Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-42338 (GCVE-0-2026-42338)
Vulnerability from cvelistv5 – Published: 2026-05-12 19:43 – Updated: 2026-07-06 12:04- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42338",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T14:46:11.633277Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:46:50.469Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2.6::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Ansible Automation Platform 2.6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1.9::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub 1.9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2.6::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 2.6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.0::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.1::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:confidential_compute_attestation:1"
],
"defaultStatus": "affected",
"product": "Confidential Compute Attestation",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cryostat:4"
],
"defaultStatus": "affected",
"product": "Cryostat 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:exploit_intelligence:0"
],
"defaultStatus": "affected",
"product": "Exploit Intelligence",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhmt:1"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine"
],
"defaultStatus": "affected",
"product": "Multicluster Engine for Kubernetes",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "affected",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_broker:7"
],
"defaultStatus": "affected",
"product": "Red Hat AMQ Broker 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:apache_camel_hawtio:4"
],
"defaultStatus": "affected",
"product": "Red Hat build of Apache Camel - HawtIO 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:podman_desktop:1"
],
"defaultStatus": "affected",
"product": "Red Hat Build of Podman Desktop",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:podman_desktop:0"
],
"defaultStatus": "affected",
"product": "Red Hat Build of Podman Desktop - Tech Preview",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "affected",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_portal:2"
],
"defaultStatus": "affected",
"product": "Self-service automation portal 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "unaffected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:camel_spring_boot:4"
],
"defaultStatus": "unaffected",
"product": "Red Hat build of Apache Camel for Spring Boot 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-12T19:43:16.470Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user\u0027s browser."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T12:04:56.917Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"name": "RHBZ#2476810",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476810"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42338.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:35842"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34374"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33574"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33183"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:35842: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:35841: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:34374: Red Hat Ansible Automation Platform 2.6"
},
{
"lang": "en",
"value": "RHSA-2026:33574: Red Hat Developer Hub 1.9"
},
{
"lang": "en",
"value": "RHSA-2026:33155: Red Hat OpenShift Service Mesh 2.6"
},
{
"lang": "en",
"value": "RHSA-2026:33160: Red Hat OpenShift Service Mesh 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:33163: Red Hat OpenShift Service Mesh 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:33173: Red Hat OpenShift Service Mesh 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:33183: Red Hat OpenShift Service Mesh 3.3"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-12T21:01:14.436Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-12T19:43:16.470Z",
"value": "Made public."
}
],
"title": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "ip-address",
"vendor": "beaugunderson",
"versions": [
{
"status": "affected",
"version": "\u003c 10.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error\u0027s parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T19:43:16.470Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g"
}
],
"source": {
"advisory": "GHSA-v2v4-37r5-5v8g",
"discovery": "UNKNOWN"
},
"title": "ip-address: XSS in Address6 HTML-emitting methods"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42338",
"datePublished": "2026-05-12T19:43:16.470Z",
"dateReserved": "2026-04-26T13:26:14.514Z",
"dateUpdated": "2026-07-06T12:04:56.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-42338",
"date": "2026-07-05",
"epss": "0.00453",
"percentile": "0.36286"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-42338\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-12T20:16:41.130\",\"lastModified\":\"2026-07-06T13:16:54.673\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error\u0027s parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"beaugunderson\",\"product\":\"ip-address\",\"versions\":[{\"version\":\"\u003c 10.1.1\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream (v. 10)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10.2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ansible Automation Platform 2.6\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ansible_automation_platform:2.6::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Developer Hub 1.9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhdh:1.9::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 2.6\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:2.6::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.0\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.0::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.1\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.1::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.2::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Service Mesh 3.3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:service_mesh:3.3::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Confidential Compute Attestation\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:confidential_compute_attestation:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Cryostat 4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:cryostat:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Exploit Intelligence\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:exploit_intelligence:0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Migration Toolkit for Containers\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhmt:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Engine for Kubernetes\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_engine\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Pipelines\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_pipelines:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat AMQ Broker 7\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:amq_broker:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat build of Apache Camel - HawtIO 4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:apache_camel_hawtio:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Build of Podman Desktop\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:podman_desktop:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Build of Podman Desktop - Tech Preview\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:podman_desktop:0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AI (RHEL AI) 3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux_ai:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Hardened Images\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:hummingbird:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift AI (RHOAI)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_ai\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Dev Spaces\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:openshift_devspaces:3\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Satellite 6\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:satellite:6\"]},{\"vendor\":\"Red Hat\",\"product\":\"Self-service automation portal 2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ansible_portal:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Advanced Cluster Management for Kubernetes 2\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:acm:2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat build of Apache Camel for Spring Boot 4\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:camel_spring_boot:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 10\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10\"]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-05-13T14:46:11.633277Z\",\"id\":\"CVE-2026-42338\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:beaugunderson:ip-address:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"10.1.1\",\"matchCriteriaId\":\"2A574108-EE16-449B-8729-B727C061036B\"}]}]}],\"references\":[{\"url\":\"https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:33155\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:33160\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:33163\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:33173\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:33183\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:33574\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:34374\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:35841\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:35842\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-42338\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2476810\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42338.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2.6::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2.6\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhdh:1.9::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Developer Hub 1.9\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:2.6::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Service Mesh 2.6\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:3.0::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Service Mesh 3.0\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:3.1::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Service Mesh 3.1\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:3.2::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Service Mesh 3.2\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_mesh:3.3::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Service Mesh 3.3\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:confidential_compute_attestation:1\"], \"vendor\": \"Red Hat\", \"product\": \"Confidential Compute Attestation\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cryostat:4\"], \"vendor\": \"Red Hat\", \"product\": \"Cryostat 4\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:exploit_intelligence:0\"], \"vendor\": \"Red Hat\", \"product\": \"Exploit Intelligence\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhmt:1\"], \"vendor\": \"Red Hat\", \"product\": \"Migration Toolkit for Containers\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:multicluster_engine\"], \"vendor\": \"Red Hat\", \"product\": \"Multicluster Engine for Kubernetes\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_pipelines:1\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Pipelines\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:amq_broker:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat AMQ Broker 7\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:apache_camel_hawtio:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Apache Camel - HawtIO 4\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:podman_desktop:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Build of Podman Desktop\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:podman_desktop:0\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Build of Podman Desktop - Tech Preview\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux_ai:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AI (RHEL AI) 3\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:hummingbird:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Hardened Images\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_ai\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift AI (RHOAI)\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_devspaces:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Dev Spaces\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite:6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_portal:2\"], \"vendor\": \"Red Hat\", \"product\": \"Self-service automation portal 2\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:acm:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Advanced Cluster Management for Kubernetes 2\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:camel_spring_boot:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Apache Camel for Spring Boot 4\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-05-12T21:01:14.436Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-05-12T19:43:16.470Z\", \"value\": \"Made public.\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"RHSA-2026:34374: Red Hat Ansible Automation Platform 2.6\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:33574: Red Hat Developer Hub 1.9\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:33155: Red Hat OpenShift Service Mesh 2.6\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:33160: Red Hat OpenShift Service Mesh 3.0\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:33163: Red Hat OpenShift Service Mesh 3.1\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:33173: Red Hat OpenShift Service Mesh 3.2\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:33183: Red Hat OpenShift Service Mesh 3.3\"}], \"x_adpType\": \"supplier\", \"datePublic\": \"2026-05-12T19:43:16.470Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2026-42338\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2476810\", \"name\": \"RHBZ#2476810\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42338.json\", \"tags\": [\"x_sadp-csaf-vex\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:34374\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:33574\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:33155\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:33160\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:33163\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:33173\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:33183\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.\"}], \"x_generator\": {\"engine\": \"sadp-cli 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user\u0027s browser.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\", \"shortName\": \"redhat-SADP\", \"dateUpdated\": \"2026-07-02T12:05:13.762Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42338\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-13T14:46:11.633277Z\"}}}], \"references\": [{\"url\": \"https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-13T14:46:43.960Z\"}}], \"cna\": {\"title\": \"ip-address: XSS in Address6 HTML-emitting methods\", \"source\": {\"advisory\": \"GHSA-v2v4-37r5-5v8g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"beaugunderson\", \"product\": \"ip-address\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 10.1.1\"}]}], \"references\": [{\"url\": \"https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g\", \"name\": \"https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error\u0027s parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-12T19:43:16.470Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-42338\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-02T12:05:13.762Z\", \"dateReserved\": \"2026-04-26T13:26:14.514Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-12T19:43:16.470Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
