Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-61140 (GCVE-0-2025-61140)
Vulnerability from cvelistv5 – Published: 2026-01-28 00:00 – Updated: 2026-01-29 15:16
VLAI?
EPSS
Summary
The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.
Severity ?
9.8 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61140",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T15:14:47.234312Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T15:16:15.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:55:42.516Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/dchester/jsonpath"
},
{
"url": "https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-61140",
"datePublished": "2026-01-28T00:00:00.000Z",
"dateReserved": "2025-09-26T00:00:00.000Z",
"dateUpdated": "2026-01-29T15:16:15.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-61140\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2026-01-28T16:16:13.547\",\"lastModified\":\"2026-02-09T19:06:19.203\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dchester:jsonpath:1.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D5AD03C5-77EE-43F4-8F1E-1AB0757FE7C1\"}]}]}],\"references\":[{\"url\":\"https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/dchester/jsonpath\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-61140\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-29T15:14:47.234312Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1321\", \"description\": \"CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-29T15:16:09.323Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://github.com/dchester/jsonpath\"}, {\"url\": \"https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2026-01-28T15:55:42.516Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-61140\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-29T15:16:15.666Z\", \"dateReserved\": \"2025-09-26T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2026-01-28T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
WID-SEC-W-2026-0526
Vulnerability from csaf_certbund - Published: 2026-02-25 23:00 - Updated: 2026-03-02 23:00Summary
IBM App Connect Enterprise: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM App Connect Enterprise kombiniert die branchenbewährten Technologien des IBM Integration Bus mit Cloud-nativen Technologien.
Angriff
Ein Angreifer kann mehrere Schwachstellen in IBM App Connect Enterprise ausnutzen, um Daten zu manipulieren, und um einen Denial of Service Angriff durchzuführen.
Betroffene Betriebssysteme
- Linux
- Sonstiges
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "IBM App Connect Enterprise kombiniert die branchenbew\u00e4hrten Technologien des IBM Integration Bus mit Cloud-nativen Technologien.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in IBM App Connect Enterprise ausnutzen, um Daten zu manipulieren, und um einen Denial of Service Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0526 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0526.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0526 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0526"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7261765 vom 2026-02-25",
"url": "https://www.ibm.com/support/pages/node/7261765"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7262274 vom 2026-03-02",
"url": "https://www.ibm.com/support/pages/node/7262274"
}
],
"source_lang": "en-US",
"title": "IBM App Connect Enterprise: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-03-02T23:00:00.000+00:00",
"generator": {
"date": "2026-03-03T09:33:00.950+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0526",
"initial_release_date": "2026-02-25T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-02-25T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-03-02T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "IBM App Connect Enterprise",
"product": {
"name": "IBM App Connect Enterprise",
"product_id": "T032495",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:app_connect_enterprise:-"
}
}
},
{
"category": "product_version_range",
"name": "\u003c13.0.6.2",
"product": {
"name": "IBM App Connect Enterprise \u003c13.0.6.2",
"product_id": "T051233"
}
},
{
"category": "product_version",
"name": "13.0.6.2",
"product": {
"name": "IBM App Connect Enterprise 13.0.6.2",
"product_id": "T051233-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:app_connect_enterprise:13.0.6.2"
}
}
},
{
"category": "product_version_range",
"name": "\u003c12.0.12.23",
"product": {
"name": "IBM App Connect Enterprise \u003c12.0.12.23",
"product_id": "T051234"
}
},
{
"category": "product_version",
"name": "12.0.12.23",
"product": {
"name": "IBM App Connect Enterprise 12.0.12.23",
"product_id": "T051234-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:app_connect_enterprise:12.0.12.23"
}
}
}
],
"category": "product_name",
"name": "App Connect Enterprise"
}
],
"category": "vendor",
"name": "IBM"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61140",
"product_status": {
"known_affected": [
"T051234",
"T032495",
"T051233"
]
},
"release_date": "2026-02-25T23:00:00.000+00:00",
"title": "CVE-2025-61140"
},
{
"cve": "CVE-2026-24001",
"product_status": {
"known_affected": [
"T051234",
"T032495",
"T051233"
]
},
"release_date": "2026-02-25T23:00:00.000+00:00",
"title": "CVE-2026-24001"
},
{
"cve": "CVE-2026-25128",
"product_status": {
"known_affected": [
"T051234",
"T032495",
"T051233"
]
},
"release_date": "2026-02-25T23:00:00.000+00:00",
"title": "CVE-2026-25128"
},
{
"cve": "CVE-2026-25547",
"product_status": {
"known_affected": [
"T051234",
"T032495",
"T051233"
]
},
"release_date": "2026-02-25T23:00:00.000+00:00",
"title": "CVE-2026-25547"
}
]
}
GHSA-6C59-MWGH-R2X6
Vulnerability from github – Published: 2026-01-28 18:30 – Updated: 2026-02-05 16:14
VLAI?
