHSA for this CVE.
In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison The local-vs-remote region comparison loop uses '<=' instead of '<', causing it to read one entry past the valid range of qr_regions. The other loops in the same function correctly use '<'. Fix the loop condition to use '<' for consistency and correctness. A flaw was found in the Linux kernel's OCFS2 Distributed Lock Manager (DLM) component. This out-of-bounds read could lead to system instability or crashes. Red Hat severity: Important — CVSS 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L). Weakness: CWE-125. Red Hat lists Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9 as not affected.
Package Import Signature Validation Bypass Allows Self-Signed Packages. Red Hat rates this important (CVSS 8.8). Weakness: CWE-347.
Integer overflow in Mojo. Red Hat rates this important (CVSS 8.7). Weakness: CWE-190.
Remote Code Execution via NTLM Authentication Stack Buffer Overflow. Red Hat rates this important (CVSS 7.5). Weakness: CWE-120.
pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. The lockfile does not store the hash of the dependencies from https://codeload.github.com. This means that if this server was compromised or a person's machine configuration was compromised, pnpm would download and install these dependencies. This vulnerability is fixed in 10.33.4 and 11.0.7. This vulnerability allows a remote attacker to serve malicious software packages if the `codeload.github.com` server is compromised or a user's machine configuration is tampered with. This could lead to the installation of unverified and potentially malicious code, resulting in arbitrary code execution on the affected system. This Important vulnerability in pnpm, as shipped in Red Hat products, exposes users to supply chain attacks by failing to verify the integrity of dependencies sourced from `codeload.github.com`. This risk is heightened in environments where developers rely on GitHub git dependencies without additional integrity checks. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). Weakness: CWE-494. Affected Red Hat products: Red Hat Build of Keycloak.
pnpm is a package manager. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. This vulnerability is fixed in 10.34.0 and 11.4.0. This vulnerability allows a malicious registry package to include specially crafted dependency aliases that contain path traversal segments. During the installation process, pnpm incorrectly processes these aliases, which can lead to the replacement of legitimate project paths with symbolic links (symlinks) pointing to directories controlled by an attacker. This could enable an attacker to execute arbitrary code or manipulate project files, severely impacting the integrity and security of the project. During installation, even with `--ignore-scripts`, specially crafted dependency aliases can lead to path traversal, replacing legitimate project files with symlinks to attacker-controlled directories. This bypasses expected security measures and can compromise the integrity of a project when subsequent commands are executed. Red Hat severity: Important — CVSS 8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). Weakness: CWE-22. Affected Red Hat products: Red Hat Build of Keycloak. Red Hat lists Red Hat AMQ Broker 7; Red Hat JBoss Enterprise Application Platform 8; Red Hat JBoss Enterprise Application Platform Expansion Pack as not affected. Red Hat does not currently list a fixing RHSA for this CVE.