Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-2950 (GCVE-0-2026-2950)
Vulnerability from cvelistv5 – Published: 2026-03-31 19:18 – Updated: 2026-04-01 13:43- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
| Vendor | Product | Version | |
|---|---|---|---|
| lodash | lodash |
Affected:
4.17.23 , < 4.18.0
(semver)
Unaffected: 4.18.0 (semver) |
|
| lodash | lodash-es |
Affected:
4.17.23 , < 4.18.0
(semver)
Unaffected: 4.18.0 (semver) |
|
| lodash | lodash-amd |
Affected:
4.17.23 , < 4.18.0
(semver)
Unaffected: 4.18.0 (semver) |
|
| lodash | lodash.unset |
Affected:
4.0.0 , < 4.18.0
(semver)
Unaffected: 4.18.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T13:43:14.280375Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T13:43:21.491Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/lodash",
"product": "lodash",
"vendor": "lodash",
"versions": [
{
"lessThan": "4.18.0",
"status": "affected",
"version": "4.17.23",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.18.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/lodash-es",
"product": "lodash-es",
"vendor": "lodash",
"versions": [
{
"lessThan": "4.18.0",
"status": "affected",
"version": "4.17.23",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.18.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/lodash-amd",
"product": "lodash-amd",
"vendor": "lodash",
"versions": [
{
"lessThan": "4.18.0",
"status": "affected",
"version": "4.17.23",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.18.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/lodash.unset",
"product": "lodash.unset",
"vendor": "lodash",
"versions": [
{
"lessThan": "4.18.0",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.18.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Haruna38"
},
{
"lang": "en",
"type": "finder",
"value": "shpik-kr"
},
{
"lang": "en",
"type": "finder",
"value": "maru1009"
},
{
"lang": "en",
"type": "finder",
"value": "ott3r07"
},
{
"lang": "en",
"type": "finder",
"value": "zolbooo"
},
{
"lang": "en",
"type": "finder",
"value": "backuardo"
},
{
"lang": "en",
"type": "remediation developer",
"value": "falsyvalues"
},
{
"lang": "en",
"type": "remediation developer",
"value": "jonchurch"
},
{
"lang": "en",
"type": "analyst",
"value": "jdalton"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "UlisesGascon"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version."
}
],
"value": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T19:18:35.796Z",
"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"shortName": "openjs"
},
"references": [
{
"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
}
],
"title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
"x_generator": {
"engine": "cve-kit 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"assignerShortName": "openjs",
"cveId": "CVE-2026-2950",
"datePublished": "2026-03-31T19:18:35.796Z",
"dateReserved": "2026-02-21T20:04:35.087Z",
"dateUpdated": "2026-04-01T13:43:21.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-2950",
"date": "2026-07-09",
"epss": "0.00317",
"percentile": "0.23634"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-2950\",\"sourceIdentifier\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"published\":\"2026-03-31T20:16:26.207\",\"lastModified\":\"2026-06-17T10:32:05.873\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Impact:\\n\\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\\n\\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\\n\\nPatches:\\n\\nThis issue is patched in 4.18.0.\\n\\nWorkarounds:\\n\\nNone. Upgrade to the patched version.\"}],\"affected\":[{\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"affectedData\":[{\"vendor\":\"lodash\",\"product\":\"lodash\",\"defaultStatus\":\"unaffected\",\"packageURL\":\"pkg:npm/lodash\",\"versions\":[{\"version\":\"4.17.23\",\"lessThan\":\"4.18.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"4.18.0\",\"versionType\":\"semver\",\"status\":\"unaffected\"}]},{\"vendor\":\"lodash\",\"product\":\"lodash-es\",\"defaultStatus\":\"unaffected\",\"packageURL\":\"pkg:npm/lodash-es\",\"versions\":[{\"version\":\"4.17.23\",\"lessThan\":\"4.18.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"4.18.0\",\"versionType\":\"semver\",\"status\":\"unaffected\"}]},{\"vendor\":\"lodash\",\"product\":\"lodash-amd\",\"defaultStatus\":\"unaffected\",\"packageURL\":\"pkg:npm/lodash-amd\",\"versions\":[{\"version\":\"4.17.23\",\"lessThan\":\"4.18.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"4.18.0\",\"versionType\":\"semver\",\"status\":\"unaffected\"}]},{\"vendor\":\"lodash\",\"product\":\"lodash.unset\",\"defaultStatus\":\"unaffected\",\"packageURL\":\"pkg:npm/lodash.unset\",\"versions\":[{\"version\":\"4.0.0\",\"lessThan\":\"4.18.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"4.18.0\",\"versionType\":\"semver\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-04-01T13:43:14.280375Z\",\"id\":\"CVE-2026-2950\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.17.23\",\"matchCriteriaId\":\"0F9E287B-784B-472D-9FA2-1469E4C8A810\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lodash:lodash-amd:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.17.23\",\"matchCriteriaId\":\"3A1B5527-B25F-49B8-A289-E964EFFCF4E4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lodash:lodash-es:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.17.23\",\"matchCriteriaId\":\"4C20325C-6B92-4775-89D7-2650F158B622\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lodash:lodash.unset:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"4.0.0\",\"matchCriteriaId\":\"43DC850D-9F26-4445-BAB1-9AF9BA37095C\"}]}]}],\"references\":[{\"url\":\"https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"tags\":[\"Vendor Advisory\"]}]}}",
"redhat_vex": {
"aggregate_severity": "Moderate",
"current_release_date": "2026-07-03T14:59:20+00:00",
"cve": "CVE-2026-2950",
"id": "CVE-2026-2950",
"initial_release_date": "2026-03-31T19:18:35.796000+00:00",
"product_status:fixed": "12",