Summary
JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js
Details
The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "jsonpath"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61140"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-02T14:09:06Z",
"nvd_published_at": "2026-01-28T16:16:13Z",
"severity": "MODERATE"
},
"details": "The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.",
"id": "GHSA-6c59-mwgh-r2x6",
"modified": "2026-02-05T16:14:30Z",
"published": "2026-01-28T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61140"
},
{
"type": "WEB",
"url": "https://github.com/dchester/jsonpath/issues/181"
},
{
"type": "WEB",
"url": "https://github.com/dchester/jsonpath/issues/194"
},
{
"type": "WEB",
"url": "https://github.com/dchester/jsonpath/pull/195"
},
{
"type": "WEB",
"url": "https://github.com/dchester/jsonpath/commit/9631412641b7095f86840a7a45b5b3afc68b0fcb"
},
{
"type": "WEB",
"url": "https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d"
},
{
"type": "PACKAGE",
"url": "https://github.com/dchester/jsonpath"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js"
}
RHSA-2026:2181
Vulnerability from csaf_redhat - Published: 2026-02-05 18:57 - Updated: 2026-02-18 04:19Summary
Red Hat Security Advisory: Self-service automation portal 2.1 security update
Notes
Topic
Updated images are now available for Self-service automation portal 2.1, which include new features, bug fixes, and enhancements for Red Hat Ansible Automation Platform integration with Red Hat Developer Hub.
Details
Self-service automation portal 2.1 delivers an Ansible-first Red Hat Developer Hub
user experience that simplifies the automation experience for Ansible users of all skill levels.
The Ansible plug-ins provide curated content and features to accelerate Ansible learner
onboarding and streamline Ansible use case adoption across your organization.
Security Fix(es):
* automation-portal
* CVE-2025-61140
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Self-service automation portal 2.1, which include new features, bug fixes, and enhancements for Red Hat Ansible Automation Platform integration with Red Hat Developer Hub.",
"title": "Topic"
},
{
"category": "general",
"text": "Self-service automation portal 2.1 delivers an Ansible-first Red Hat Developer Hub\nuser experience that simplifies the automation experience for Ansible users of all skill levels.\nThe Ansible plug-ins provide curated content and features to accelerate Ansible learner\nonboarding and streamline Ansible use case adoption across your organization.\nSecurity Fix(es):\n * automation-portal \n * CVE-2025-61140",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:2181",
"url": "https://access.redhat.com/errata/RHSA-2026:2181"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-61140",
"url": "https://access.redhat.com/security/cve/CVE-2025-61140"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform",
"url": "https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2181.json"
}
],
"title": "Red Hat Security Advisory: Self-service automation portal 2.1 security update",
"tracking": {
"current_release_date": "2026-02-18T04:19:55+00:00",
"generator": {
"date": "2026-02-18T04:19:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.1"
}
},
"id": "RHSA-2026:2181",
"initial_release_date": "2026-02-05T18:57:03+00:00",
"revision_history": [
{
"date": "2026-02-05T18:57:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-05T18:57:28+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-02-18T04:19:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Self-service automation portal 2.1",
"product": {
"name": "Self-service automation portal 2.1",
"product_id": "Self-service automation portal 2.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ansible_portal:2.1"
}
}
}
],
"category": "product_family",
"name": "Self-service automation portal"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64",
"product": {
"name": "registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64",
"product_id": "registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64",
"product_identification_helper": {
"purl": "pkg:oci/automation-portal@sha256%3A140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76?arch=amd64\u0026repository_url=registry.redhat.io/ansible-automation-platform\u0026tag=1770282458"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64 as a component of Self-service automation portal 2.1",
"product_id": "Self-service automation portal 2.1:registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64"