cleanstart-2026-be61221
Vulnerability from cleanstart
Multiple security vulnerabilities affect the opensearch-dashboards-fips package. These issues are resolved in later releases. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "opensearch-dashboards-fips"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.19.5-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the opensearch-dashboards-fips package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-BE61221",
"modified": "2026-05-10T11:41:43Z",
"published": "2026-05-18T13:36:50.922233Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-BE61221.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-62718"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29045"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29085"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29086"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29087"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2950"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-30827"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33750"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33891"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33894"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33895"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33916"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33937"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34043"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-35213"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39406"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39407"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39408"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39409"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39410"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-40175"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41238"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41239"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41240"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42033"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42034"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42035"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42037"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42038"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42039"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42040"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42041"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42042"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42043"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42044"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42264"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42338"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-44455"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-44456"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-44457"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-44458"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-44459"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-4800"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-4923"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-4926"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-6321"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-6322"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2328-f5f3-gj25"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-26pp-8wgv-hjvm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-27v5-c462-wpq7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2qvq-rjwj-gvw9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2w6w-674q-4c4q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-39q2-94rc-95cp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3mfm-83xf-c92r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3p68-rc4w-qgx5"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3w6x-2g7m-8v23"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-442j-39wm-28r2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-445q-vr5w-6q77"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-458j-xx4x-4375"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-46wh-pxpv-q5gq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5c6j-r48x-rmvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5c9x-8gcm-mpgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5m6q-g25r-mvwx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5pq2-9x2x-5p6w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-62hf-57xw-28j9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-69xw-7hcm-h432"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-6chq-wfr3-2hj9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7rx3-28cr-v5wh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-92pp-h63x-v22m"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9cx6-37pm-9jff"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9vqf-7f2p-gf9v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-crv5-9vww-q3g8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f23m-r3pf-42rh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fvcv-3m26-pcqx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-h7mw-gpvr-xq4m"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j3q9-mxjg-w52f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jg4p-7fhp-p32p"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7pr-hjqh-92cm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-p6xx-57qc-3wxr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-p77w-8qqv-26rm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pf86-5x62-jrwf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pmwg-cvhr-8vh7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-ppp5-5v6c-4jwp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-q3j6-qgpj-74h6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-q5qw-h33p-qvwr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-q67f-28xg-22rw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-q8qp-cvcw-x6jj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qj8w-gfj5-8c6v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qp7p-654g-cw7p"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r4q5-vmmm-2653"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r5rp-j6wh-rvv4"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v2v4-37r5-5v8g"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v39h-62p7-jpjc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v8w9-8mx6-g223"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9jr-rg53-9pgp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vf2m-468p-8v99"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w9j2-pvgh-6h63"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wc8c-qw6v-h7f6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wmmm-f939-6g9c"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xf4j-xp2r-rqqx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xhjh-pmcv-23jw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xhpv-hc6g-r9c6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xjpj-3mr7-gcpf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xpcf-pg52-r92g"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xx6v-rp6x-q39c"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62718"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29045"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29085"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29086"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29087"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30827"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33891"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33894"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33895"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33916"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33937"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34043"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35213"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39406"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39407"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39408"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39409"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39410"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40175"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41238"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41239"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41240"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42034"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42036"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42037"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42038"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42040"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42042"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42264"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44455"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44456"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44457"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44458"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44459"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4923"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4926"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6321"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6322"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-62718, CVE-2025-69873, CVE-2026-29045, CVE-2026-29085, CVE-2026-29086, CVE-2026-29087, CVE-2026-2950, CVE-2026-30827, CVE-2026-33750, CVE-2026-33891, CVE-2026-33894, CVE-2026-33895, CVE-2026-33896, CVE-2026-33916, CVE-2026-33937, CVE-2026-34043, CVE-2026-35213, CVE-2026-39406, CVE-2026-39407, CVE-2026-39408, CVE-2026-39409, CVE-2026-39410, CVE-2026-40175, CVE-2026-41238, CVE-2026-41239, CVE-2026-41240, CVE-2026-42033, CVE-2026-42034, CVE-2026-42035, CVE-2026-42036, CVE-2026-42037, CVE-2026-42038, CVE-2026-42039, CVE-2026-42040, CVE-2026-42041, CVE-2026-42042, CVE-2026-42043, CVE-2026-42044, CVE-2026-42264, CVE-2026-42338, CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458, CVE-2026-44459, CVE-2026-4800, CVE-2026-4923, CVE-2026-4926, CVE-2026-6321, CVE-2026-6322, ghsa-2328-f5f3-gj25, ghsa-26pp-8wgv-hjvm, ghsa-27v5-c462-wpq7, ghsa-2g4f-4pwh-qvx6, ghsa-2qvq-rjwj-gvw9, ghsa-2w6w-674q-4c4q, ghsa-39q2-94rc-95cp, ghsa-3mfm-83xf-c92r, ghsa-3p68-rc4w-qgx5, ghsa-3v7f-55p6-f55p, ghsa-3w6x-2g7m-8v23, ghsa-442j-39wm-28r2, ghsa-445q-vr5w-6q77, ghsa-458j-xx4x-4375, ghsa-46wh-pxpv-q5gq, ghsa-5c6j-r48x-rmvq, ghsa-5c9x-8gcm-mpgx, ghsa-5m6q-g25r-mvwx, ghsa-5pq2-9x2x-5p6w, ghsa-62hf-57xw-28j9, ghsa-69xw-7hcm-h432, ghsa-6chq-wfr3-2hj9, ghsa-7rx3-28cr-v5wh, ghsa-92pp-h63x-v22m, ghsa-9cx6-37pm-9jff, ghsa-9vqf-7f2p-gf9v, ghsa-c2c7-rcm5-vvqj, ghsa-crv5-9vww-q3g8, ghsa-f23m-r3pf-42rh, ghsa-f886-m6hf-6m8v, ghsa-fvcv-3m26-pcqx, ghsa-h7mw-gpvr-xq4m, ghsa-j3q9-mxjg-w52f, ghsa-jg4p-7fhp-p32p, ghsa-m7pr-hjqh-92cm, ghsa-p6xx-57qc-3wxr, ghsa-p77w-8qqv-26rm, ghsa-pf86-5x62-jrwf, ghsa-pmwg-cvhr-8vh7, ghsa-ppp5-5v6c-4jwp, ghsa-q3j6-qgpj-74h6, ghsa-q5qw-h33p-qvwr, ghsa-q67f-28xg-22rw, ghsa-q8qp-cvcw-x6jj, ghsa-qj8w-gfj5-8c6v, ghsa-qp7p-654g-cw7p, ghsa-r4q5-vmmm-2653, ghsa-r5fr-rjxr-66jc, ghsa-r5rp-j6wh-rvv4, ghsa-v2v4-37r5-5v8g, ghsa-v39h-62p7-jpjc, ghsa-v8w9-8mx6-g223, ghsa-v9jr-rg53-9pgp, ghsa-vf2m-468p-8v99, ghsa-w9j2-pvgh-6h63, ghsa-wc8c-qw6v-h7f6, ghsa-wmmm-f939-6g9c, ghsa-xf4j-xp2r-rqqx, ghsa-xhjh-pmcv-23jw, ghsa-xhpv-hc6g-r9c6, ghsa-xjpj-3mr7-gcpf, ghsa-xpcf-pg52-r92g, ghsa-xx6v-rp6x-q39c applied in versions: 2.19.5-r0",
"upstream": [
"CVE-2025-62718",
"CVE-2025-69873",
"CVE-2026-29045",
"CVE-2026-29085",
"CVE-2026-29086",
"CVE-2026-29087",
"CVE-2026-2950",
"CVE-2026-30827",
"CVE-2026-33750",
"CVE-2026-33891",
"CVE-2026-33894",
"CVE-2026-33895",
"CVE-2026-33896",
"CVE-2026-33916",
"CVE-2026-33937",
"CVE-2026-34043",
"CVE-2026-35213",
"CVE-2026-39406",
"CVE-2026-39407",
"CVE-2026-39408",
"CVE-2026-39409",
"CVE-2026-39410",
"CVE-2026-40175",
"CVE-2026-41238",
"CVE-2026-41239",
"CVE-2026-41240",
"CVE-2026-42033",
"CVE-2026-42034",
"CVE-2026-42035",
"CVE-2026-42036",
"CVE-2026-42037",
"CVE-2026-42038",
"CVE-2026-42039",
"CVE-2026-42040",
"CVE-2026-42041",
"CVE-2026-42042",
"CVE-2026-42043",
"CVE-2026-42044",
"CVE-2026-42264",
"CVE-2026-42338",
"CVE-2026-44455",
"CVE-2026-44456",
"CVE-2026-44457",
"CVE-2026-44458",
"CVE-2026-44459",
"CVE-2026-4800",
"CVE-2026-4923",
"CVE-2026-4926",
"CVE-2026-6321",
"CVE-2026-6322",
"ghsa-2328-f5f3-gj25",
"ghsa-26pp-8wgv-hjvm",
"ghsa-27v5-c462-wpq7",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2qvq-rjwj-gvw9",
"ghsa-2w6w-674q-4c4q",
"ghsa-39q2-94rc-95cp",
"ghsa-3mfm-83xf-c92r",
"ghsa-3p68-rc4w-qgx5",
"ghsa-3v7f-55p6-f55p",
"ghsa-3w6x-2g7m-8v23",
"ghsa-442j-39wm-28r2",
"ghsa-445q-vr5w-6q77",
"ghsa-458j-xx4x-4375",
"ghsa-46wh-pxpv-q5gq",
"ghsa-5c6j-r48x-rmvq",
"ghsa-5c9x-8gcm-mpgx",
"ghsa-5m6q-g25r-mvwx",
"ghsa-5pq2-9x2x-5p6w",
"ghsa-62hf-57xw-28j9",
"ghsa-69xw-7hcm-h432",
"ghsa-6chq-wfr3-2hj9",
"ghsa-7rx3-28cr-v5wh",
"ghsa-92pp-h63x-v22m",
"ghsa-9cx6-37pm-9jff",
"ghsa-9vqf-7f2p-gf9v",
"ghsa-c2c7-rcm5-vvqj",
"ghsa-crv5-9vww-q3g8",
"ghsa-f23m-r3pf-42rh",
"ghsa-f886-m6hf-6m8v",
"ghsa-fvcv-3m26-pcqx",
"ghsa-h7mw-gpvr-xq4m",
"ghsa-j3q9-mxjg-w52f",
"ghsa-jg4p-7fhp-p32p",
"ghsa-m7pr-hjqh-92cm",
"ghsa-p6xx-57qc-3wxr",
"ghsa-p77w-8qqv-26rm",
"ghsa-pf86-5x62-jrwf",
"ghsa-pmwg-cvhr-8vh7",
"ghsa-ppp5-5v6c-4jwp",
"ghsa-q3j6-qgpj-74h6",
"ghsa-q5qw-h33p-qvwr",
"ghsa-q67f-28xg-22rw",
"ghsa-q8qp-cvcw-x6jj",
"ghsa-qj8w-gfj5-8c6v",
"ghsa-qp7p-654g-cw7p",
"ghsa-r4q5-vmmm-2653",
"ghsa-r5fr-rjxr-66jc",
"ghsa-r5rp-j6wh-rvv4",
"ghsa-v2v4-37r5-5v8g",
"ghsa-v39h-62p7-jpjc",
"ghsa-v8w9-8mx6-g223",
"ghsa-v9jr-rg53-9pgp",
"ghsa-vf2m-468p-8v99",
"ghsa-w9j2-pvgh-6h63",
"ghsa-wc8c-qw6v-h7f6",
"ghsa-wmmm-f939-6g9c",
"ghsa-xf4j-xp2r-rqqx",
"ghsa-xhjh-pmcv-23jw",
"ghsa-xhpv-hc6g-r9c6",
"ghsa-xjpj-3mr7-gcpf",
"ghsa-xpcf-pg52-r92g",
"ghsa-xx6v-rp6x-q39c"
]
}
cleanstart-2026-ce10526
Vulnerability from cleanstart