"product_status:known_affected": "385",
"product_status:known_not_affected": "6",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2950.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-2950\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-01T13:43:14.280375Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-01T13:43:18.193Z\"}}], \"cna\": {\"title\": \"lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Haruna38\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"shpik-kr\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"maru1009\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"ott3r07\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"zolbooo\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"backuardo\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"falsyvalues\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"jonchurch\"}, {\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"jdalton\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"UlisesGascon\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"lodash\", \"product\": \"lodash\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.17.23\", \"lessThan\": \"4.18.0\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.18.0\", \"versionType\": \"semver\"}], \"packageURL\": \"pkg:npm/lodash\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"lodash\", \"product\": \"lodash-es\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.17.23\", \"lessThan\": \"4.18.0\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.18.0\", \"versionType\": \"semver\"}], \"packageURL\": \"pkg:npm/lodash-es\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"lodash\", \"product\": \"lodash-amd\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.17.23\", \"lessThan\": \"4.18.0\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.18.0\", \"versionType\": \"semver\"}], \"packageURL\": \"pkg:npm/lodash-amd\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"lodash\", \"product\": \"lodash.unset\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.0.0\", \"lessThan\": \"4.18.0\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.18.0\", \"versionType\": \"semver\"}], \"packageURL\": \"pkg:npm/lodash.unset\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg\"}], \"x_generator\": {\"engine\": \"cve-kit 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Impact:\\n\\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\\n\\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\\n\\nPatches:\\n\\nThis issue is patched in 4.18.0.\\n\\nWorkarounds:\\n\\nNone. Upgrade to the patched version.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Impact:\\n\\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\\n\\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\\n\\nPatches:\\n\\nThis issue is patched in 4.18.0.\\n\\nWorkarounds:\\n\\nNone. Upgrade to the patched version.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1321\", \"description\": \"CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"ce714d77-add3-4f53-aff5-83d477b104bb\", \"shortName\": \"openjs\", \"dateUpdated\": \"2026-03-31T19:18:35.796Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-2950\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-01T13:43:21.491Z\", \"dateReserved\": \"2026-02-21T20:04:35.087Z\", \"assignerOrgId\": \"ce714d77-add3-4f53-aff5-83d477b104bb\", \"datePublished\": \"2026-03-31T19:18:35.796Z\", \"assignerShortName\": \"openjs\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2026:7655
Vulnerability from csaf_redhat - Published: 2026-04-11 00:49 - Updated: 2026-07-09 21:13A flaw was found in Lodash. An attacker can exploit a prototype pollution vulnerability in the `_.unset` and `_.omit` functions by bypassing a security check. This bypass is achieved by providing array-wrapped path segments, which allows for the deletion of properties from built-in JavaScript prototypes such as `Object.prototype`. This could lead to unexpected application behavior or denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:yarnpkg-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:yarnpkg-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:yarnpkg-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in the brace-expansion library. This vulnerability allows an attacker to cause a Denial of Service (DoS) by providing a large numeric range for expansion. The library allocates excessive memory to generate all intermediate elements before applying the maximum limit, leading to high memory consumption and potential application crashes. This can impact the availability of systems using the library.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:yarnpkg-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:yarnpkg-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:yarnpkg-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in ws, an open source WebSocket client and server for Node.js. The `websocket.close()` implementation is vulnerable to uninitialized memory disclosure when a `TypedArray` is passed as the reason argument. This can lead to the disclosure of sensitive information from uninitialized memory.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nyarnpkg:\n * yarnpkg-1.22.22-18.1.hum1 (aarch64, x86_64)\n * yarnpkg-1.22.22-18.1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:7655",
"url": "https://access.redhat.com/errata/RHSA-2026:7655"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-2950",
"url": "https://access.redhat.com/security/cve/CVE-2026-2950"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-45149",
"url": "https://access.redhat.com/security/cve/CVE-2026-45149"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-45736",
"url": "https://access.redhat.com/security/cve/CVE-2026-45736"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59870",
"url": "https://access.redhat.com/security/cve/CVE-2026-59870"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59868",