},
"product_reference": "registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64",
"relates_to_product_reference": "Self-service automation portal 2.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61140",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2026-01-28T17:00:46.678419+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2433946"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jsonpath. The `value` function is vulnerable to Prototype Pollution, a type of vulnerability that allows an attacker to inject or modify properties of an object\u0027s prototype. This can lead to various impacts, including arbitrary code execution, privilege escalation, or denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jsonpath: jsonpath: Prototype Pollution vulnerability in the value function",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Self-service automation portal 2.1:registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61140"
},
{
"category": "external",
"summary": "RHBZ#2433946",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433946"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61140",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61140"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61140",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61140"
},
{
"category": "external",
"summary": "https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d",
"url": "https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d"
},
{
"category": "external",
"summary": "https://github.com/dchester/jsonpath",
"url": "https://github.com/dchester/jsonpath"
}
],
"release_date": "2026-01-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-05T18:57:03+00:00",
"details": "For more about Ansible plugins for Red Hat Developer Hub, see References links",
"product_ids": [
"Self-service automation portal 2.1:registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2181"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Self-service automation portal 2.1:registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jsonpath: jsonpath: Prototype Pollution vulnerability in the value function"
}
]
}
RHSA-2026:2180
Vulnerability from csaf_redhat - Published: 2026-02-05 18:48 - Updated: 2026-02-18 04:19Summary
Red Hat Security Advisory: Self-service automation portal 2.0 security update
Notes
Topic
Updated images are now available for Self-service automation portal 2.0, which include new features, bug fixes, and enhancements for Red Hat Ansible Automation Platform integration with Red Hat Developer Hub.
Details
Self-service automation portal 2.0 delivers an Ansible-first Red Hat Developer Hub
user experience that simplifies the automation experience for Ansible users of all skill levels.
The Ansible plug-ins provide curated content and features to accelerate Ansible learner
onboarding and streamline Ansible use case adoption across your organization.
Security Fix(es):
* automation-portal
* CVE-2025-61140
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Self-service automation portal 2.0, which include new features, bug fixes, and enhancements for Red Hat Ansible Automation Platform integration with Red Hat Developer Hub.",
"title": "Topic"
},
{
"category": "general",
"text": "Self-service automation portal 2.0 delivers an Ansible-first Red Hat Developer Hub\nuser experience that simplifies the automation experience for Ansible users of all skill levels.\nThe Ansible plug-ins provide curated content and features to accelerate Ansible learner\nonboarding and streamline Ansible use case adoption across your organization.\nSecurity Fix(es):\n * automation-portal \n * CVE-2025-61140",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:2180",
"url": "https://access.redhat.com/errata/RHSA-2026:2180"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-61140",
"url": "https://access.redhat.com/security/cve/CVE-2025-61140"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform",
"url": "https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2180.json"
}
],
"title": "Red Hat Security Advisory: Self-service automation portal 2.0 security update",
"tracking": {
"current_release_date": "2026-02-18T04:19:54+00:00",
"generator": {
"date": "2026-02-18T04:19:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.1"
}
},
"id": "RHSA-2026:2180",
"initial_release_date": "2026-02-05T18:48:32+00:00",
"revision_history": [
{