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-CE10526",
"modified": "2026-05-13T11:44:57Z",
"published": "2026-05-18T13:17:48.128214Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-CE10526.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27143"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27144"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2950"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33750"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-35209"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42338"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-4800"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-6951"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-737v-mqg7-c878"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f23m-r3pf-42rh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hffm-xvc3-vprc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v2v4-37r5-5v8g"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v3rj-xjv7-4jmq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xq3m-2v4x-88gg"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27143"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27144"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35209"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6951"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27143, CVE-2026-27144, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-2950, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33036, CVE-2026-33750, CVE-2026-33810, CVE-2026-35209, CVE-2026-42338, CVE-2026-4800, CVE-2026-6951, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-3v7f-55p6-f55p, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-737v-mqg7-c878, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-c2c7-rcm5-vvqj, ghsa-f23m-r3pf-42rh, ghsa-f269-vfmq-vjvj, ghsa-f886-m6hf-6m8v, ghsa-fj3w-jwp8-x2g3, ghsa-hffm-xvc3-vprc, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r5fr-rjxr-66jc, ghsa-r6q2-hw4h-h46w, ghsa-v2v4-37r5-5v8g, ghsa-v3rj-xjv7-4jmq, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883, ghsa-xq3m-2v4x-88gg applied in versions: 43.123.6-r0, 43.123.8-r1, 43.123.8-r2, 43.123.8-r3, 43.4.4-r0",
"upstream": [
"CVE-2025-64756",
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-23745",
"CVE-2026-2391",
"CVE-2026-24842",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27143",
"CVE-2026-27144",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-2950",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32289",
"CVE-2026-33036",
"CVE-2026-33750",
"CVE-2026-33810",
"CVE-2026-35209",
"CVE-2026-42338",
"CVE-2026-4800",
"CVE-2026-6951",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-34x7-hfp2-rc4v",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-3v7f-55p6-f55p",
"ghsa-4992-7rv2-5pvq",
"ghsa-5j98-mcp5-4vw2",
"ghsa-737v-mqg7-c878",
"ghsa-73rr-hh4g-fpgx",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8qq5-rm4j-mr97",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-c2c7-rcm5-vvqj",
"ghsa-f23m-r3pf-42rh",
"ghsa-f269-vfmq-vjvj",
"ghsa-f886-m6hf-6m8v",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-hffm-xvc3-vprc",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-r5fr-rjxr-66jc",
"ghsa-r6q2-hw4h-h46w",
"ghsa-v2v4-37r5-5v8g",
"ghsa-v3rj-xjv7-4jmq",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883",
"ghsa-xq3m-2v4x-88gg"
]
}
cleanstart-2026-nb51079
Vulnerability from cleanstart
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-NB51079",
"modified": "2026-05-13T11:51:19Z",
"published": "2026-05-18T13:17:47.972643Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-NB51079.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27143"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27144"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2950"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33750"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-35209"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42338"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-4800"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-6951"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-737v-mqg7-c878"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f23m-r3pf-42rh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hffm-xvc3-vprc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v2v4-37r5-5v8g"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v3rj-xjv7-4jmq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xq3m-2v4x-88gg"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27143"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27144"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35209"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6951"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27143, CVE-2026-27144, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-2950, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33036, CVE-2026-33750, CVE-2026-33810, CVE-2026-35209, CVE-2026-42338, CVE-2026-4800, CVE-2026-6951, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-3v7f-55p6-f55p, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-737v-mqg7-c878, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-c2c7-rcm5-vvqj, ghsa-f23m-r3pf-42rh, ghsa-f269-vfmq-vjvj, ghsa-f886-m6hf-6m8v, ghsa-fj3w-jwp8-x2g3, ghsa-hffm-xvc3-vprc, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r5fr-rjxr-66jc, ghsa-r6q2-hw4h-h46w, ghsa-v2v4-37r5-5v8g, ghsa-v3rj-xjv7-4jmq, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883, ghsa-xq3m-2v4x-88gg applied in versions: 43.123.6-r0, 43.123.8-r1, 43.123.8-r2, 43.123.8-r3, 43.4.4-r0",
"upstream": [
"CVE-2025-64756",
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-23745",
"CVE-2026-2391",
"CVE-2026-24842",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27143",
"CVE-2026-27144",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-2950",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32289",
"CVE-2026-33036",
"CVE-2026-33750",
"CVE-2026-33810",
"CVE-2026-35209",
"CVE-2026-42338",
"CVE-2026-4800",
"CVE-2026-6951",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-34x7-hfp2-rc4v",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-3v7f-55p6-f55p",
"ghsa-4992-7rv2-5pvq",
"ghsa-5j98-mcp5-4vw2",
"ghsa-737v-mqg7-c878",
"ghsa-73rr-hh4g-fpgx",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8qq5-rm4j-mr97",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-c2c7-rcm5-vvqj",
"ghsa-f23m-r3pf-42rh",
"ghsa-f269-vfmq-vjvj",
"ghsa-f886-m6hf-6m8v",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-hffm-xvc3-vprc",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-r5fr-rjxr-66jc",
"ghsa-r6q2-hw4h-h46w",
"ghsa-v2v4-37r5-5v8g",
"ghsa-v3rj-xjv7-4jmq",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883",
"ghsa-xq3m-2v4x-88gg"
]
}
FKIE_CVE-2026-42338
Vulnerability from fkie_nvd - Published: 2026-05-12 20:16 - Updated: 2026-07-02 12:178.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g | Exploit, Mitigation, Vendor Advisory | |
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://access.redhat.com/errata/RHSA-2026:33155 | ||
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://access.redhat.com/errata/RHSA-2026:33160 | ||
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://access.redhat.com/errata/RHSA-2026:33163 | ||
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://access.redhat.com/errata/RHSA-2026:33173 | ||
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://access.redhat.com/errata/RHSA-2026:33183 | ||
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://access.redhat.com/errata/RHSA-2026:33574 | ||
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://access.redhat.com/errata/RHSA-2026:34374 | ||
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://access.redhat.com/security/cve/CVE-2026-42338 | ||
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://bugzilla.redhat.com/show_bug.cgi?id=2476810 | ||
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g | Exploit, Mitigation, Vendor Advisory | |
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42338.json |
| Vendor | Product | Version | |
|---|---|---|---|
| beaugunderson | ip-address | * |
{
"affected": [
{
"affectedData": [
{
"product": "ip-address",
"vendor": "beaugunderson",
"versions": [
{
"status": "affected",
"version": "\u003c 10.1.1"
}
]
}
],
"source": "security-advisories@github.com"
},
{
"affectedData": [
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2.6::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Ansible Automation Platform 2.6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1.9::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub 1.9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2.6::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 2.6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.0::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.1::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:confidential_compute_attestation:1"
],
"defaultStatus": "affected",
"product": "Confidential Compute Attestation",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cryostat:4"
],
"defaultStatus": "affected",
"product": "Cryostat 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:exploit_intelligence:0"
],
"defaultStatus": "affected",
"product": "Exploit Intelligence",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhmt:1"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine"
],
"defaultStatus": "affected",
"product": "Multicluster Engine for Kubernetes",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "affected",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_broker:7"
],
"defaultStatus": "affected",
"product": "Red Hat AMQ Broker 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:apache_camel_hawtio:4"
],
"defaultStatus": "affected",
"product": "Red Hat build of Apache Camel - HawtIO 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:podman_desktop:1"
],
"defaultStatus": "affected",
"product": "Red Hat Build of Podman Desktop",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:podman_desktop:0"
],
"defaultStatus": "affected",
"product": "Red Hat Build of Podman Desktop - Tech Preview",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "affected",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_portal:2"
],
"defaultStatus": "affected",
"product": "Self-service automation portal 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "unaffected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:camel_spring_boot:4"
],
"defaultStatus": "unaffected",
"product": "Red Hat build of Apache Camel for Spring Boot 4",
"vendor": "Red Hat"
}
],
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:beaugunderson:ip-address:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "2A574108-EE16-449B-8729-B727C061036B",
"versionEndExcluding": "10.1.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error\u0027s parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1."
}
],
"id": "CVE-2026-42338",
"lastModified": "2026-07-02T12:17:16.770",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-42338",
"options": [
{
"exploitation": "poc"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T14:46:11.633277Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-05-12T20:16:41.130",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:33183"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:33574"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:34374"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476810"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42338.json"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"type": "Secondary"
}
]
}
GHSA-V2V4-37R5-5V8G
Vulnerability from github – Published: 2026-05-05 21:50 – Updated: 2026-05-13 16:27Summary
Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. A related issue in v6.helpers.spanAll() produced malformed markup but was not exploitable; it is hardened in the same release for consistency.
Details
Four related issues were identified and fixed together:
Address6.group(): zone ID injection. TheAddress6constructor stores the raw input (including any IPv6 zone ID) inthis.addressbefore zone stripping.group()then passedthis.addresstohelpers.simpleGroup(), which wrapped each:-separated segment in a<span>element without HTML-escaping the content. A zone ID containing HTML markup was embedded verbatim.Address6.link({ prefix, className }): attribute-value injection.link()concatenated user-suppliedprefixandclassNameinto thehref="…"andclass="…"attributes without escaping. A caller passing untrusted content through these options could inject event handlers (e.g.onmouseover) and achieve XSS.Address6constructor: leading-zero IPv4 error path. The leading-zero branch inparse4in6()builtAddressError.parseMessageby concatenating the raw address throughString.replace(). Becauseparse4in6()runs before the bad-character check, any characters in the groups preceding the IPv4 suffix flowed into the error's HTML unescaped. Consumers who renderparseMessageas HTML (its documented purpose — it already contains<span class="parse-error">markup) could be XSS'd by a crafted input such as<img src=x onerror=alert(1)>:10.0.01.1.v6.helpers.spanAll(): attribute-value injection (defense in depth).spanAll()embedded each character of its input into aclass="digit value-${n} …"attribute without escaping. Becausesplit('')limitsnto a single character this was not exploitable in practice, but it produced malformed markup and is fixed for consistency.
Affected Versions
All versions up to and including 10.1.0.
Patched Version
10.1.1.
Impact
Real-world exposure is believed to be extremely limited. Analysis of all 425 dependent npm packages as well as GitHub code search found zero consumers of group(), link(), or spanAll(): these HTML-emitting surfaces appear to be unused across published npm packages and public repositories. Applications using only the address-parsing and comparison APIs (isValid, correctForm, isInSubnet, bigInt, etc.) are not affected.
Consumers who do render the output of group(), link(), spanAll(), or AddressError.parseMessage as HTML against untrusted input should upgrade.
PoC
const { Address6 } = require('ip-address');
const addr = new Address6('fe80::1%<img src=x onerror=alert(1)>');
document.body.innerHTML = addr.group(); // fires the onerror handler in 10.1.0
Workarounds
If users cannot upgrade immediately:
- Do not pass untrusted input to the
Address6constructor, or - Never render the output of
group(),link(), orspanAll(), nor theparseMessagefield of any thrownAddressError, as HTML; treat these values as text only, or run them through DOMPurify before inserting into the DOM (DOMPurify's default configuration preserves the library's intended<span>wrapping while stripping any injected event handlers), or - Validate input with
Address6.isValid()and reject anything that contains a zone identifier (a%character) or characters outside[0-9a-fA-F:/]before passing it to the constructor.
Lack of separate CVEs
Given the evidence that these methods are not used, and given that they are all of the same construction, maintainers do not think it's relevant or useful to create a separate CVE for each library method.