"url": "https://access.redhat.com/security/cve/CVE-2026-59868"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7655.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-07-09T21:13:30+00:00",
"generator": {
"date": "2026-07-09T21:13:30+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.2"
}
},
"id": "RHSA-2026:7655",
"initial_release_date": "2026-04-11T00:49:50+00:00",
"revision_history": [
{
"date": "2026-04-11T00:49:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-09T05:11:42+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-09T21:13:30+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "yarnpkg-main@aarch64",
"product": {
"name": "yarnpkg-main@aarch64",
"product_id": "yarnpkg-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yarnpkg@1.22.22-18.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "yarnpkg-main@src",
"product": {
"name": "yarnpkg-main@src",
"product_id": "yarnpkg-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yarnpkg@1.22.22-18.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "yarnpkg-main@x86_64",
"product": {
"name": "yarnpkg-main@x86_64",
"product_id": "yarnpkg-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yarnpkg@1.22.22-18.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "yarnpkg-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:yarnpkg-main@aarch64"
},
"product_reference": "yarnpkg-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yarnpkg-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:yarnpkg-main@src"
},
"product_reference": "yarnpkg-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yarnpkg-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:yarnpkg-main@x86_64"
},
"product_reference": "yarnpkg-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-2950",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-03-31T20:01:38.424064+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453499"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Lodash. An attacker can exploit a prototype pollution vulnerability in the `_.unset` and `_.omit` functions by bypassing a security check. This bypass is achieved by providing array-wrapped path segments, which allows for the deletion of properties from built-in JavaScript prototypes such as `Object.prototype`. This could lead to unexpected application behavior or denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:yarnpkg-main@aarch64",
"Red Hat Hardened Images:yarnpkg-main@src",
"Red Hat Hardened Images:yarnpkg-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2950"
},
{
"category": "external",
"summary": "RHBZ#2453499",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453499"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2950"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
},
{
"category": "external",
"summary": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg",
"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
}
],
"release_date": "2026-03-31T19:18:35.796000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-11T00:49:50+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:yarnpkg-main@aarch64",
"Red Hat Hardened Images:yarnpkg-main@src",
"Red Hat Hardened Images:yarnpkg-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7655"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:yarnpkg-main@aarch64",
"Red Hat Hardened Images:yarnpkg-main@src",
"Red Hat Hardened Images:yarnpkg-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:yarnpkg-main@aarch64",
"Red Hat Hardened Images:yarnpkg-main@src",
"Red Hat Hardened Images:yarnpkg-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass"
},
{
"cve": "CVE-2026-45149",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-05-29T21:02:00.092772+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2483481"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the brace-expansion library. This vulnerability allows an attacker to cause a Denial of Service (DoS) by providing a large numeric range for expansion. The library allocates excessive memory to generate all intermediate elements before applying the maximum limit, leading to high memory consumption and potential application crashes. This can impact the availability of systems using the library.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "brace-expansion: brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat products ship brace-expansion versions 1.x and 2.x, which are not affected by this vulnerability. The flaw exists only in versions 5.0.0 through 5.0.5.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:yarnpkg-main@aarch64",
"Red Hat Hardened Images:yarnpkg-main@src",
"Red Hat Hardened Images:yarnpkg-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-45149"
},
{
"category": "external",
"summary": "RHBZ#2483481",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2483481"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-45149",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-45149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45149"
},
{
"category": "external",
"summary": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2",
"url": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2"
}
],
"release_date": "2026-05-29T19:55:07.337000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-11T00:49:50+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:yarnpkg-main@aarch64",
"Red Hat Hardened Images:yarnpkg-main@src",
"Red Hat Hardened Images:yarnpkg-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7655"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:yarnpkg-main@aarch64",
"Red Hat Hardened Images:yarnpkg-main@src",
"Red Hat Hardened Images:yarnpkg-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:yarnpkg-main@aarch64",
"Red Hat Hardened Images:yarnpkg-main@src",
"Red Hat Hardened Images:yarnpkg-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "brace-expansion: brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges"
},
{
"cve": "CVE-2026-45736",
"cwe": {
"id": "CWE-824",
"name": "Access of Uninitialized Pointer"