"date": "2026-02-05T18:48:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-05T18:48:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-02-18T04:19:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Self-service automation portal 2.0",
"product": {
"name": "Self-service automation portal 2.0",
"product_id": "Self-service automation portal 2.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ansible_portal:2.0"
}
}
}
],
"category": "product_family",
"name": "Self-service automation portal"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ansible-automation-platform/automation-portal@sha256:5ba75c11ba1f6f1b395bc4b6e05c7f543efa16f7d71d75201cabe56a82ff53d8_amd64",
"product": {
"name": "registry.redhat.io/ansible-automation-platform/automation-portal@sha256:5ba75c11ba1f6f1b395bc4b6e05c7f543efa16f7d71d75201cabe56a82ff53d8_amd64",
"product_id": "registry.redhat.io/ansible-automation-platform/automation-portal@sha256:5ba75c11ba1f6f1b395bc4b6e05c7f543efa16f7d71d75201cabe56a82ff53d8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/automation-portal@sha256%3A5ba75c11ba1f6f1b395bc4b6e05c7f543efa16f7d71d75201cabe56a82ff53d8?arch=amd64\u0026repository_url=registry.redhat.io/ansible-automation-platform\u0026tag=1770281704"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ansible-automation-platform/automation-portal@sha256:5ba75c11ba1f6f1b395bc4b6e05c7f543efa16f7d71d75201cabe56a82ff53d8_amd64 as a component of Self-service automation portal 2.0",
"product_id": "Self-service automation portal 2.0:registry.redhat.io/ansible-automation-platform/automation-portal@sha256:5ba75c11ba1f6f1b395bc4b6e05c7f543efa16f7d71d75201cabe56a82ff53d8_amd64"
},
"product_reference": "registry.redhat.io/ansible-automation-platform/automation-portal@sha256:5ba75c11ba1f6f1b395bc4b6e05c7f543efa16f7d71d75201cabe56a82ff53d8_amd64",
"relates_to_product_reference": "Self-service automation portal 2.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61140",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2026-01-28T17:00:46.678419+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2433946"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jsonpath. The `value` function is vulnerable to Prototype Pollution, a type of vulnerability that allows an attacker to inject or modify properties of an object\u0027s prototype. This can lead to various impacts, including arbitrary code execution, privilege escalation, or denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jsonpath: jsonpath: Prototype Pollution vulnerability in the value function",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Self-service automation portal 2.0:registry.redhat.io/ansible-automation-platform/automation-portal@sha256:5ba75c11ba1f6f1b395bc4b6e05c7f543efa16f7d71d75201cabe56a82ff53d8_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61140"
},
{
"category": "external",
"summary": "RHBZ#2433946",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433946"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61140",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61140"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61140",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61140"
},
{
"category": "external",
"summary": "https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d",
"url": "https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d"
},
{
"category": "external",
"summary": "https://github.com/dchester/jsonpath",
"url": "https://github.com/dchester/jsonpath"
}
],
"release_date": "2026-01-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-05T18:48:32+00:00",
"details": "For more about Ansible plugins for Red Hat Developer Hub, see References links",
"product_ids": [
"Self-service automation portal 2.0:registry.redhat.io/ansible-automation-platform/automation-portal@sha256:5ba75c11ba1f6f1b395bc4b6e05c7f543efa16f7d71d75201cabe56a82ff53d8_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2180"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Self-service automation portal 2.0:registry.redhat.io/ansible-automation-platform/automation-portal@sha256:5ba75c11ba1f6f1b395bc4b6e05c7f543efa16f7d71d75201cabe56a82ff53d8_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jsonpath: jsonpath: Prototype Pollution vulnerability in the value function"
}
]
}
CERTFR-2026-AVI-0224
Vulnerability from certfr_avis - Published: 2026-02-27 - Updated: 2026-02-27
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
IBM indique les versions correctives 9.0.5.27 et 26.0.0.3 pour WebSphere Application Server seront disponibles au cours du premier trimestre 2026. La version 8.5.5.30 sera disponible au troisième trimestre 2026.