Credit
ip-address thanks @scovetta for reporting this issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.1.0"
},
"package": {
"ecosystem": "npm",
"name": "ip-address"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42338"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T21:50:58Z",
"nvd_published_at": "2026-05-12T20:16:41Z",
"severity": "MODERATE"
},
"details": "### Summary\n\n`Address6.group()` and `Address6.link()` do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and `AddressError.parseMessage` (emitted by the `Address6` constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to `Address6` and (2) renders the output of these methods, or the thrown error\u0027s `parseMessage`, as HTML (e.g. via `innerHTML`) is vulnerable to cross-site scripting. A related issue in `v6.helpers.spanAll()` produced malformed markup but was not exploitable; it is hardened in the same release for consistency.\n\n### Details\n\nFour related issues were identified and fixed together:\n\n1. **`Address6.group()`: zone ID injection.** The `Address6` constructor stores the raw input (including any IPv6 zone ID) in `this.address` before zone stripping. `group()` then passed `this.address` to `helpers.simpleGroup()`, which wrapped each `:`-separated segment in a `\u003cspan\u003e` element without HTML-escaping the content. A zone ID containing HTML markup was embedded verbatim.\n2. **`Address6.link({ prefix, className })`: attribute-value injection.** `link()` concatenated user-supplied `prefix` and `className` into the `href=\"\u2026\"` and `class=\"\u2026\"` attributes without escaping. A caller passing untrusted content through these options could inject event handlers (e.g. `onmouseover`) and achieve XSS.\n3. **`Address6` constructor: leading-zero IPv4 error path.** The leading-zero branch in `parse4in6()` built `AddressError.parseMessage` by concatenating the raw address through `String.replace()`. Because `parse4in6()` runs before the bad-character check, any characters in the groups preceding the IPv4 suffix flowed into the error\u0027s HTML unescaped. Consumers who render `parseMessage` as HTML (its documented purpose \u2014 it already contains `\u003cspan class=\"parse-error\"\u003e` markup) could be XSS\u0027d by a crafted input such as `\u003cimg src=x onerror=alert(1)\u003e:10.0.01.1`.\n4. **`v6.helpers.spanAll()`: attribute-value injection (defense in depth).** `spanAll()` embedded each character of its input into a `class=\"digit value-${n} \u2026\"` attribute without escaping. Because `split(\u0027\u0027)` limits `n` to a single character this was not exploitable in practice, but it produced malformed markup and is fixed for consistency.\n\n### Affected Versions\n\nAll versions up to and including `10.1.0`.\n\n### Patched Version\n\n`10.1.1`.\n\n### Impact\n\nReal-world exposure is believed to be extremely limited. Analysis of all 425 dependent npm packages as well as GitHub code search found zero consumers of `group()`, `link()`, or `spanAll()`: these HTML-emitting surfaces appear to be unused across published npm packages and public repositories. Applications using only the address-parsing and comparison APIs (`isValid`, `correctForm`, `isInSubnet`, `bigInt`, etc.) are not affected.\n\nConsumers who **do** render the output of `group()`, `link()`, `spanAll()`, or `AddressError.parseMessage` as HTML against untrusted input should upgrade.\n\n### PoC\n\n```javascript\nconst { Address6 } = require(\u0027ip-address\u0027);\nconst addr = new Address6(\u0027fe80::1%\u003cimg src=x onerror=alert(1)\u003e\u0027);\ndocument.body.innerHTML = addr.group(); // fires the onerror handler in 10.1.0\n```\n\n### Workarounds\n\nIf users cannot upgrade immediately:\n\n- Do not pass untrusted input to the `Address6` constructor, or\n- Never render the output of `group()`, `link()`, or `spanAll()`, nor the `parseMessage` field of any thrown `AddressError`, as HTML; treat these values as text only, or run them through [DOMPurify](https://github.com/cure53/DOMPurify) before inserting into the DOM (DOMPurify\u0027s default configuration preserves the library\u0027s intended `\u003cspan\u003e` wrapping while stripping any injected event handlers), or\n- Validate input with `Address6.isValid()` and reject anything that contains a zone identifier (a `%` character) or characters outside `[0-9a-fA-F:/]` before passing it to the constructor.\n\n### Lack of separate CVEs\n\nGiven the evidence that these methods are not used, and given that they are all of the same construction, maintainers do not think it\u0027s relevant or useful to create a separate CVE for each library method.\n\n### Credit\n\nip-address thanks @scovetta for reporting this issue.",
"id": "GHSA-v2v4-37r5-5v8g",
"modified": "2026-05-13T16:27:24Z",
"published": "2026-05-05T21:50:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
},
{
"type": "PACKAGE",
"url": "https://github.com/beaugunderson/ip-address"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ip-address has XSS in Address6 HTML-emitting methods"
}
OPENSUSE-SU-2026:11121-1
Vulnerability from csaf_opensuse - Published: 2026-06-25 00:00 - Updated: 2026-06-25 00:00| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64 | — |
Vendor Fix
|
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://www.suse.com/security/cve/CVE-2026-11525/ | self |
| https://www.suse.com/security/cve/CVE-2026-12151/ | self |
| https://www.suse.com/security/cve/CVE-2026-2581/ | self |
| https://www.suse.com/security/cve/CVE-2026-27135/ | self |
| https://www.suse.com/security/cve/CVE-2026-40170/ | self |
| https://www.suse.com/security/cve/CVE-2026-42338/ | self |
| https://www.suse.com/security/cve/CVE-2026-48615/ | self |
| https://www.suse.com/security/cve/CVE-2026-48617/ | self |
| https://www.suse.com/security/cve/CVE-2026-48618/ | self |
| https://www.suse.com/security/cve/CVE-2026-48619/ | self |
| https://www.suse.com/security/cve/CVE-2026-48928/ | self |
| https://www.suse.com/security/cve/CVE-2026-48930/ | self |
| https://www.suse.com/security/cve/CVE-2026-48931/ | self |
| https://www.suse.com/security/cve/CVE-2026-48933/ | self |
| https://www.suse.com/security/cve/CVE-2026-48934/ | self |
| https://www.suse.com/security/cve/CVE-2026-48935/ | self |
| https://www.suse.com/security/cve/CVE-2026-48937/ | self |
| https://www.suse.com/security/cve/CVE-2026-6733/ | self |
| https://www.suse.com/security/cve/CVE-2026-9496/ | self |
| https://www.suse.com/security/cve/CVE-2026-9678/ | self |
| https://www.suse.com/security/cve/CVE-2026-9679/ | self |
| https://www.suse.com/security/cve/CVE-2026-11525 | external |
| https://bugzilla.suse.com/1268481 | external |
| https://www.suse.com/security/cve/CVE-2026-12151 | external |
| https://bugzilla.suse.com/1268482 | external |
| https://www.suse.com/security/cve/CVE-2026-2581 | external |
| https://bugzilla.suse.com/1268480 | external |
| https://www.suse.com/security/cve/CVE-2026-27135 | external |
| https://bugzilla.suse.com/1259835 | external |
| https://www.suse.com/security/cve/CVE-2026-40170 | external |
| https://bugzilla.suse.com/1262273 | external |
| https://www.suse.com/security/cve/CVE-2026-42338 | external |
| https://bugzilla.suse.com/1268097 | external |
| https://www.suse.com/security/cve/CVE-2026-48615 | external |
| https://bugzilla.suse.com/1268598 | external |
| https://www.suse.com/security/cve/CVE-2026-48617 | external |
| https://bugzilla.suse.com/1268554 | external |
| https://www.suse.com/security/cve/CVE-2026-48618 | external |
| https://bugzilla.suse.com/1268593 | external |
| https://www.suse.com/security/cve/CVE-2026-48619 | external |
| https://bugzilla.suse.com/1268618 | external |
| https://www.suse.com/security/cve/CVE-2026-48928 | external |
| https://bugzilla.suse.com/1268605 | external |
| https://www.suse.com/security/cve/CVE-2026-48930 | external |
| https://bugzilla.suse.com/1268606 | external |
| https://www.suse.com/security/cve/CVE-2026-48931 | external |
| https://bugzilla.suse.com/1268611 | external |
| https://www.suse.com/security/cve/CVE-2026-48933 | external |
| https://bugzilla.suse.com/1268592 | external |
| https://www.suse.com/security/cve/CVE-2026-48934 | external |
| https://bugzilla.suse.com/1268608 | external |
| https://www.suse.com/security/cve/CVE-2026-48935 | external |
| https://bugzilla.suse.com/1268609 | external |
| https://www.suse.com/security/cve/CVE-2026-48937 | external |
| https://bugzilla.suse.com/1268555 | external |
| https://www.suse.com/security/cve/CVE-2026-6733 | external |
| https://bugzilla.suse.com/1268479 | external |
| https://www.suse.com/security/cve/CVE-2026-9496 | external |
| https://bugzilla.suse.com/1266318 | external |
| https://www.suse.com/security/cve/CVE-2026-9678 | external |
| https://bugzilla.suse.com/1268478 | external |
| https://www.suse.com/security/cve/CVE-2026-9679 | external |
| https://bugzilla.suse.com/1268477 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "corepack24-24.17.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the corepack24-24.17.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-11121",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_11121-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-11525 page",
"url": "https://www.suse.com/security/cve/CVE-2026-11525/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-12151 page",
"url": "https://www.suse.com/security/cve/CVE-2026-12151/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-2581 page",
"url": "https://www.suse.com/security/cve/CVE-2026-2581/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27135 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27135/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-40170 page",
"url": "https://www.suse.com/security/cve/CVE-2026-40170/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42338 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42338/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48615 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48615/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48617 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48617/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48618 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48618/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48619 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48619/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48928 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48928/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48930 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48930/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48931 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48931/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48933 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48933/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48934 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48934/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48935 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48935/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-48937 page",
"url": "https://www.suse.com/security/cve/CVE-2026-48937/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-6733 page",
"url": "https://www.suse.com/security/cve/CVE-2026-6733/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-9496 page",
"url": "https://www.suse.com/security/cve/CVE-2026-9496/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-9678 page",
"url": "https://www.suse.com/security/cve/CVE-2026-9678/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-9679 page",
"url": "https://www.suse.com/security/cve/CVE-2026-9679/"
}
],
"title": "corepack24-24.17.0-1.1 on GA media",
"tracking": {
"current_release_date": "2026-06-25T00:00:00Z",
"generator": {
"date": "2026-06-25T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:11121-1",
"initial_release_date": "2026-06-25T00:00:00Z",
"revision_history": [
{
"date": "2026-06-25T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.17.0-1.1.aarch64",
"product": {
"name": "corepack24-24.17.0-1.1.aarch64",
"product_id": "corepack24-24.17.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.17.0-1.1.aarch64",
"product": {
"name": "nodejs24-24.17.0-1.1.aarch64",
"product_id": "nodejs24-24.17.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.17.0-1.1.aarch64",
"product": {
"name": "nodejs24-devel-24.17.0-1.1.aarch64",
"product_id": "nodejs24-devel-24.17.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-docs-24.17.0-1.1.aarch64",
"product": {
"name": "nodejs24-docs-24.17.0-1.1.aarch64",
"product_id": "nodejs24-docs-24.17.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm24-24.17.0-1.1.aarch64",
"product": {
"name": "npm24-24.17.0-1.1.aarch64",
"product_id": "npm24-24.17.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.17.0-1.1.ppc64le",
"product": {
"name": "corepack24-24.17.0-1.1.ppc64le",
"product_id": "corepack24-24.17.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-24.17.0-1.1.ppc64le",
"product": {
"name": "nodejs24-24.17.0-1.1.ppc64le",
"product_id": "nodejs24-24.17.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.17.0-1.1.ppc64le",
"product": {
"name": "nodejs24-devel-24.17.0-1.1.ppc64le",
"product_id": "nodejs24-devel-24.17.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-docs-24.17.0-1.1.ppc64le",
"product": {
"name": "nodejs24-docs-24.17.0-1.1.ppc64le",
"product_id": "nodejs24-docs-24.17.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm24-24.17.0-1.1.ppc64le",
"product": {
"name": "npm24-24.17.0-1.1.ppc64le",
"product_id": "npm24-24.17.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.17.0-1.1.s390x",
"product": {
"name": "corepack24-24.17.0-1.1.s390x",
"product_id": "corepack24-24.17.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-24.17.0-1.1.s390x",
"product": {
"name": "nodejs24-24.17.0-1.1.s390x",
"product_id": "nodejs24-24.17.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.17.0-1.1.s390x",
"product": {
"name": "nodejs24-devel-24.17.0-1.1.s390x",
"product_id": "nodejs24-devel-24.17.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-docs-24.17.0-1.1.s390x",
"product": {
"name": "nodejs24-docs-24.17.0-1.1.s390x",
"product_id": "nodejs24-docs-24.17.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "npm24-24.17.0-1.1.s390x",
"product": {
"name": "npm24-24.17.0-1.1.s390x",
"product_id": "npm24-24.17.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.17.0-1.1.x86_64",
"product": {
"name": "corepack24-24.17.0-1.1.x86_64",
"product_id": "corepack24-24.17.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.17.0-1.1.x86_64",
"product": {
"name": "nodejs24-24.17.0-1.1.x86_64",
"product_id": "nodejs24-24.17.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.17.0-1.1.x86_64",
"product": {
"name": "nodejs24-devel-24.17.0-1.1.x86_64",
"product_id": "nodejs24-devel-24.17.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-docs-24.17.0-1.1.x86_64",
"product": {
"name": "nodejs24-docs-24.17.0-1.1.x86_64",
"product_id": "nodejs24-docs-24.17.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm24-24.17.0-1.1.x86_64",
"product": {
"name": "npm24-24.17.0-1.1.x86_64",
"product_id": "npm24-24.17.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.17.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64"
