VulniPulse uses Google Ads measurement to understand visits from advertisements and campaign performance. It runs cookie-free until you choose — accepting enables cookies for more accurate attribution. Rejecting keeps it cookie-free and never limits the site.
See exactly what is measuredComplete feed
1774 advisories across 32 monitored vendors.
Mitigate TLBI errata on various Arm CPUs. Red Hat rates this moderate (CVSS 7). Weakness: CWE-1037.
clear i_sends on setup unwind. Red Hat rates this moderate (CVSS 7). Weakness: CWE-825.
File store write outside working directory via symlink traversal. Red Hat rates this moderate (CVSS 5.3). Weakness: CWE-22.
A flaw was found in oras-go. During the monolithic blob upload process, oras-go reuses the Authorization header for subsequent requests, even if a malicious registry provides a cross-host Location header. This vulnerability allows an attacker-controlled endpoint to receive the caller's credentials, leading to information disclosure. Additionally, it can enable client-side Server-Side Request Forgery (SSRF) to a cross-host target. Red Hat severity: Moderate — CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). Weakness: CWE-522. Under investigation: Gatekeeper 3; Multicluster Global Hub; OpenShift Service Mesh 3; Red Hat Advanced Cluster Management for Kubernetes 2; Red Hat OpenShift Container Platform 4; Red Hat OpenStack Platform 16.2; Red Hat OpenStack Platform 17.1; Red Hat OpenStack Platform 18.0.
A flaw was found in oras-go, a Go library used for managing OCI (Open Container Initiative) artifacts. An attacker can exploit this vulnerability by providing a specially crafted tarball containing a malicious hardlink. When this tarball is extracted, the hardlink can be manipulated to point to files outside the intended extraction location, specifically within the victim's current working directory. This allows an attacker to read sensitive information from the system, and in some cases, could lead to unauthorized access to critical system files if the component is operating with elevated privileges. The ensureLinkPath tar extraction helper validates that a hardlink's target resolves inside the extract base directory, but returns the original unresolved target string instead of the validated path. When os.Link() is called with a relative Linkname, it resolves against the process's current working directory (CWD), not the extract directory. An attacker controlling an OCI registry can craft a tarball layer with a malicious hardlink entry whose relative Linkname escapes the extract directory, creating a hardlink to arbitrary files in the victim's CWD. Exploitation requires the victim to run `oras pull` (or code using the oras-go file store) against an attacker-controlled registry with auto-extract enabled (io.deis.oras.content.unpack annotation set to true).
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify() is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications relying on certificateOIDs to restrict which certificates may sign artifacts can accept unauthorized certificates. This issue is fixed in version 4.1.1. A flaw was found in sigstore. This allows unauthorized certificates to be accepted, bypassing security policies that rely on specific certificate extension object identifiers (OIDs). As a result, applications that depend on this option for security receive no protection, potentially leading to the acceptance of malicious or untrusted artifacts. Red Hat severity: Moderate — CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). Weakness: CWE-345.
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.1.1, @sigstore/verify derives a transparency-log timestamp from tlogEntries[].integratedTime for bundle v0.2 inclusionProof-only entries even though the inclusion proof path does not cryptographically bind integratedTime, allowing an attacker who can supply an untrusted bundle to influence certificate validity and timestampThreshold verification decisions. This issue is fixed in version 3.1.1. A flaw was found in sigstore-js. This could lead to incorrect validation of certificate validity. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N). Weakness: CWE-345. Affected Red Hat products: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9; Red Hat OpenShift Dev Spaces; Red Hat Satellite 6; Self-service automation portal 2. Red Hat does not currently list a fixing RHSA for this CVE.
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. In versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to 3.0.11, ThreadSafeCookieStore stored a cookie under the value of its Domain attribute without verifying that the responding host is allowed to set a cookie for that domain, leading to a cookie tossing / cookie injection issue. A host the client connects to can therefore plant a cookie scoped to an unrelated domain, and the client will then send that cookie on later requests to that domain. Applications that use a single AsyncHttpClient instance - and thus the default, shared CookieStore - to reach both an attacker-influenced host and a trusted host are impacted. This issue has been fixed in versions 2.16.0 and 3.0.11. The ThreadSafeCookieStore component did not properly verify the domain attribute of cookies, allowing a malicious host to set a cookie for an unrelated domain. This could lead to a cookie injection issue, impacting applications that use a single AsyncHttpClient instance to connect to both untrusted and trusted hosts. This Moderate impact flaw in the AsyncHttpClient library, affecting Red Hat Enterprise Application Platform, allows a malicious server to inject cookies for unrelated domains.
containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2.
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-26, an incorrect handling of arguments can cause a heap buffer over-write in the JP2 encoder. This issue has been fixed in version7.1.2-26. This vulnerability could allow an attacker to cause a denial of service (DoS) by providing a specially crafted image, leading to an application crash. Red Hat severity: Moderate — CVSS 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). Weakness: CWE-787. Affected Red Hat products: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7. Will not fix / out of support: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7. Red Hat does not currently list a fixing RHSA for this CVE.
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, when providing invalid arguments to the connected-components option an infinite loop will occur. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26. Successful exploitation of this flaw can lead to a Denial of Service (DoS), making the software unresponsive. Red Hat severity: Moderate — CVSS 4.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H). Weakness: CWE-835. Affected Red Hat products: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7. Will not fix / out of support: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7. Red Hat does not currently list a fixing RHSA for this CVE.
Denial of Service via crafted image in MVG decoder. Red Hat rates this moderate (CVSS 5.3). Weakness: CWE-787.
Heap buffer overflow in MVG decoder allows out-of-bounds write. Red Hat rates this moderate (CVSS 5.9). Weakness: CWE-787.
Denial of Service via crafted 8BIM profile. Red Hat rates this moderate (CVSS 5.5). Weakness: CWE-825.
Information disclosure vulnerability in MNG decoder. Red Hat rates this moderate (CVSS 5.3). Weakness: CWE-908.
Information disclosure via overly permissive file permissions. Red Hat rates this moderate (CVSS 5.5). Weakness: CWE-277.
Denial of Service via integer overflow in XCF decoder. Red Hat rates this moderate (CVSS 6.5). Weakness: CWE-125.
Unauthorized file access due to missing policy checks in concatenate operation. Red Hat rates this moderate (CVSS 6.1). Weakness: CWE-1220.
Arbitrary host file read via symlink following in CRI checkpoint restore. Red Hat rates this important (CVSS 6.5). Weakness: CWE-59. Red Hat lists fixing advisory RHSA-2026:15862 with package syft-main-1.46.0-0.1.hum1, grype-main-0.115.0-0.1.hum1, trivy-main-0.69.3-1.2.hum1.
Arbitrary code execution via CRI checkpoint image tag poisoning. Red Hat rates this moderate (CVSS 6.7). Weakness: CWE-1289. Red Hat lists fixing advisory RHSA-2026:35111 with package trivy-main-0.72.0-0.1.hum1.