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | WebSphere | WebSphere Application Server versions 8.x antérieures à 8.5.5.30 | ||
| IBM | WebSphere | WebSphere Application Server - Liberty versions antérieures à 26.0.0.3 | ||
| IBM | QRadar Assistant | QRadar AI Assistant versions antérieures à 1.3.1 | ||
| IBM | Sterling | Sterling Secure Proxy versions 6.1.x antérieures à 6.1.0.3 GA | ||
| IBM | QRadar | QRadar SIEM versions 7.5.x antérieures à 7.5.0 UP14 IF05 | ||
| IBM | Sterling | Sterling Transformation Extender sans l'application des mesures de contournement décrites par l'éditeur | ||
| IBM | Sterling | Sterling Secure Proxy versions 6.2.1.x antérieures à 6.2.1.1 GA | ||
| IBM | Db2 | Db2 mirror pour i sans les derniers correctifs de sécurité | ||
| IBM | WebSphere | WebSphere Application Server versions 9.x antérieures à 9.0.5.27 | ||
| IBM | Sterling | Sterling Secure Proxy versions 6.2.x antérieures à 6.2.0.3 GA | ||
| IBM | Cognos Command Center | Cognos Command Center versions antérieures à 10.2.5 FP1 IF3 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "WebSphere Application Server versions 8.x ant\u00e9rieures \u00e0 8.5.5.30",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "WebSphere Application Server - Liberty versions ant\u00e9rieures \u00e0 26.0.0.3",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar AI Assistant versions ant\u00e9rieures \u00e0 1.3.1",
"product": {
"name": "QRadar Assistant",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Secure Proxy versions 6.1.x ant\u00e9rieures \u00e0 6.1.0.3 GA",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar SIEM versions 7.5.x ant\u00e9rieures \u00e0 7.5.0 UP14 IF05",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Transformation Extender sans l\u0027application des mesures de contournement d\u00e9crites par l\u0027\u00e9diteur",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Secure Proxy versions 6.2.1.x ant\u00e9rieures \u00e0 6.2.1.1 GA",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Db2 mirror pour i sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "WebSphere Application Server versions 9.x ant\u00e9rieures \u00e0 9.0.5.27",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Secure Proxy versions 6.2.x ant\u00e9rieures \u00e0 6.2.0.3 GA",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Cognos Command Center versions ant\u00e9rieures \u00e0 10.2.5 FP1 IF3",
"product": {
"name": "Cognos Command Center",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "IBM indique les versions correctives 9.0.5.27 et 26.0.0.3 pour WebSphere Application Server seront disponibles au cours du premier trimestre 2026. La version 8.5.5.30 sera disponible au troisi\u00e8me trimestre 2026.",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-21933",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21933"
},
{
"name": "CVE-2026-21932",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21932"
},
{
"name": "CVE-2025-12816",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12816"
},
{
"name": "CVE-2025-68973",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68973"
},
{
"name": "CVE-2025-65106",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-65106"
},
{
"name": "CVE-2026-22610",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22610"
},
{
"name": "CVE-2025-66412",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66412"
},
{
"name": "CVE-2025-40240",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40240"
},
{
"name": "CVE-2025-69223",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69223"
},
{
"name": "CVE-2025-66035",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66035"
},
{
"name": "CVE-2025-68664",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68664"
},
{
"name": "CVE-2026-22701",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22701"
},
{
"name": "CVE-2026-23745",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23745"
},
{
"name": "CVE-2026-22690",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22690"
},
{
"name": "CVE-2025-15284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15284"
},
{
"name": "CVE-2025-69230",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69230"
},
{
"name": "CVE-2025-66019",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66019"
},
{
"name": "CVE-2026-21925",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21925"
},
{
"name": "CVE-2025-66031",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66031"