},
"product_reference": "corepack24-24.17.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.17.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le"
},
"product_reference": "corepack24-24.17.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.17.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x"
},
"product_reference": "corepack24-24.17.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.17.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64"
},
"product_reference": "corepack24-24.17.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.17.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64"
},
"product_reference": "nodejs24-24.17.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.17.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le"
},
"product_reference": "nodejs24-24.17.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.17.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x"
},
"product_reference": "nodejs24-24.17.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.17.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64"
},
"product_reference": "nodejs24-24.17.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.17.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64"
},
"product_reference": "nodejs24-devel-24.17.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.17.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le"
},
"product_reference": "nodejs24-devel-24.17.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.17.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x"
},
"product_reference": "nodejs24-devel-24.17.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.17.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64"
},
"product_reference": "nodejs24-devel-24.17.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.17.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64"
},
"product_reference": "nodejs24-docs-24.17.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.17.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le"
},
"product_reference": "nodejs24-docs-24.17.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.17.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x"
},
"product_reference": "nodejs24-docs-24.17.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.17.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64"
},
"product_reference": "nodejs24-docs-24.17.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.17.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64"
},
"product_reference": "npm24-24.17.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.17.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le"
},
"product_reference": "npm24-24.17.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.17.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x"
},
"product_reference": "npm24-24.17.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.17.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
},
"product_reference": "npm24-24.17.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-11525",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-11525"
}
],
"notes": [
{
"category": "general",
"text": "Impact:\nWhen undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSite=NoneOfYourBusiness is parsed as None (the most permissive setting), and SameSite=StrictLax is parsed as Lax (a downgrade from Strict).\n\nAffected applications are those that consume Set-Cookie headers from server responses (for example via undici\u0027s fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer\u0027s view of a cookie\u0027s SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide.\n\nThis was introduced in undici 5.15.0 when the cookies feature was added.\n\nPatches:\nUpgrade to undici v6.26.0, v7.28.0 or v8.5.0.\n\nWorkarounds:\nAfter parsing a Set-Cookie header, validate that the resulting sameSite attribute is one of \u0027Strict\u0027, \u0027Lax\u0027, or \u0027None\u0027 (exact, case-insensitive) before forwarding or relying on it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-11525",
"url": "https://www.suse.com/security/cve/CVE-2026-11525"
},
{
"category": "external",
"summary": "SUSE Bug 1268481 for CVE-2026-11525",
"url": "https://bugzilla.suse.com/1268481"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2026-11525"
},
{
"cve": "CVE-2026-12151",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-12151"
}
],
"notes": [
{
"category": "general",
"text": "Impact:\nThe undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.\n\nAffected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.\n\nAll releases starting at undici 6.17.0 are affected.\n\nPatches: Upgrade to undici \u003e= 6.26.0, \u003e= 7.28.0, or \u003e= 8.5.0. Workarounds:\nNo workaround is available. The fix must be applied through an upgrade.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-12151",
"url": "https://www.suse.com/security/cve/CVE-2026-12151"
},
{
"category": "external",
"summary": "SUSE Bug 1268482 for CVE-2026-12151",
"url": "https://bugzilla.suse.com/1268482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-12151"
},
{
"cve": "CVE-2026-2581",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-2581"
}
],
"notes": [
{
"category": "general",
"text": "This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).\n\nIn vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination.\n\nImpacted users are applications that use Undici\u0027s deduplication interceptor against endpoints that may produce large or long-lived response bodies.\n\nPatchesThe issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started.\n\nUsers should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-2581",
"url": "https://www.suse.com/security/cve/CVE-2026-2581"
},
{
"category": "external",
"summary": "SUSE Bug 1268480 for CVE-2026-2581",
"url": "https://bugzilla.suse.com/1268480"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-2581"
},
{
"cve": "CVE-2026-27135",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27135"
}
],
"notes": [
{
"category": "general",
"text": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27135",
"url": "https://www.suse.com/security/cve/CVE-2026-27135"
},
{
"category": "external",
"summary": "SUSE Bug 1259835 for CVE-2026-27135",
"url": "https://bugzilla.suse.com/1259835"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-27135"
},
{
"cve": "CVE-2026-40170",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-40170"
}
],
"notes": [
{
"category": "general",
"text": "ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable the qlog on client.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-40170",
"url": "https://www.suse.com/security/cve/CVE-2026-40170"
},
{
"category": "external",
"summary": "SUSE Bug 1262273 for CVE-2026-40170",
"url": "https://bugzilla.suse.com/1262273"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-40170"
},
{
"cve": "CVE-2026-42338",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42338"
}
],
"notes": [
{
"category": "general",
"text": "ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error\u0027s parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42338",
"url": "https://www.suse.com/security/cve/CVE-2026-42338"
},
{
"category": "external",
"summary": "SUSE Bug 1268097 for CVE-2026-42338",
"url": "https://bugzilla.suse.com/1268097"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-42338"
},
{
"cve": "CVE-2026-48615",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48615"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages.\r\n\r\nWhen proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48615",
"url": "https://www.suse.com/security/cve/CVE-2026-48615"
},
{
"category": "external",
"summary": "SUSE Bug 1268598 for CVE-2026-48615",
"url": "https://bugzilla.suse.com/1268598"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-48615"
},
{
"cve": "CVE-2026-48617",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48617"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48617",
"url": "https://www.suse.com/security/cve/CVE-2026-48617"
},
{
"category": "external",
"summary": "SUSE Bug 1268554 for CVE-2026-48617",
"url": "https://bugzilla.suse.com/1268554"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-48617"
},
{
"cve": "CVE-2026-48618",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48618"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.\r\n\r\nThis can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48618",
"url": "https://www.suse.com/security/cve/CVE-2026-48618"
},
{
"category": "external",
"summary": "SUSE Bug 1268593 for CVE-2026-48618",
"url": "https://bugzilla.suse.com/1268593"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-48618"
},
{
"cve": "CVE-2026-48619",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48619"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48619",
"url": "https://www.suse.com/security/cve/CVE-2026-48619"
},
{
"category": "external",
"summary": "SUSE Bug 1268618 for CVE-2026-48619",
"url": "https://bugzilla.suse.com/1268618"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-48619"
},
{
"cve": "CVE-2026-48928",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48928"
}
],
"notes": [
{
"category": "general",
"text": "A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48928",
"url": "https://www.suse.com/security/cve/CVE-2026-48928"
},
{
"category": "external",
"summary": "SUSE Bug 1268605 for CVE-2026-48928",
"url": "https://bugzilla.suse.com/1268605"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-48928"
},
{
"cve": "CVE-2026-48930",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48930"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48930",
"url": "https://www.suse.com/security/cve/CVE-2026-48930"
},
{
"category": "external",
"summary": "SUSE Bug 1268606 for CVE-2026-48930",
"url": "https://bugzilla.suse.com/1268606"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-48930"
},
{
"cve": "CVE-2026-48931",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48931"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48931",
"url": "https://www.suse.com/security/cve/CVE-2026-48931"
},
{
"category": "external",
"summary": "SUSE Bug 1268611 for CVE-2026-48931",
"url": "https://bugzilla.suse.com/1268611"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2026-48931"
},
{
"cve": "CVE-2026-48933",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48933"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48933",
"url": "https://www.suse.com/security/cve/CVE-2026-48933"
},
{
"category": "external",
"summary": "SUSE Bug 1268592 for CVE-2026-48933",
"url": "https://bugzilla.suse.com/1268592"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-48933"
},
{
"cve": "CVE-2026-48934",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48934"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48934",
"url": "https://www.suse.com/security/cve/CVE-2026-48934"
},
{
"category": "external",
"summary": "SUSE Bug 1268608 for CVE-2026-48934",
"url": "https://bugzilla.suse.com/1268608"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-48934"
},
{
"cve": "CVE-2026-48935",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48935"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48935",
"url": "https://www.suse.com/security/cve/CVE-2026-48935"
},
{
"category": "external",
"summary": "SUSE Bug 1268609 for CVE-2026-48935",
"url": "https://bugzilla.suse.com/1268609"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-48935"
},
{
"cve": "CVE-2026-48937",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-48937"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-48937",
"url": "https://www.suse.com/security/cve/CVE-2026-48937"
},
{
"category": "external",
"summary": "SUSE Bug 1268555 for CVE-2026-48937",
"url": "https://bugzilla.suse.com/1268555"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-48937"
},
{
"cve": "CVE-2026-6733",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-6733"
}
],
"notes": [
{
"category": "general",
"text": "Impact:\nUndici\u0027s HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.\n\nThis requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.\n\nPatches:\nUpgrade to undici v6.26.0, v7.28.0 or v8.5.0.\n\nWorkarounds:\nDisable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-6733",
"url": "https://www.suse.com/security/cve/CVE-2026-6733"
},
{
"category": "external",
"summary": "SUSE Bug 1268479 for CVE-2026-6733",
"url": "https://bugzilla.suse.com/1268479"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2026-6733"
},
{
"cve": "CVE-2026-9496",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-9496"
}
],
"notes": [
{
"category": "general",
"text": "Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function\u0027s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-9496",
"url": "https://www.suse.com/security/cve/CVE-2026-9496"
},
{
"category": "external",
"summary": "SUSE Bug 1266318 for CVE-2026-9496",
"url": "https://bugzilla.suse.com/1266318"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-9496"
},
{
"cve": "CVE-2026-9678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-9678"
}
],
"notes": [
{
"category": "general",
"text": "Impact:\nUndici\u0027s cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=\" authorization\" or no-cache=\"\\tauthorization\". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.\n\nIn shared-cache mode, this allows a response containing one user\u0027s authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.\n\nAffected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-9678",
"url": "https://www.suse.com/security/cve/CVE-2026-9678"
},
{
"category": "external",
"summary": "SUSE Bug 1268478 for CVE-2026-9678",
"url": "https://bugzilla.suse.com/1268478"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-9678"
},
{
"cve": "CVE-2026-9679",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-9679"
}
],
"notes": [
{
"category": "general",
"text": "Impact:\nundici\u0027s cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 5.4 does not specify any decoding and browsers do not decode either.\n\nApplications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application\u0027s downstream response, enabling session fixation, open redirect, or cache poisoning.\n\nAffected applications are those that use undici\u0027s cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header.\n\nThis was introduced in undici 7.0.0 via PR #3789.\n\nPatches:\nUpgrade to undici v6.26.0, v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-9679",
"url": "https://www.suse.com/security/cve/CVE-2026-9679"
},
{
"category": "external",
"summary": "SUSE Bug 1268477 for CVE-2026-9679",
"url": "https://bugzilla.suse.com/1268477"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:corepack24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.17.0-1.1.x86_64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.aarch64",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.s390x",
"openSUSE Tumbleweed:npm24-24.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-9679"
}
]
}
RHSA-2026:33155
