VulniPulse uses Google Ads measurement to understand visits from advertisements and campaign performance. It runs cookie-free until you choose — accepting enables cookies for more accurate attribution. Rejecting keeps it cookie-free and never limits the site.
See exactly what is measuredComplete feed
Critical/high still unreviewed, or CISA KEV listed
Denial of Service via malformed speculative decoding workload. Red Hat rates this important (CVSS 7.5). Weakness: CWE-125. Affected products named by the advisory: Red Hat AI Inference Server; Red Hat Enterprise Linux AI (RHEL AI) 3; Red Hat OpenShift AI (RHOAI).
Denial of Service via crafted BDF font file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770. Affected products named by the advisory: Exploit Intelligence; Lightspeed Core; OpenShift Lightspeed; Red Hat AI Inference Server; and 7 more.
Denial of Service via crafted GD 2.x image file. Red Hat rates this important (CVSS 7.5). Weakness: CWE-1285. Affected products named by the advisory: Exploit Intelligence; Lightspeed Core; OpenShift Lightspeed; Red Hat AI Inference Server; and 7 more.
Denial of Service via excessive memory allocation when processing font files. Red Hat rates this important (CVSS 7.5). Weakness: CWE-1050. Affected products named by the advisory: Exploit Intelligence; Lightspeed Core; OpenShift Lightspeed; Red Hat AI Inference Server; and 7 more.
Denial of Service via crafted PCF font data. Red Hat rates this important (CVSS 7.5). Weakness: CWE-409. Affected products named by the advisory: Red Hat Ansible Automation Platform 2; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Satellite 6.
Untrusted Java Deserialization in Apache OpenNLP SvmDoccatModel Versions Affected: before 3.0.0-M4 (libsvm document categorization module; introduced in OPENNLP-1808 and only present on the 3.x line) Description: SvmDoccatModel.deserialize(InputStream) reads an attacker-controlled stream with java.io.ObjectInputStream and calls readObject() without an ObjectInputFilter installed. ObjectInputStream materialises every class referenced in the stream before the resulting object is cast to SvmDoccatModel, so the cast that follows readObject() executes only after the foreign object graph has already been deserialised in full. If a Java deserialization gadget chain is available on the consumer's classpath, a crafted payload supplied to deserialize() executes arbitrary code in the JVM that loads it. Apache OpenNLP itself does not ship a known gadget chain, so the realistic risk is to downstream applications that embed the libsvm module alongside vulnerable transitive dependencies. The method is public and static, so any caller can pass an untrusted stream to it directly. The practical impact is remote code execution against processes that load SvmDoccatModel instances from untrusted or semi-trusted origins. Mitigation: 3.x users should upgrade to 3.0.0-M4.
Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config. Red Hat rates this important (CVSS 8.2). Affected products named by the advisory: Red Hat Enterprise Linux; Red Hat AMQ Broker 7; Red Hat Build of Keycloak; Red Hat JBoss Enterprise Application Platform 8; and 1 more.
patch-remove could delete project-selected files outside the patches directory. Red Hat rates this important (CVSS 7.1). Weakness: CWE-22. Affected products named by the advisory: Red Hat Enterprise Linux; Red Hat AMQ Broker 7; Red Hat Build of Keycloak; Red Hat JBoss Enterprise Application Platform 8; and 1 more.
A flaw was found in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central, resulting in a denial of service for the management plane. Red Hat Product Security is aware of this issue affecting RHACS Central. Red Hat is not aware of malicious exploitation of this issue outside of coordinated testing. Updates addressing this issue will be released according to the RHACS support lifecycle. Refer to the associated errata when available for affected versions and update instructions. Red Hat severity: Important — CVSS 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H). Weakness: CWE-400. Red Hat fixing advisory: RHSA-2026:36625, RHSA-2026:36207, RHSA-2026:36319. Affected products named by the advisory: Red Hat Advanced Cluster Security for Kubernetes 4.10; Red Hat Advanced Cluster Security for Kubernetes 4.11; Red Hat Advanced Cluster Security for Kubernetes 4.9.
Apache Camel JMS components: Arbitrary Exchange state injection. Red Hat rates this important (CVSS 8.1). Weakness: CWE-502. Affected products named by the advisory: Red Hat Enterprise Linux; Red Hat build of Apache Camel 4 for Quarkus 3; Red Hat build of Apache Camel for Spring Boot 4.