},
{
"name": "CVE-2025-69225",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69225"
},
{
"name": "CVE-2026-21860",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21860"
},
{
"name": "CVE-2025-40277",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40277"
},
{
"name": "CVE-2023-53673",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53673"
},
{
"name": "CVE-2026-1615",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1615"
},
{
"name": "CVE-2025-69227",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69227"
},
{
"name": "CVE-2026-1188",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1188"
},
{
"name": "CVE-2025-66471",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66471"
},
{
"name": "CVE-2025-68146",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68146"
},
{
"name": "CVE-2025-66030",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66030"
},
{
"name": "CVE-2025-61140",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61140"
},
{
"name": "CVE-2025-66221",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66221"
},
{
"name": "CVE-2025-69228",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69228"
},
{
"name": "CVE-2025-39993",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39993"
},
{
"name": "CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"name": "CVE-2025-40154",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40154"
},
{
"name": "CVE-2025-13601",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13601"
},
{
"name": "CVE-2025-69226",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69226"
},
{
"name": "CVE-2026-21945",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21945"
},
{
"name": "CVE-2025-40248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40248"
},
{
"name": "CVE-2025-9230",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9230"
},
{
"name": "CVE-2025-69224",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69224"
},
{
"name": "CVE-2025-64756",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-64756"
},
{
"name": "CVE-2025-69229",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69229"
},
{
"name": "CVE-2025-68480",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68480"
},
{
"name": "CVE-2025-14847",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14847"
},
{
"name": "CVE-2025-68285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68285"
},
{
"name": "CVE-2025-68615",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68615"
},
{
"name": "CVE-2026-22691",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22691"
},
{
"name": "CVE-2025-66418",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66418"
}
],
"initial_release_date": "2026-02-27T00:00:00",
"last_revision_date": "2026-02-27T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0224",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-02-27T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2026-02-26",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7261959",
"url": "https://www.ibm.com/support/pages/node/7261959"
},
{
"published_at": "2026-02-25",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7261794",
"url": "https://www.ibm.com/support/pages/node/7261794"
},
{
"published_at": "2026-02-25",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7261890",
"url": "https://www.ibm.com/support/pages/node/7261890"
},
{
"published_at": "2026-02-25",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7261887",
"url": "https://www.ibm.com/support/pages/node/7261887"
},
{
"published_at": "2026-02-26",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7261935",
"url": "https://www.ibm.com/support/pages/node/7261935"
},
{
"published_at": "2026-02-20",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7261436",
"url": "https://www.ibm.com/support/pages/node/7261436"
},
{
"published_at": "2026-02-25",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7261774",
"url": "https://www.ibm.com/support/pages/node/7261774"
}
]
}
FKIE_CVE-2025-61140
Vulnerability from fkie_nvd - Published: 2026-01-28 16:16 - Updated: 2026-02-09 19:06
Severity ?
Summary
The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d | Third Party Advisory | |
| cve@mitre.org | https://github.com/dchester/jsonpath | Product |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dchester:jsonpath:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D5AD03C5-77EE-43F4-8F1E-1AB0757FE7C1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution."