Vulnerability from csaf_redhat - Published: 2026-06-29 16:07 - Updated: 2026-07-06 12:13A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return (CR), line feed (LF), or double-quote (") characters into the `field` argument of `FormData#append` or the `filename` option. This allows the attacker to inject additional headers or smuggle entire additional multipart parts into requests, potentially enabling them to add or override form fields and compromise data integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname (for example, xn--example-.com returns example.com instead of an error). Applications that validate the ASCII form then convert to Unicode may grant access to a restricted hostname the ASCII check would have rejected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64 | — |
Workaround
|
A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user's browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to escalate any existing Object.prototype pollution in an application's dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64 | — |
Vendor Fix
fix
Workaround
|
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:33155 | self |
| https://access.redhat.com/security/cve/CVE-2026-12143 | external |
| https://access.redhat.com/security/cve/CVE-2026-39821 | external |
| https://access.redhat.com/security/cve/CVE-2026-42338 | external |
| https://access.redhat.com/security/cve/CVE-2026-44486 | external |
| https://access.redhat.com/security/cve/CVE-2026-44487 | external |
| https://access.redhat.com/security/cve/CVE-2026-44488 | external |
| https://access.redhat.com/security/cve/CVE-2026-44492 | external |
| https://access.redhat.com/security/cve/CVE-2026-44494 | external |
| https://access.redhat.com/security/cve/CVE-2026-44495 | external |
| https://access.redhat.com/security/cve/CVE-2026-44496 | external |
| https://access.redhat.com/security/cve/CVE-2026-48779 | external |
| https://access.redhat.com/security/updates/classi… | external |
| https://access.redhat.com/security/updates/classi… | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2026-12143 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2488480 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-12143 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-12143 | external |
| https://cwe.mitre.org/data/definitions/93.html | external |
| https://github.com/form-data/form-data/commit/641… | external |
| https://github.com/form-data/form-data/commit/be3… | external |
| https://github.com/form-data/form-data/commit/c71… | external |
| https://github.com/form-data/form-data/security/a… | external |
| https://html.spec.whatwg.org/multipage/form-contr… | external |
| https://www.npmjs.com/package/form-data | external |
| https://access.redhat.com/security/cve/CVE-2026-39821 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2480756 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-39821 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-39821 | external |
| https://go.dev/cl/767220 | external |
| https://go.dev/issue/78760 | external |
| https://groups.google.com/g/golang-announce/c/iI-… | external |
| https://pkg.go.dev/vuln/GO-2026-5026 | external |
| https://access.redhat.com/security/cve/CVE-2026-42338 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2476810 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-42338 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-42338 | external |
| https://github.com/beaugunderson/ip-address/secur… | external |
| https://access.redhat.com/security/cve/CVE-2026-44486 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487947 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44486 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44486 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44487 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487948 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44487 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44487 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44488 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487949 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44488 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44488 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44492 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487938 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44492 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44492 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44494 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487942 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44494 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44494 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44495 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487937 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44495 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44495 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44496 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487943 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44496 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44496 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-48779 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2489661 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-48779 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-48779 | external |
| https://github.com/websockets/ws/commit/86d3e8a5f… | external |
| https://github.com/websockets/ws/commit/b5372ac67… | external |
| https://github.com/websockets/ws/commit/bca91adf1… | external |
| https://github.com/websockets/ws/commit/fd36cd864… | external |
| https://github.com/websockets/ws/security/advisor… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 1.73.33 for Red Hat OpenShift Service Mesh 2.6 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 2.6. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 1.73.33, for Red Hat OpenShift Service Mesh 2.6, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-42338 openshift-service-mesh/kiali-ossmc-rhel9: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (OSSM-14066)\n* CVE-2026-42338 openshift-service-mesh/kiali-rhel9: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (OSSM-14067)\n* CVE-2026-39821 openshift-service-mesh/kiali-rhel9: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing (OSSM-14073)\n* CVE-2026-44495 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure due to prototype pollution vulnerability (OSSM-14141)\n* CVE-2026-44495 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure due to prototype pollution vulnerability (OSSM-14142)\n* CVE-2026-44488 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Denial of Service due to unenforced request and response size limits (OSSM-14152)\n* CVE-2026-44488 openshift-service-mesh/kiali-rhel9: Axios: Denial of Service due to unenforced request and response size limits (OSSM-14156)\n* CVE-2026-44487 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure of proxy credentials via redirect flows (OSSM-14168)\n* CVE-2026-44487 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure of proxy credentials via redirect flows (OSSM-14182)\n* CVE-2026-44494 openshift-service-mesh/kiali-rhel9: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution (OSSM-14177)\n* CVE-2026-44494 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution (OSSM-14186)\n* CVE-2026-44496 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name (OSSM-14210)\n* CVE-2026-44496 openshift-service-mesh/kiali-rhel9: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name (OSSM-14206)\n* CVE-2026-44486 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure of proxy credentials via HTTP redirects (OSSM-14201)\n* CVE-2026-44486 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure of proxy credentials via HTTP redirects (OSSM-14187)\n* CVE-2026-44492 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization (OSSM-14219)\n* CVE-2026-44492 openshift-service-mesh/kiali-rhel9: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization (OSSM-14224)\n* CVE-2026-48779 openshift-service-mesh/kiali-rhel9: ws: Denial of Service via memory exhaustion from small WebSocket fragments (OSSM-14305)\n* CVE-2026-48779 openshift-service-mesh/kiali-ossmc-rhel9: ws: Denial of Service via memory exhaustion from small WebSocket fragments (OSSM-14303)\n* CVE-2026-12143 openshift-service-mesh/kiali-ossmc-rhel9: form-data: Form field override via CRLF injection (OSSM-14335)\n* CVE-2026-12143 openshift-service-mesh/kiali-rhel9: form-data: Form field override via CRLF injection (OSSM-14327)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:33155",
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-12143",
"url": "https://access.redhat.com/security/cve/CVE-2026-12143"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39821",
"url": "https://access.redhat.com/security/cve/CVE-2026-39821"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42338",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44486",
"url": "https://access.redhat.com/security/cve/CVE-2026-44486"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44487",
"url": "https://access.redhat.com/security/cve/CVE-2026-44487"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44488",
"url": "https://access.redhat.com/security/cve/CVE-2026-44488"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44492",
"url": "https://access.redhat.com/security/cve/CVE-2026-44492"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44494",
"url": "https://access.redhat.com/security/cve/CVE-2026-44494"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44495",
"url": "https://access.redhat.com/security/cve/CVE-2026-44495"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44496",
"url": "https://access.redhat.com/security/cve/CVE-2026-44496"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48779",
"url": "https://access.redhat.com/security/cve/CVE-2026-48779"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_33155.json"
}
],
"title": "Red Hat Security Advisory: Kiali 1.73.33 for Red Hat OpenShift Service Mesh 2.6",
"tracking": {
"current_release_date": "2026-07-06T12:13:30+00:00",
"generator": {
"date": "2026-07-06T12:13:30+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:33155",
"initial_release_date": "2026-06-29T16:07:52+00:00",
"revision_history": [
{
"date": "2026-06-29T16:07:52+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-29T16:08:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-06T12:13:30+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 2.6",
"product": {
"name": "Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:2.6::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel8@sha256%3Aeff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8\u0026tag=1782287580"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel8@sha256%3A431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8\u0026tag=1781937133"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel8@sha256%3A70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8\u0026tag=1782287580"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel8@sha256%3Af71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8\u0026tag=1781937133"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel8@sha256%3Acf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8\u0026tag=1782287580"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel8@sha256%3A75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8\u0026tag=1781937133"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel8@sha256%3Aed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8\u0026tag=1782287580"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel8@sha256%3A71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8\u0026tag=1781937133"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64 as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64 as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64 as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64 as a component of Red Hat OpenShift Service Mesh 2.6",
"product_id": "Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 2.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-12143",
"cwe": {
"id": "CWE-93",
"name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
},
"discovery_date": "2026-06-12T19:00:57.360953+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488480"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return (CR), line feed (LF), or double-quote (\") characters into the `field` argument of `FormData#append` or the `filename` option. This allows the attacker to inject additional headers or smuggle entire additional multipart parts into requests, potentially enabling them to add or override form fields and compromise data integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "form-data: form-data: Form field override via CRLF injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important impact flaw in the form-data library: a remote attacker can inject arbitrary headers or additional multipart parts via CRLF injection in field names or filenames, potentially overriding sensitive form fields and affecting data integrity.\n\nFor RHOAI and RHEL AI, severity is Moderate because affected versions appear only as a transitive npm dependency in RHOAI (dashboard, mod-arch plugins, MLflow UI) and RHEL AI 3.4 bootc images, and those products use fixed field names for uploads rather than passing untrusted user input as multipart field names or filenames. The documented exploit path is therefore not reachable in default deployments. Practical impact is limited to non-default or custom integrations that forward multipart requests using attacker-controlled field names.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-12143"
},
{
"category": "external",
"summary": "RHBZ#2488480",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488480"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-12143",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-12143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-12143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12143"
},
{
"category": "external",
"summary": "https://cwe.mitre.org/data/definitions/93.html",
"url": "https://cwe.mitre.org/data/definitions/93.html"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435",
"url": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229",
"url": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045",
"url": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx",
"url": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx"
},
{
"category": "external",
"summary": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data",
"url": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/form-data",
"url": "https://www.npmjs.com/package/form-data"
}
],
"release_date": "2026-06-12T18:01:30.362000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:07:52+00:00",
"details": "See Kiali 1.73.33 documentation at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/service_mesh/service-mesh-2-x",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"category": "workaround",
"details": "Applications using the `form-data` library should implement strict input validation and sanitization for all field names and filenames derived from untrusted sources. This prevents the injection of control characters (CR, LF, \") that could lead to header injection or form field overrides. Deployments that exclusively use fixed or trusted field names are not impacted.",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "form-data: form-data: Form field override via CRLF injection"