},
"discovery_date": "2026-05-15T16:00:55.786944+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477914"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ws, an open source WebSocket client and server for Node.js. The `websocket.close()` implementation is vulnerable to uninitialized memory disclosure when a `TypedArray` is passed as the reason argument. This can lead to the disclosure of sensitive information from uninitialized memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ws: ws: Uninitialized memory disclosure via `websocket.close()` with `TypedArray`",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important vulnerability in the `ws` WebSocket library for Node.js could lead to sensitive information disclosure. The flaw occurs when a `TypedArray` is specifically provided as the `reason` argument to the `websocket.close()` function, potentially exposing uninitialized memory. Red Hat products utilizing this library may be affected if their implementations allow for such a crafted `close()` call.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:yarnpkg-main@aarch64",
"Red Hat Hardened Images:yarnpkg-main@src",
"Red Hat Hardened Images:yarnpkg-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-45736"
},
{
"category": "external",
"summary": "RHBZ#2477914",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477914"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-45736",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45736"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-45736",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45736"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086",
"url": "https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx",
"url": "https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx"
}
],
"release_date": "2026-05-15T14:53:57.263000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-11T00:49:50+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:yarnpkg-main@aarch64",
"Red Hat Hardened Images:yarnpkg-main@src",
"Red Hat Hardened Images:yarnpkg-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7655"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:yarnpkg-main@aarch64",
"Red Hat Hardened Images:yarnpkg-main@src",
"Red Hat Hardened Images:yarnpkg-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ws: ws: Uninitialized memory disclosure via `websocket.close()` with `TypedArray`"
}
]
}
RHSA-2026:9455
Vulnerability from csaf_redhat - Published: 2026-04-21 17:31 - Updated: 2026-07-09 05:46A flaw was found in Lodash. An attacker can exploit a prototype pollution vulnerability in the `_.unset` and `_.omit` functions by bypassing a security check. This bypass is achieved by providing array-wrapped path segments, which allows for the deletion of properties from built-in JavaScript prototypes such as `Object.prototype`. This could lead to unexpected application behavior or denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in the brace-expansion library. This vulnerability allows an attacker to cause a Denial of Service (DoS) by providing a large numeric range for expansion. The library allocates excessive memory to generate all intermediate elements before applying the maximum limit, leading to high memory consumption and potential application crashes. This can impact the availability of systems using the library.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. When proxy credentials are embedded in a proxy URL, an issue in the proxy tunnel error handling can lead to the exposure of these credentials. This information disclosure vulnerability allows an attacker to potentially capture sensitive proxy credentials through logs, diagnostics, or other error-consuming mechanisms.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS (Transport Layer Security) hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security boundaries, potentially leading to unauthorized access and confidentiality impact.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. A malicious server can exploit the HTTP/2 client by sending an unlimited number of ORIGIN frames. This can lead to an Out of Memory error on the client, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. An inconsistency in how Node.js matches hostnames can be exploited by a remote attacker in multi-context mTLS (mutual Transport Layer Security) setups. This vulnerability allows for a trust-policy bypass, potentially leading to unauthorized access to sensitive information or integrity compromise within the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. This vulnerability in the TLS (Transport Layer Security) hostname handling allows embedded null characters in hostnames. This can lead to silent authority rebinding, potentially enabling an attacker to redirect network traffic to an unintended server and disclose sensitive information.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in the Node.js WebCrypto implementation. A remote attacker could exploit this vulnerability by providing an input to the `subtle.encrypt()` function that is a multiple of 2 gigabytes (GiB). This could lead to a denial of service (DoS) by crashing the Node.js process.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. An attacker can exploit a vulnerability in the Transport Layer Security (TLS) host verification process to bypass certification validation. This bypass could allow an attacker to intercept or alter communications, potentially leading to information disclosure or integrity compromise.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system.
CWE-279 - Incorrect Execution-Assigned Permissions| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. The Node.js Permission API can allow a local server to be started through a Unix domain socket, even when the `--allow-net` permission is not explicitly granted. This bypasses intended security restrictions, potentially leading to unintended local network exposure or integrity impact.
