VulniPulse uses Google Ads measurement to understand visits from advertisements and campaign performance. It runs cookie-free until you choose — accepting enables cookies for more accurate attribution. Rejecting keeps it cookie-free and never limits the site.
See exactly what is measuredComplete feed
Advisories the vendor has revised
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked() When a compressed or sparse attribute has its clusters frame-aligned, vcn is rounded down to the frame start using cmask, which can result in vcn != vcn0. In this case, vcn and vcn0 may reside in different attribute segments. The code already handles the case where vcn is in a different segment by loading its runs before allocation. However, it fails to load runs for vcn0 when vcn0 resides in a different segment than vcn. This causes run_lookup_entry() to return SPARSE_LCN for vcn0 since its segment was never loaded into the in-memory run list, triggering the WARN_ON(1). If vcn0 falls outside the current segment range [svcn, evcn1), find and load the attribute segment containing vcn0 before performing the run lookup. This oversight can lead to a kernel warning (`WARN_ON(1)`) during a run lookup, potentially causing system instability or a Denial of Service (DoS). A local user could trigger this condition. Red Hat severity: not rated. Weakness: CWE-166. Red Hat lists Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9 as not affected.
mTLS enforcement bypass due to HTTP/3 TLS configuration flaw. Red Hat rates this important (CVSS 9.1). Weakness: CWE-289.
Unauthorized access due to mutual TLS bypass. Red Hat rates this important (CVSS 9.1). Weakness: CWE-807.
Authentication bypass in StripPrefix middleware allows unauthorized access to protected paths. Red Hat rates this important (CVSS 9.1). Weakness: CWE-22.
websocket missing authorization allows credential theft via activation_id spoofing. Red Hat rates this critical (CVSS 9.6). Weakness: CWE-862. Red Hat lists fixing advisory RHSA-2026:28376 with package automation-eda-controller-0:1.2.9-2.el9ap, ansible-automation-platform-26/eda-controller-rhel9:1781732675, automation-eda-controller-0:1.1.19-1.el8ap, ansible-automation-platform-25/eda-controller-rhel8:1781741251. Affected products named by the advisory: Red Hat Enterprise Linux 9; Red Hat Enterprise Linux 8.
Denial of Service via deeply nested JSON processing. Red Hat rates this important (CVSS 7.5). Weakness: CWE-1050.
Arbitrary code execution via PolymorphicTypeValidator bypass. Red Hat rates this important (CVSS 8.1). Weakness: CWE-502. Red Hat lists fixing advisory RHSA-2026:36839 with package jackson-databind.
Security bypass allows arbitrary code execution. Red Hat rates this important (CVSS 8.1). Weakness: CWE-184. Red Hat lists fixing advisory RHSA-2026:36839 with package jackson-databind.
Remote client can inject or override identity headers via header normalization. Red Hat rates this important (CVSS 8.1). Weakness: CWE-444.
Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow. Red Hat rates this important (CVSS 7.1). Weakness: CWE-131.
Active Session Hijacking via Insecure Session State Reuse. Red Hat rates this important (CVSS 7.8). Weakness: CWE-287. Red Hat lists fixing advisory RHSA-2026:28438 with package satellite/foreman-mcp-server-rhel9:1782228692.
Arbitrary code execution via SVG decoder command injection. Red Hat rates this important (CVSS 8.1). Weakness: CWE-78. Red Hat lists fixing advisory RHSA-2026:32961 with package ImageMagick-0:6.9.10.68-17.el7_9. Affected product named by the advisory: Red Hat Enterprise Linux 7.
Denial of Service via HTTP/2 Rapid Reset technique. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770.
Denial of Service via crafted SQL statements in sqlo_place_dt_set. Red Hat rates this important (CVSS 7.5). Weakness: CWE-89.
openlink virtuoso-opensource: Denial of Service via crafted SQL statements. Red Hat rates this important (CVSS 7.5). Weakness: CWE-89.
Denial of Service in st_compare component via crafted SQL statements. Red Hat rates this important (CVSS 7.5). Weakness: CWE-89.
Denial of Service via crafted SQL statements. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770.
Python tarfile module: Denial of Service via improper EOF handling in streaming mode. Red Hat rates this moderate (CVSS 6.5). Weakness: CWE-835. Red Hat lists fixing advisory RHSA-2026:35813 with package python3-11-main-3.11.15-4.4.hum1, python3-14-main-3.14.6-1.2.hum1, python3-13-main-3.13.14-1.2.hum1, python3-12-main-3.12.13-3.3.hum1.
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active. This vulnerability is fixed in 2.21.4 and 3.1.4. This vulnerability allows a remote attacker to bypass security view restrictions by sending specially crafted JSON (JavaScript Object Notation) data. The UnwrappedPropertyHandler component, which processes unwrapped properties, incorrectly populates constructor parameters that should be hidden by an active security view. This can lead to unauthorized information disclosure or data manipulation. When processing unwrapped creator properties, the component fails to properly enforce @JsonView annotations, enabling sensitive constructor parameters to be populated from untrusted JSON data. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). Weakness: CWE-639.
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4. A flaw was found in jackson-databind, a library used for processing JSON data. This vulnerability allows a remote attacker to force the application to perform an attacker-chosen DNS (Domain Name System) query. This occurs when untrusted JSON input containing specific network address information is processed, potentially leading to the disclosure of sensitive network configuration details. Moderate: A flaw in `jackson-databind` can lead to information disclosure in Red Hat products that process untrusted JSON input. This eager DNS resolution occurs before application-level validation, potentially revealing internal network configuration details through DNS logs.