},
{
"cve": "CVE-2026-39821",
"cwe": {
"id": "CWE-1289",
"name": "Improper Validation of Unsafe Equivalence in Input"
},
"discovery_date": "2026-05-22T16:00:52.844126+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480756"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname (for example, xn--example-.com returns example.com instead of an error). Applications that validate the ASCII form then convert to Unicode may grant access to a restricted hostname the ASCII check would have rejected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "golang.org/x/net/idna is vulnerable to privilege escalation through incorrect Punycode label handling in ToASCII and ToUnicode. An attacker who can supply a Punycode hostname that passes an ASCII-only authorization check may have it normalized to a restricted ASCII name the application intended to block. Red Hat exposure is broad across products shipping the Go toolchain or bundling golang.org/x/net, including RHEL and RHEL-AI golang RPMs, hummingbird Go runtimes, OpenShift and ODF container builds, and Ceph/OpenShift components compiled against affected x/net versions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39821"
},
{
"category": "external",
"summary": "RHBZ#2480756",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480756"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39821",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39821"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821"
},
{
"category": "external",
"summary": "https://go.dev/cl/767220",
"url": "https://go.dev/cl/767220"
},
{
"category": "external",
"summary": "https://go.dev/issue/78760",
"url": "https://go.dev/issue/78760"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8",
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5026",
"url": "https://pkg.go.dev/vuln/GO-2026-5026"
}
],
"release_date": "2026-05-22T15:01:21.462000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:07:52+00:00",
"details": "See Kiali 1.73.33 documentation at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/service_mesh/service-mesh-2-x",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"category": "workaround",
"details": "Upgrade to a fixed golang.org/x/net release that includes the idna correction, via updated golang or dependent package rebuilds.",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing"
},
{
"cve": "CVE-2026-42338",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-05-12T21:01:14.436876+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2476810"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in the `ip-address` JavaScript library is rated as Important. It allows for cross-site scripting (XSS) when an application processes untrusted input through the `Address6` constructor and subsequently renders the unescaped output of methods like `Address6.group()`, `Address6.link()`, or `AddressError.parseMessage` directly as HTML. While the library itself is affected, exploitation is contingent on specific application-level rendering practices that may not be common in Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"category": "external",
"summary": "RHBZ#2476810",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476810"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42338",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42338"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
},
{
"category": "external",
"summary": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g",
"url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g"
}
],
"release_date": "2026-05-12T19:43:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:07:52+00:00",
"details": "See Kiali 1.73.33 documentation at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/service_mesh/service-mesh-2-x",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input"
},
{
"cve": "CVE-2026-44486",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-06-11T17:01:30.944384+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487947"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important information disclosure flaw in the Axios Node.js HTTP adapter. Red Hat products utilizing Axios in a Node.js environment with an authenticated proxy and automatic redirects enabled are susceptible. The vulnerability arises when a request, initially sent through an authenticated proxy, is redirected to a target that no longer uses the proxy, potentially leaking `Proxy-Authorization` headers containing sensitive credentials to an untrusted remote server. This risk is heightened in deployments where applications interact with untrusted HTTP origins.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44486"
},
{
"category": "external",
"summary": "RHBZ#2487947",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487947"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44486"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc",
"url": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc"
}
],
"release_date": "2026-06-11T15:39:07.714000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:07:52+00:00",
"details": "See Kiali 1.73.33 documentation at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/service_mesh/service-mesh-2-x",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects"
},
{
"cve": "CVE-2026-44487",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-06-11T17:01:34.091476+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487948"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure of proxy credentials via redirect flows",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important information disclosure flaw in Axios affecting Node.js environments. When an application uses Axios with an authenticated HTTP proxy and follows redirects from an HTTP to a non-proxied HTTPS destination, the Proxy-Authorization header may be inadvertently sent to the final origin server. This could lead to the exposure of sensitive proxy credentials to an unintended third party.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44487"
},
{
"category": "external",
"summary": "RHBZ#2487948",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487948"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44487"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v",
"url": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v"
}
],
"release_date": "2026-06-11T15:38:25.150000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:07:52+00:00",
"details": "See Kiali 1.73.33 documentation at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/service_mesh/service-mesh-2-x",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure of proxy credentials via redirect flows"
},
{
"cve": "CVE-2026-44488",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-11T17:01:36.836488+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487949"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Denial of Service due to unenforced request and response size limits",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Important: A denial of service flaw was found in Axios, a JavaScript HTTP client library. This issue arises when applications utilize the `fetch` adapter, as configured request and response size limits are not properly enforced. A remote attacker could exploit this by sending or receiving excessively large data bodies, leading to resource exhaustion and potential denial of service in affected server-side applications.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44488"
},
{
"category": "external",
"summary": "RHBZ#2487949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487949"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44488",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44488"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
}
],
"release_date": "2026-06-11T15:37:38.013000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:07:52+00:00",
"details": "See Kiali 1.73.33 documentation at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/service_mesh/service-mesh-2-x",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Denial of Service due to unenforced request and response size limits"
},
{
"cve": "CVE-2026-44492",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2026-06-11T17:00:56.761751+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487938"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw in Axios, a JavaScript HTTP client library, that allows for a proxy bypass. When a `NO_PROXY` environment variable is configured to prevent direct connections to specific IPv4 addresses, an attacker can craft a request URL using the IPv4-mapped IPv6 address format. This bypasses the intended `NO_PROXY` exclusion, routing the request through the configured proxy and potentially exposing internal services or sensitive information, such as cloud instance metadata credentials.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44492"
},
{
"category": "external",
"summary": "RHBZ#2487938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44492",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44492"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv"
}
],
"release_date": "2026-06-11T15:29:13.890000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:07:52+00:00",
"details": "See Kiali 1.73.33 documentation at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/service_mesh/service-mesh-2-x",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization"
},
{
"cve": "CVE-2026-44494",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-06-11T17:01:12.945664+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487942"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to escalate any existing Object.prototype pollution in an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in the Axios library allows an attacker to escalate existing prototype pollution vulnerabilities within an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. By injecting a malicious proxy configuration into the `Object.prototype`, an attacker can intercept, read, and modify all HTTP traffic, including sensitive authentication credentials, without direct user interaction. This poses a significant risk to data confidentiality and integrity in Red Hat products that utilize the Axios library.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44494"
},
{
"category": "external",
"summary": "RHBZ#2487942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487942"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44494",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44494"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh",
"url": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh"
}
],
"release_date": "2026-06-11T15:32:03.155000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:07:52+00:00",
"details": "See Kiali 1.73.33 documentation at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/service_mesh/service-mesh-2-x",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution"
},
{
"cve": "CVE-2026-44495",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-06-11T17:00:53.999811+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487937"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure due to prototype pollution vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important vulnerability in Axios, a promise-based HTTP client, can lead to information disclosure, including credential theft and response hijacking, or denial of service. Exploitation requires a separate prototype pollution vulnerability in the same JavaScript process, allowing an attacker to control `Object.prototype.transformResponse`. Red Hat products using affected Axios versions are at risk if another component introduces such pollution.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44495"
},
{
"category": "external",
"summary": "RHBZ#2487937",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487937"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44495",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44495"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw",
"url": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw"
}
],
"release_date": "2026-06-11T15:33:12.433000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:07:52+00:00",
"details": "See Kiali 1.73.33 documentation at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/service_mesh/service-mesh-2-x",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure due to prototype pollution vulnerability"
},
{
"cve": "CVE-2026-44496",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2026-06-11T17:01:15.856386+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487943"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in Axios can lead to a client-side Denial of Service. An attacker capable of influencing the XSRF cookie name within a browser environment could trigger excessive regular expression processing, causing the affected browser tab to freeze and degrade user availability. This issue specifically impacts browser-based applications and does not affect Node.js HTTP adapter usage, React Native, or web workers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44496"
},
{
"category": "external",
"summary": "RHBZ#2487943",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487943"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44496",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44496"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf"
}
],
"release_date": "2026-06-11T15:34:28.492000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:07:52+00:00",
"details": "See Kiali 1.73.33 documentation at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/service_mesh/service-mesh-2-x",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name"
},
{
"cve": "CVE-2026-48779",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-06-16T22:01:24.571224+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2489661"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in the `ws` WebSocket library. A remote attacker can exploit this flaw by sending a high volume of small, fragmented data, leading to excessive memory consumption and subsequent process termination. This can result in service disruption for Red Hat products that utilize `ws` for WebSocket communication.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48779"
},
{
"category": "external",
"summary": "RHBZ#2489661",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489661"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48779",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48779"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48779",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48779"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7",
"url": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53",
"url": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94",
"url": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8",
"url": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p",
"url": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p"
}
],
"release_date": "2026-06-16T21:26:22.537000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:07:52+00:00",