Server-Side Request Forgery and sensitive data exposure. Red Hat rates this important (CVSS 8.2). Weakness: CWE-918. Affected products named by the advisory: Red Hat Enterprise Linux; Red Hat build of Apache Camel 4 for Quarkus 3; Red Hat build of Apache Camel for Spring Boot 4.
Remote attacker can execute unintended operations via header manipulation. Red Hat rates this important (CVSS 7.5). Weakness: CWE-639. Affected products named by the advisory: Red Hat Enterprise Linux; Red Hat build of Apache Camel 4 for Quarkus 3; Red Hat build of Apache Camel for Spring Boot 4; Red Hat JBoss Enterprise Application Platform Expansion Pack.
Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Camel Mail Component. The camel-mail producer (MailProducer.getSender) scanned the outgoing Exchange for message headers in the mail.smtp. / mail.smtps. namespace and, when any were present, built a per-message JavaMail sender with those values applied as JavaMail session properties, overriding the endpoint configuration. This namespace is Camel-internal - only MailProducer interprets it - and was not blocked by any HeaderFilterStrategy, so the values could originate from any inbound protocol (for example platform-http query parameters or request headers, or JMS / Kafka messages from untrusted producers) that feeds a route ending in an smtp / smtps producer without an intervening removeHeaders.
Apache Camel (camel-vertx-http): Remote Code Execution via Deserialization of Untrusted Data. Red Hat rates this important (CVSS 8.1). Weakness: CWE-502. Affected products named by the advisory: Red Hat Enterprise Linux; Red Hat build of Apache Camel 4 for Quarkus 3; Red Hat build of Apache Camel for Spring Boot 4; Red Hat JBoss Enterprise Application Platform Expansion Pack.
Crypt::DSA: Crypt::DSA: Private key recovery due to biased random number generation. Red Hat rates this important (CVSS 7.5). Weakness: CWE-338. Affected product named by the advisory: Red Hat Enterprise Linux.
Arbitrary code execution via pickle deserialization bypass. Red Hat rates this important (CVSS 8.8). Weakness: CWE-693. Affected products named by the advisory: Red Hat Enterprise Linux; Exploit Intelligence.
Arbitrary code execution due to incomplete denylist in deserialization. Red Hat rates this important (CVSS 8.8). Weakness: CWE-184. Affected products named by the advisory: Red Hat Enterprise Linux; Exploit Intelligence; Red Hat Hardened Images.
Arbitrary Code Execution via Untrusted JAR File Loading. Red Hat rates this important (CVSS 7.8). Weakness: CWE-347. Affected products named by the advisory: Red Hat Enterprise Linux; OpenShift Lightspeed; Red Hat OpenShift AI (RHOAI); Exploit Intelligence; and 1 more.
In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation path In __ip6_append_data(), when the paged-allocation branch is taken (MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are computed as alloclen = fragheaderlen + transhdrlen; pagedlen = datalen - transhdrlen; datalen already includes fraggap (datalen = length + fraggap). When fraggap is non-zero, this is not the first skb and transhdrlen is zero. The fraggap bytes carried over from the previous skb are copied just past the fragment headers in the new skb's linear area. The linear area is therefore undersized by fraggap bytes while pagedlen is overstated by the same amount, and the copy writes past skb->end into the trailing skb_shared_info. An unprivileged user can trigger this via a UDPv6 socket using MSG_MORE together with MSG_SPLICE_PAGES. The bad accounting was introduced by commit 773ba4fe9104 ("ipv6: avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix __ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative copy value caused -EINVAL to be returned. That later commit allowed MSG_SPLICE_PAGES to proceed in this case, making the corruption triggerable. After this adjustment, copy no longer collapses to -fraggap on the paged path, so remove the stale comment describing that old arithmetic.
Fix shadow paging use-after-free due to unexpected role. Red Hat rates this important (CVSS 7.8). Weakness: CWE-825. Red Hat lists fixing advisory RHSA-2026:36957 with package kernel-0:6.12.0-211.32.1.el10_2, kernel-0:5.14.0-427.137.1.el9_4, kernel-0:5.14.0-687.24.1.el9_8. Affected products named by the advisory: Red Hat Enterprise Linux 1; Red Hat Enterprise Linux 9. Affected products named by the advisory: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; and 1 more.