CWE-648 - Incorrect Use of Privileged APIs| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nnodejs20:\n * nodejs20-20.20.2-1.hum1 (aarch64, x86_64)\n * nodejs20-bin-20.20.2-1.hum1 (noarch)\n * nodejs20-devel-20.20.2-1.hum1 (aarch64, x86_64)\n * nodejs20-docs-20.20.2-1.hum1 (noarch)\n * nodejs20-full-i18n-20.20.2-1.hum1 (aarch64, x86_64)\n * nodejs20-libs-20.20.2-1.hum1 (aarch64, x86_64)\n * nodejs20-npm-10.8.2-1.20.20.2.1.hum1 (noarch)\n * nodejs20-npm-bin-20.20.2-1.hum1 (noarch)\n * v8-11.3-devel-11.3.244.8-1.20.20.2.1.hum1 (aarch64, x86_64)\n * nodejs20-20.20.2-1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:9455",
"url": "https://access.redhat.com/errata/RHSA-2026:9455"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-2950",
"url": "https://access.redhat.com/security/cve/CVE-2026-2950"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-45149",
"url": "https://access.redhat.com/security/cve/CVE-2026-45149"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-8723",
"url": "https://access.redhat.com/security/cve/CVE-2026-8723"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48618",
"url": "https://access.redhat.com/security/cve/CVE-2026-48618"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48933",
"url": "https://access.redhat.com/security/cve/CVE-2026-48933"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48615",
"url": "https://access.redhat.com/security/cve/CVE-2026-48615"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48936",
"url": "https://access.redhat.com/security/cve/CVE-2026-48936"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48934",
"url": "https://access.redhat.com/security/cve/CVE-2026-48934"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48928",
"url": "https://access.redhat.com/security/cve/CVE-2026-48928"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48930",
"url": "https://access.redhat.com/security/cve/CVE-2026-48930"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48619",
"url": "https://access.redhat.com/security/cve/CVE-2026-48619"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48935",
"url": "https://access.redhat.com/security/cve/CVE-2026-48935"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59870",
"url": "https://access.redhat.com/security/cve/CVE-2026-59870"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-59868",
"url": "https://access.redhat.com/security/cve/CVE-2026-59868"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_9455.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-07-09T05:46:00+00:00",
"generator": {
"date": "2026-07-09T05:46:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:9455",
"initial_release_date": "2026-04-21T17:31:07+00:00",
"revision_history": [
{
"date": "2026-04-21T17:31:07+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-09T05:11:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-09T05:46:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs20-main@aarch64",
"product": {
"name": "nodejs20-main@aarch64",
"product_id": "nodejs20-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs20@20.20.2-1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs20-main@src",
"product": {
"name": "nodejs20-main@src",
"product_id": "nodejs20-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs20@20.20.2-1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs20-main@x86_64",
"product": {
"name": "nodejs20-main@x86_64",
"product_id": "nodejs20-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs20@20.20.2-1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs20-main@noarch",
"product": {
"name": "nodejs20-main@noarch",
"product_id": "nodejs20-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs20-bin@20.20.2-1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs20-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs20-main@aarch64"
},
"product_reference": "nodejs20-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs20-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs20-main@noarch"
},
"product_reference": "nodejs20-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs20-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs20-main@src"
},
"product_reference": "nodejs20-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs20-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs20-main@x86_64"
},
"product_reference": "nodejs20-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-2950",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-03-31T20:01:38.424064+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453499"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Lodash. An attacker can exploit a prototype pollution vulnerability in the `_.unset` and `_.omit` functions by bypassing a security check. This bypass is achieved by providing array-wrapped path segments, which allows for the deletion of properties from built-in JavaScript prototypes such as `Object.prototype`. This could lead to unexpected application behavior or denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2950"
},
{
"category": "external",
"summary": "RHBZ#2453499",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453499"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2950"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
},
{
"category": "external",
"summary": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg",
"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
}
],
"release_date": "2026-03-31T19:18:35.796000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:31:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9455"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass"
},
{
"cve": "CVE-2026-45149",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-05-29T21:02:00.092772+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2483481"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the brace-expansion library. This vulnerability allows an attacker to cause a Denial of Service (DoS) by providing a large numeric range for expansion. The library allocates excessive memory to generate all intermediate elements before applying the maximum limit, leading to high memory consumption and potential application crashes. This can impact the availability of systems using the library.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "brace-expansion: brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat products ship brace-expansion versions 1.x and 2.x, which are not affected by this vulnerability. The flaw exists only in versions 5.0.0 through 5.0.5.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-45149"
},
{
"category": "external",
"summary": "RHBZ#2483481",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2483481"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-45149",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-45149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45149"
},
{
"category": "external",
"summary": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2",
"url": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2"
}
],
"release_date": "2026-05-29T19:55:07.337000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:31:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9455"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "brace-expansion: brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges"