}
],
"id": "CVE-2025-61140",
"lastModified": "2026-02-09T19:06:19.203",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2026-01-28T16:16:13.547",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/dchester/jsonpath"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1321"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
OPENSUSE-SU-2026:20239-1
Vulnerability from csaf_opensuse - Published: 2026-02-17 09:54 - Updated: 2026-02-17 09:54Summary
Security update for golang-github-prometheus-prometheus
Notes
Title of the patch
Security update for golang-github-prometheus-prometheus
Description of the patch
This update for golang-github-prometheus-prometheus fixes the following issues:
- CVE-2026-25547: Fixed an unbounded brace range expansion leading to excessive CPU and memory consumption. (bsc#1257841)
- CVE-2026-1615: Fixed arbitrary code injection due to unsafe evaluation of user-supplied JSON Path expressions in jsonpath. (bsc#1257897)
- CVE-2025-61140: Fixed a function vulnerable to prototype pollution in jsonpath. (bsc#1257442)
Patchnames
openSUSE-Leap-16.0-290
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for golang-github-prometheus-prometheus",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for golang-github-prometheus-prometheus fixes the following issues:\n\n- CVE-2026-25547: Fixed an unbounded brace range expansion leading to excessive CPU and memory consumption. (bsc#1257841)\n- CVE-2026-1615: Fixed arbitrary code injection due to unsafe evaluation of user-supplied JSON Path expressions in jsonpath. (bsc#1257897)\n- CVE-2025-61140: Fixed a function vulnerable to prototype pollution in jsonpath. (bsc#1257442)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-290",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20239-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1257442",
"url": "https://bugzilla.suse.com/1257442"
},
{
"category": "self",
"summary": "SUSE Bug 1257841",
"url": "https://bugzilla.suse.com/1257841"
},
{
"category": "self",
"summary": "SUSE Bug 1257897",
"url": "https://bugzilla.suse.com/1257897"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-61140 page",
"url": "https://www.suse.com/security/cve/CVE-2025-61140/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-1615 page",
"url": "https://www.suse.com/security/cve/CVE-2026-1615/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25547 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25547/"
}
],
"title": "Security update for golang-github-prometheus-prometheus",
"tracking": {
"current_release_date": "2026-02-17T09:54:15Z",
"generator": {
"date": "2026-02-17T09:54:15Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20239-1",
"initial_release_date": "2026-02-17T09:54:15Z",
"revision_history": [
{
"date": "2026-02-17T09:54:15Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.aarch64",
"product": {
"name": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.aarch64",
"product_id": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.ppc64le",
"product": {
"name": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.ppc64le",
"product_id": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.s390x",
"product": {
"name": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.s390x",
"product_id": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.x86_64",
"product": {
"name": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.x86_64",
"product_id": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.aarch64"
},
"product_reference": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.ppc64le"
},
"product_reference": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.s390x"
},
"product_reference": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.x86_64"
},
"product_reference": "golang-github-prometheus-prometheus-3.5.0-160000.2.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61140",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-61140"
}
],
"notes": [
{
"category": "general",
"text": "The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.aarch64",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.ppc64le",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.s390x",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-61140",
"url": "https://www.suse.com/security/cve/CVE-2025-61140"
},
{
"category": "external",
"summary": "SUSE Bug 1257442 for CVE-2025-61140",
"url": "https://bugzilla.suse.com/1257442"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.aarch64",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.ppc64le",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.s390x",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.aarch64",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.ppc64le",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.s390x",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-17T09:54:15Z",
"details": "important"
}
],
"title": "CVE-2025-61140"
},
{
"cve": "CVE-2026-1615",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-1615"
}
],
"notes": [
{
"category": "general",
"text": "Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.aarch64",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.ppc64le",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.s390x",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-1615",
"url": "https://www.suse.com/security/cve/CVE-2026-1615"
},
{
"category": "external",
"summary": "SUSE Bug 1257897 for CVE-2026-1615",
"url": "https://bugzilla.suse.com/1257897"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.aarch64",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.ppc64le",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.s390x",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.aarch64",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.ppc64le",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.s390x",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-17T09:54:15Z",
"details": "critical"
}
],
"title": "CVE-2026-1615"
},
{
"cve": "CVE-2026-25547",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25547"
}
],
"notes": [
{
"category": "general",
"text": "@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.aarch64",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.ppc64le",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.s390x",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25547",
"url": "https://www.suse.com/security/cve/CVE-2026-25547"
},
{
"category": "external",
"summary": "SUSE Bug 1257834 for CVE-2026-25547",
"url": "https://bugzilla.suse.com/1257834"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.aarch64",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.ppc64le",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.s390x",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.aarch64",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.ppc64le",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.s390x",
"openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-17T09:54:15Z",
"details": "important"
}
],
"title": "CVE-2026-25547"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…