VulniPulse uses Google Ads measurement to understand visits from advertisements and campaign performance. It runs cookie-free until you choose — accepting enables cookies for more accurate attribution. Rejecting keeps it cookie-free and never limits the site.
See exactly what is measuredComplete feed
Advisories the vendor has revised
websocket missing authorization allows credential theft via activation_id spoofing. Red Hat rates this critical (CVSS 9.6). Weakness: CWE-862. Red Hat lists fixing advisory RHSA-2026:28376 with package automation-eda-controller-0:1.2.9-2.el9ap, ansible-automation-platform-26/eda-controller-rhel9:1781732675, automation-eda-controller-0:1.1.19-1.el8ap, ansible-automation-platform-25/eda-controller-rhel8:1781741251. Affected products named by the advisory: Red Hat Enterprise Linux 9; Red Hat Enterprise Linux 8.
Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM. Affected versions: Spring Statemachine 4.0.0 through 4.0.1 Spring Statemachine 3.2.0 through 3.2.4
Denial of Service via deeply nested JSON processing. Red Hat rates this important (CVSS 7.5). Weakness: CWE-1050.
Arbitrary code execution via PolymorphicTypeValidator bypass. Red Hat rates this important (CVSS 8.1). Weakness: CWE-502. Red Hat lists fixing advisory RHSA-2026:36839 with package jackson-databind.
Security bypass allows arbitrary code execution. Red Hat rates this important (CVSS 8.1). Weakness: CWE-184. Red Hat lists fixing advisory RHSA-2026:36839 with package jackson-databind.
Remote client can inject or override identity headers via header normalization. Red Hat rates this important (CVSS 8.1). Weakness: CWE-444.
Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow. Red Hat rates this important (CVSS 7.1). Weakness: CWE-131.
Active Session Hijacking via Insecure Session State Reuse. Red Hat rates this important (CVSS 7.8). Weakness: CWE-287. Red Hat lists fixing advisory RHSA-2026:28438 with package satellite/foreman-mcp-server-rhel9:1782228692.
Arbitrary code execution via SVG decoder command injection. Red Hat rates this important (CVSS 8.1). Weakness: CWE-78. Red Hat lists fixing advisory RHSA-2026:32961 with package ImageMagick-0:6.9.10.68-17.el7_9. Affected product named by the advisory: Red Hat Enterprise Linux 7.
Denial of Service via HTTP/2 Rapid Reset technique. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770.
Denial of Service via crafted SQL statements in sqlo_place_dt_set. Red Hat rates this important (CVSS 7.5). Weakness: CWE-89.
openlink virtuoso-opensource: Denial of Service via crafted SQL statements. Red Hat rates this important (CVSS 7.5). Weakness: CWE-89.
Denial of Service in st_compare component via crafted SQL statements. Red Hat rates this important (CVSS 7.5). Weakness: CWE-89.
Denial of Service via crafted SQL statements. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770.
Python tarfile module: Denial of Service via improper EOF handling in streaming mode. Red Hat rates this moderate (CVSS 6.5). Weakness: CWE-835. Red Hat lists fixing advisory RHSA-2026:35813 with package python3-11-main-3.11.15-4.4.hum1, python3-14-main-3.14.6-1.2.hum1, python3-13-main-3.13.14-1.2.hum1, python3-12-main-3.12.13-3.3.hum1.
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active. This vulnerability is fixed in 2.21.4 and 3.1.4. This vulnerability allows a remote attacker to bypass security view restrictions by sending specially crafted JSON (JavaScript Object Notation) data. The UnwrappedPropertyHandler component, which processes unwrapped properties, incorrectly populates constructor parameters that should be hidden by an active security view. This can lead to unauthorized information disclosure or data manipulation. When processing unwrapped creator properties, the component fails to properly enforce @JsonView annotations, enabling sensitive constructor parameters to be populated from untrusted JSON data. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). Weakness: CWE-639.
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4. A flaw was found in jackson-databind, a library used for processing JSON data. This vulnerability allows a remote attacker to force the application to perform an attacker-chosen DNS (Domain Name System) query. This occurs when untrusted JSON input containing specific network address information is processed, potentially leading to the disclosure of sensitive network configuration details. Moderate: A flaw in `jackson-databind` can lead to information disclosure in Red Hat products that process untrusted JSON input. This eager DNS resolution occurs before application-level validation, potentially revealing internal network configuration details through DNS logs.
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4. This vulnerability occurs in the data-binding functionality where properties intended to be ignored are incorrectly restored and become writable again. An attacker could potentially exploit this by providing input that modifies data through these supposedly ignored properties. This could lead to unintended changes in application data, impacting data integrity. This is a Moderate impact flaw in jackson-databind where applications enabling case-insensitive property matching alongside per-property @JsonIgnoreProperties may inadvertently expose fields to unauthorized modification.
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter. This vulnerability is fixed in 3.1.4. This vulnerability allows a remote attacker to bypass security controls by exploiting an issue in how properties are handled when both @JsonProperty (for renaming) and @JsonIgnore (for ignoring) annotations are used. By supplying a specially crafted JSON key, an attacker can directly write to a private data field, circumventing the intended security restrictions and potentially leading to unexpected data modification. Moderate: This flaw in jackson-databind allows for property tampering and mass assignment in Red Hat products. Red Hat severity: Moderate — CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). Weakness: CWE-915.
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4. A remote attacker can exploit this vulnerability due to an issue in how active-view (@JsonView) filters are applied. This can lead to information disclosure, allowing an attacker to access data that should otherwise be restricted. Moderate: A flaw in jackson-databind allows for information disclosure and an access-control bypass. This occurs because the `@JsonView` filter, intended to restrict data visibility, is not correctly applied to setterless collection and map properties during deserialization. An attacker could exploit this to populate view-restricted properties from untrusted JSON, potentially accessing sensitive data that should be excluded by the active view.