},
{
"cve": "CVE-2026-48615",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2026-06-26T02:01:59.112093+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493335"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. When proxy credentials are embedded in a proxy URL, an issue in the proxy tunnel error handling can lead to the exposure of these credentials. This information disclosure vulnerability allows an attacker to potentially capture sensitive proxy credentials through logs, diagnostics, or other error-consuming mechanisms.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48615"
},
{
"category": "external",
"summary": "RHBZ#2493335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493335"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48615",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48615"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48615",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48615"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.524000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:31:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9455"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling"
},
{
"cve": "CVE-2026-48618",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2026-06-26T02:02:10.741725+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493337"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS (Transport Layer Security) hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security boundaries, potentially leading to unauthorized access and confidentiality impact.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in Node.js allows for a TLS wildcard-depth authentication bypass due to a mismatch in how hostnames and unicode dot separators are handled during authentication. This could enable an attacker to circumvent security boundaries, potentially leading to unauthorized access and compromise of sensitive information in applications utilizing Node.js for TLS connections. The issue affects Node.js versions 22, 24, and 26 as shipped in Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48618"
},
{
"category": "external",
"summary": "RHBZ#2493337",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493337"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48618",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48618"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48618",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48618"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.868000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:31:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9455"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch"
},
{
"cve": "CVE-2026-48619",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-26T02:01:06.466413+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493325"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. A malicious server can exploit the HTTP/2 client by sending an unlimited number of ORIGIN frames. This can lead to an Out of Memory error on the client, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate flaw in the Node.js HTTP/2 client can lead to a denial of service. A malicious server could exploit this by sending an excessive number of ORIGIN frames, causing the client to consume all available memory. This affects Red Hat products utilizing Node.js as an HTTP/2 client.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48619"
},
{
"category": "external",
"summary": "RHBZ#2493325",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493325"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48619",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48619"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48619",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48619"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.541000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:31:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9455"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames"
},
{
"cve": "CVE-2026-48928",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2026-06-26T02:01:48.441706+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An inconsistency in how Node.js matches hostnames can be exploited by a remote attacker in multi-context mTLS (mutual Transport Layer Security) setups. This vulnerability allows for a trust-policy bypass, potentially leading to unauthorized access to sensitive information or integrity compromise within the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48928"
},
{
"category": "external",
"summary": "RHBZ#2493333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48928",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48928"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48928",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48928"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.981000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:31:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9455"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency"
},
{
"cve": "CVE-2026-48930",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"discovery_date": "2026-06-26T02:01:11.476251+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493326"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. This vulnerability in the TLS (Transport Layer Security) hostname handling allows embedded null characters in hostnames. This can lead to silent authority rebinding, potentially enabling an attacker to redirect network traffic to an unintended server and disclose sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48930"
},
{
"category": "external",
"summary": "RHBZ#2493326",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493326"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48930",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48930"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48930",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48930"
},
{
"category": "external",
"summary": "https://github.com/nodejs/node/commit/7dafafa2424710ded8b77eb7c878e884c1aef64e",
"url": "https://github.com/nodejs/node/commit/7dafafa2424710ded8b77eb7c878e884c1aef64e"
},
{
"category": "external",
"summary": "https://hackerone.com/reports/3656716",
"url": "https://hackerone.com/reports/3656716"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:37.006000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:31:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9455"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling"
},
{
"cve": "CVE-2026-48933",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-26T02:01:39.107538+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493331"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Node.js WebCrypto implementation. A remote attacker could exploit this vulnerability by providing an input to the `subtle.encrypt()` function that is a multiple of 2 gigabytes (GiB). This could lead to a denial of service (DoS) by crashing the Node.js process.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in Node.js WebCrypto, as a remote attacker can crash the Node.js process by providing a specially crafted large input to the `subtle.encrypt()` function. This could lead to service unavailability in Red Hat environments where Node.js applications process untrusted data with WebCrypto.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48933"
},
{
"category": "external",
"summary": "RHBZ#2493331",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493331"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48933",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48933"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48933",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48933"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.823000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:31:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9455"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()"
},
{
"cve": "CVE-2026-48934",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2026-06-26T02:01:43.284771+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493332"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An attacker can exploit a vulnerability in the Transport Layer Security (TLS) host verification process to bypass certification validation. This bypass could allow an attacker to intercept or alter communications, potentially leading to information disclosure or integrity compromise.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Certification validation bypass in TLS host verification",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48934"
},
{
"category": "external",
"summary": "RHBZ#2493332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48934",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48934"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48934",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48934"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.894000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:31:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9455"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Node.js: Certification validation bypass in TLS host verification"
},
{
"cve": "CVE-2026-48935",
"cwe": {
"id": "CWE-279",
"name": "Incorrect Execution-Assigned Permissions"
},
"discovery_date": "2026-06-26T02:01:29.191932+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493329"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Unauthorized file metadata modification",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48935"
},
{
"category": "external",
"summary": "RHBZ#2493329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493329"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48935",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48935"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48935",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48935"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.641000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:31:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9455"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Node.js: Unauthorized file metadata modification"
},
{
"cve": "CVE-2026-48936",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2026-06-26T02:02:04.921691+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493336"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. The Node.js Permission API can allow a local server to be started through a Unix domain socket, even when the `--allow-net` permission is not explicitly granted. This bypasses intended security restrictions, potentially leading to unintended local network exposure or integrity impact.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Local server can be started without network permission via Permission API flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48936"
},
{
"category": "external",
"summary": "RHBZ#2493336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493336"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48936",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48936"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48936",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48936"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.878000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-21T17:31:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9455"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Node.js: Local server can be started without network permission via Permission API flaw"
}
]
}
WID-SEC-W-2026-1328
Vulnerability from csaf_certbund - Published: 2026-05-03 22:00 - Updated: 2026-06-08 22:00| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux Multicluster Global Hub <1.5.4
Red Hat / Enterprise Linux
|
Multicluster Global Hub <1.5.4 | ||
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— | |
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Red Hat Enterprise Linux Hardened Images RPMs
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:hardened_images_rpms
|
Hardened Images RPMs | |
|
IBM MQ
IBM
|
cpe:/a:ibm:mq:-
|
— | |
|
HCL BigFix WebUI
HCL / BigFix
|
cpe:/a:hcltech:bigfix:webui
|
WebUI | |
|
IBM Storage Scale <6.0.1.0
IBM / Storage Scale
|
<6.0.1.0 | ||
|
Fedora Linux
Fedora
|
cpe:/o:fedoraproject:fedora:-
|
— | |
|
IBM Storage Scale <5.2.3.8
IBM / Storage Scale
|
<5.2.3.8 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux Multicluster Global Hub <1.5.4
Red Hat / Enterprise Linux
|
Multicluster Global Hub <1.5.4 | ||
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— | |
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Red Hat Enterprise Linux Hardened Images RPMs
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:hardened_images_rpms
|
Hardened Images RPMs | |
|
IBM MQ
IBM
|
cpe:/a:ibm:mq:-
|
— | |
|
HCL BigFix WebUI
HCL / BigFix
|
cpe:/a:hcltech:bigfix:webui
|
WebUI | |
|
IBM Storage Scale <6.0.1.0
IBM / Storage Scale
|
<6.0.1.0 | ||
|
Fedora Linux
Fedora
|
cpe:/o:fedoraproject:fedora:-
|
— | |
|
IBM Storage Scale <5.2.3.8
IBM / Storage Scale
|
<5.2.3.8 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux Multicluster Global Hub <1.5.4
Red Hat / Enterprise Linux
|
Multicluster Global Hub <1.5.4 | ||
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— | |
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Red Hat Enterprise Linux Hardened Images RPMs
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:hardened_images_rpms
|
Hardened Images RPMs | |
|
IBM MQ
IBM
|
cpe:/a:ibm:mq:-
|
— | |
|
HCL BigFix WebUI
HCL / BigFix
|
cpe:/a:hcltech:bigfix:webui
|
WebUI | |
|
IBM Storage Scale <6.0.1.0
IBM / Storage Scale
|
<6.0.1.0 | ||
|
Fedora Linux
Fedora
|
cpe:/o:fedoraproject:fedora:-
|
— | |
|
IBM Storage Scale <5.2.3.8
IBM / Storage Scale
|
<5.2.3.8 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux Multicluster Global Hub <1.5.4
Red Hat / Enterprise Linux
|
Multicluster Global Hub <1.5.4 | ||
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— | |
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Red Hat Enterprise Linux Hardened Images RPMs
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:hardened_images_rpms
|
Hardened Images RPMs | |
|
IBM MQ
IBM
|
cpe:/a:ibm:mq:-
|
— | |
|
HCL BigFix WebUI
HCL / BigFix
|
cpe:/a:hcltech:bigfix:webui
|
WebUI | |
|
IBM Storage Scale <6.0.1.0
IBM / Storage Scale
|
<6.0.1.0 | ||
|
Fedora Linux
Fedora
|
cpe:/o:fedoraproject:fedora:-
|
— | |
|
IBM Storage Scale <5.2.3.8
IBM / Storage Scale
|
<5.2.3.8 |
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in Red Hat Hardened Images RPMs ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren oder Daten zu manipulieren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-1328 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1328.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-1328 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1328"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:12430 vom 2026-05-03",
"url": "https://access.redhat.com/errata/RHSA-2026:12430"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:12682 vom 2026-05-03",
"url": "https://access.redhat.com/errata/RHSA-2026:12682"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:7655 vom 2026-05-03",
"url": "https://access.redhat.com/errata/RHSA-2026:7655"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:8291 vom 2026-05-03",
"url": "https://access.redhat.com/errata/RHSA-2026:8291"
},
{
"category": "external",
"summary": "NIST CVE-2026-33813 vom 2026-05-03",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33813"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:7378 vom 2026-05-04",
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2026-C66EAAE759 vom 2026-05-06",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-c66eaae759"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:10682-1 vom 2026-05-06",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XLRSQ4ZEPLCSV4ZOWTAQ6SMT4FCRCX66/"
},
{
"category": "external",
"summary": "HCL Security Bulletin",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130587"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2026-8DF732BE8A vom 2026-05-11",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-8df732be8a"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7273145 vom 2026-05-15",
"url": "https://www.ibm.com/support/pages/node/7273145"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:21769 vom 2026-05-28",
"url": "https://access.redhat.com/errata/RHSA-2026:21769"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7274746 vom 2026-06-01",
"url": "https://www.ibm.com/support/pages/node/7274746"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:22347 vom 2026-06-02",
"url": "https://access.redhat.com/errata/RHSA-2026:22347"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7275270 vom 2026-06-05",
"url": "https://www.ibm.com/support/pages/node/7275270"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:24503 vom 2026-06-08",
"url": "https://access.redhat.com/errata/RHSA-2026:24503"
}
],
"source_lang": "en-US",
"title": "Red Hat Hardened Images RPMs: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-06-08T22:00:00.000+00:00",
"generator": {
"date": "2026-06-09T09:02:19.018+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.6.0"
}
},
"id": "WID-SEC-W-2026-1328",
"initial_release_date": "2026-05-03T22:00:00.000+00:00",
"revision_history": [
{
"date": "2026-05-03T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-05-05T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Fedora aufgenommen"
},
{
"date": "2026-05-06T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2026-05-10T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von HCL aufgenommen"
},
{
"date": "2026-05-11T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Fedora aufgenommen"
},
{
"date": "2026-05-17T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2026-05-28T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-06-01T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von IBM und Red Hat aufgenommen"
},
{
"date": "2026-06-07T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2026-06-08T22:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "10"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Fedora Linux",
"product": {
"name": "Fedora Linux",
"product_id": "74185",
"product_identification_helper": {
"cpe": "cpe:/o:fedoraproject:fedora:-"
}
}
}
],
"category": "vendor",
"name": "Fedora"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "WebUI",
"product": {
"name": "HCL BigFix WebUI",
"product_id": "T036098",
"product_identification_helper": {
"cpe": "cpe:/a:hcltech:bigfix:webui"
}
}
}
],
"category": "product_name",
"name": "BigFix"
}
],
"category": "vendor",
"name": "HCL"
},
{
"branches": [
{
"category": "product_name",
"name": "IBM MQ",
"product": {
"name": "IBM MQ",
"product_id": "T021398",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:mq:-"
}
}
},
{
"category": "product_name",
"name": "IBM QRadar SIEM",
"product": {
"name": "IBM QRadar SIEM",
"product_id": "T021415",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:qradar_siem:-"
}
}
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c5.2.3.8",
"product": {
"name": "IBM Storage Scale \u003c5.2.3.8",
"product_id": "T055027"
}
},
{
"category": "product_version",
"name": "5.2.3.8",
"product": {
"name": "IBM Storage Scale 5.2.3.8",
"product_id": "T055027-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spectrum_scale:5.2.3.8"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.0.1.0",
"product": {
"name": "IBM Storage Scale \u003c6.0.1.0",
"product_id": "T055028"
}
},
{
"category": "product_version",
"name": "6.0.1.0",
"product": {
"name": "IBM Storage Scale 6.0.1.0",
"product_id": "T055028-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spectrum_scale:6.0.1.0"
}
}
}
],
"category": "product_name",
"name": "Storage Scale"
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"category": "product_version",
"name": "Hardened Images RPMs",
"product": {
"name": "Red Hat Enterprise Linux Hardened Images RPMs",
"product_id": "T053469",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:hardened_images_rpms"
}
}
},
{
"category": "product_version_range",
"name": "Multicluster Global Hub \u003c1.5.4",
"product": {
"name": "Red Hat Enterprise Linux Multicluster Global Hub \u003c1.5.4",
"product_id": "T054839"
}
},
{
"category": "product_version",
"name": "Multicluster Global Hub 1.5.4",
"product": {
"name": "Red Hat Enterprise Linux Multicluster Global Hub 1.5.4",
"product_id": "T054839-fixed",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:multicluster_global_hub__1.5.4"
}
}
}
],
"category": "product_name",
"name": "Enterprise Linux"
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-2625",
"product_status": {
"known_affected": [
"T054839",
"67646",
"T021415",
"T027843",
"T053469",
"T021398",
"T036098",
"T055028",
"74185",
"T055027"
]
},
"release_date": "2026-05-03T22:00:00.000+00:00",
"title": "CVE-2026-2625"
},
{
"cve": "CVE-2026-2950",
"product_status": {
"known_affected": [
"T054839",
"67646",
"T021415",
"T027843",
"T053469",
"T021398",
"T036098",
"T055028",
"74185",
"T055027"
]
},
"release_date": "2026-05-03T22:00:00.000+00:00",
"title": "CVE-2026-2950"
},
{
"cve": "CVE-2026-33813",
"product_status": {
"known_affected": [
"T054839",
"67646",
"T021415",
"T027843",
"T053469",
"T021398",
"T036098",
"T055028",
"74185",
"T055027"
]
},
"release_date": "2026-05-03T22:00:00.000+00:00",
"title": "CVE-2026-33813"
},
{
"cve": "CVE-2026-42371",
"product_status": {
"known_affected": [
"T054839",
"67646",
"T021415",
"T027843",
"T053469",
"T021398",
"T036098",
"T055028",
"74185",
"T055027"
]
},
"release_date": "2026-05-03T22:00:00.000+00:00",
"title": "CVE-2026-42371"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.