"details": "See Kiali 1.73.33 documentation at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/service_mesh/service-mesh-2-x",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33155"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:431be7a67581ddb521dc3e8a2d7fb59fdc2bfe8362e364aed4cdc8bb441495c0_amd64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:71bf14b0c1b05f821567971253f304ccc8a58cc682aa9dfe2805dc096f29ce39_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:75a4205abf3e9d948907598c52e18b89d5656e3bab72846319ca9d7162c9b123_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel8@sha256:f71032abc7a0d0885b56bf99a59c0b8800844297c0ff96fb2561edc493a0a0a2_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:70f6b5471f8994330a6659bc2b863bff2792552231237d217825d432c166dfd9_arm64",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:cf60d7a68c8b997e899f71a049e0d43d6d07115ed544a79db569bc8c33306e75_ppc64le",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:ed47a2c0145d0e71f6c7dca89f1cb502098ab54c679367b2c7374fd6ca2da413_s390x",
"Red Hat OpenShift Service Mesh 2.6:registry.redhat.io/openshift-service-mesh/kiali-rhel8@sha256:eff6e4643347f77c419cb3e32b4c9d914762b9f2114e832126964850b7179967_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments"
}
]
}
RHSA-2026:33160
Vulnerability from csaf_redhat - Published: 2026-06-29 16:36 - Updated: 2026-07-06 12:13A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return (CR), line feed (LF), or double-quote (") characters into the `field` argument of `FormData#append` or the `filename` option. This allows the attacker to inject additional headers or smuggle entire additional multipart parts into requests, potentially enabling them to add or override form fields and compromise data integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname (for example, xn--example-.com returns example.com instead of an error). Applications that validate the ASCII form then convert to Unicode may grant access to a restricted hostname the ASCII check would have rejected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le | — |
Workaround
|
A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user's browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to escalate any existing Object.prototype pollution in an application's dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64 | — |
Vendor Fix
fix
Workaround
|
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:33160 | self |
| https://access.redhat.com/security/cve/CVE-2026-12143 | external |
| https://access.redhat.com/security/cve/CVE-2026-39821 | external |
| https://access.redhat.com/security/cve/CVE-2026-42338 | external |
| https://access.redhat.com/security/cve/CVE-2026-44486 | external |
| https://access.redhat.com/security/cve/CVE-2026-44487 | external |
| https://access.redhat.com/security/cve/CVE-2026-44488 | external |
| https://access.redhat.com/security/cve/CVE-2026-44492 | external |
| https://access.redhat.com/security/cve/CVE-2026-44494 | external |
| https://access.redhat.com/security/cve/CVE-2026-44495 | external |
| https://access.redhat.com/security/cve/CVE-2026-44496 | external |
| https://access.redhat.com/security/cve/CVE-2026-48779 | external |
| https://access.redhat.com/security/updates/classi… | external |
| https://access.redhat.com/security/updates/classi… | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2026-12143 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2488480 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-12143 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-12143 | external |
| https://cwe.mitre.org/data/definitions/93.html | external |
| https://github.com/form-data/form-data/commit/641… | external |
| https://github.com/form-data/form-data/commit/be3… | external |
| https://github.com/form-data/form-data/commit/c71… | external |
| https://github.com/form-data/form-data/security/a… | external |
| https://html.spec.whatwg.org/multipage/form-contr… | external |
| https://www.npmjs.com/package/form-data | external |
| https://access.redhat.com/security/cve/CVE-2026-39821 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2480756 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-39821 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-39821 | external |
| https://go.dev/cl/767220 | external |
| https://go.dev/issue/78760 | external |
| https://groups.google.com/g/golang-announce/c/iI-… | external |
| https://pkg.go.dev/vuln/GO-2026-5026 | external |
| https://access.redhat.com/security/cve/CVE-2026-42338 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2476810 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-42338 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-42338 | external |
| https://github.com/beaugunderson/ip-address/secur… | external |
| https://access.redhat.com/security/cve/CVE-2026-44486 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487947 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44486 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44486 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44487 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487948 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44487 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44487 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44488 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487949 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44488 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44488 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44492 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487938 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44492 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44492 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44494 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487942 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44494 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44494 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44495 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487937 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44495 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44495 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44496 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487943 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44496 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44496 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-48779 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2489661 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-48779 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-48779 | external |
| https://github.com/websockets/ws/commit/86d3e8a5f… | external |
| https://github.com/websockets/ws/commit/b5372ac67… | external |
| https://github.com/websockets/ws/commit/bca91adf1… | external |
| https://github.com/websockets/ws/commit/fd36cd864… | external |
| https://github.com/websockets/ws/security/advisor… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 2.4.19 for Red Hat OpenShift Service Mesh 3.0 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 3.0. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 2.4.19, for Red Hat OpenShift Service Mesh 3.0, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-42338 openshift-service-mesh/kiali-ossmc-rhel9: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (OSSM-14061)\n* CVE-2026-42338 openshift-service-mesh/kiali-rhel9: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (OSSM-14069)\n* CVE-2026-39821 openshift-service-mesh/kiali-rhel9: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing (OSSM-14072)\n* CVE-2026-44495 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure due to prototype pollution vulnerability (OSSM-14136)\n* CVE-2026-44495 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure due to prototype pollution vulnerability (OSSM-14140)\n* CVE-2026-44488 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Denial of Service due to unenforced request and response size limits (OSSM-14150)\n* CVE-2026-44488 openshift-service-mesh/kiali-rhel9: Axios: Denial of Service due to unenforced request and response size limits (OSSM-14155)\n* CVE-2026-44487 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure of proxy credentials via redirect flows (OSSM-14169)\n* CVE-2026-44487 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure of proxy credentials via redirect flows (OSSM-14178)\n* CVE-2026-44494 openshift-service-mesh/kiali-rhel9: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution (OSSM-14181)\n* CVE-2026-44494 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution (OSSM-14183)\n* CVE-2026-44496 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name (OSSM-14190)\n* CVE-2026-44496 openshift-service-mesh/kiali-rhel9: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name (OSSM-14192)\n* CVE-2026-44486 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure of proxy credentials via HTTP redirects (OSSM-14194)\n* CVE-2026-44486 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure of proxy credentials via HTTP redirects (OSSM-14208)\n* CVE-2026-44492 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization (OSSM-14218)\n* CVE-2026-44492 openshift-service-mesh/kiali-rhel9: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization (OSSM-14225)\n* CVE-2026-48779 openshift-service-mesh/kiali-rhel9: ws: Denial of Service via memory exhaustion from small WebSocket fragments (OSSM-14302)\n* CVE-2026-48779 openshift-service-mesh/kiali-ossmc-rhel9: ws: Denial of Service via memory exhaustion from small WebSocket fragments (OSSM-14306)\n* CVE-2026-12143 openshift-service-mesh/kiali-ossmc-rhel9: form-data: Form field override via CRLF injection (OSSM-14334)\n* CVE-2026-12143 openshift-service-mesh/kiali-rhel9: form-data: Form field override via CRLF injection (OSSM-14339)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:33160",
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-12143",
"url": "https://access.redhat.com/security/cve/CVE-2026-12143"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39821",
"url": "https://access.redhat.com/security/cve/CVE-2026-39821"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42338",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44486",
"url": "https://access.redhat.com/security/cve/CVE-2026-44486"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44487",
"url": "https://access.redhat.com/security/cve/CVE-2026-44487"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44488",
"url": "https://access.redhat.com/security/cve/CVE-2026-44488"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44492",
"url": "https://access.redhat.com/security/cve/CVE-2026-44492"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44494",
"url": "https://access.redhat.com/security/cve/CVE-2026-44494"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44495",
"url": "https://access.redhat.com/security/cve/CVE-2026-44495"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44496",
"url": "https://access.redhat.com/security/cve/CVE-2026-44496"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48779",
"url": "https://access.redhat.com/security/cve/CVE-2026-48779"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_33160.json"
}
],
"title": "Red Hat Security Advisory: Kiali 2.4.19 for Red Hat OpenShift Service Mesh 3.0",
"tracking": {
"current_release_date": "2026-07-06T12:13:31+00:00",
"generator": {
"date": "2026-07-06T12:13:31+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:33160",
"initial_release_date": "2026-06-29T16:36:30+00:00",
"revision_history": [
{
"date": "2026-06-29T16:36:30+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-29T16:36:34+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-06T12:13:31+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.0",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.0::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201833"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201894"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Acf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201833"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201894"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201833"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Aab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201894"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Ac878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201833"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201894"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64 as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64 as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64 as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64 as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-12143",
"cwe": {
"id": "CWE-93",
"name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
},
"discovery_date": "2026-06-12T19:00:57.360953+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488480"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return (CR), line feed (LF), or double-quote (\") characters into the `field` argument of `FormData#append` or the `filename` option. This allows the attacker to inject additional headers or smuggle entire additional multipart parts into requests, potentially enabling them to add or override form fields and compromise data integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "form-data: form-data: Form field override via CRLF injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important impact flaw in the form-data library: a remote attacker can inject arbitrary headers or additional multipart parts via CRLF injection in field names or filenames, potentially overriding sensitive form fields and affecting data integrity.\n\nFor RHOAI and RHEL AI, severity is Moderate because affected versions appear only as a transitive npm dependency in RHOAI (dashboard, mod-arch plugins, MLflow UI) and RHEL AI 3.4 bootc images, and those products use fixed field names for uploads rather than passing untrusted user input as multipart field names or filenames. The documented exploit path is therefore not reachable in default deployments. Practical impact is limited to non-default or custom integrations that forward multipart requests using attacker-controlled field names.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-12143"
},
{
"category": "external",
"summary": "RHBZ#2488480",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488480"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-12143",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-12143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-12143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12143"
},
{
"category": "external",
"summary": "https://cwe.mitre.org/data/definitions/93.html",
"url": "https://cwe.mitre.org/data/definitions/93.html"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435",
"url": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229",
"url": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045",
"url": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx",
"url": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx"
},
{
"category": "external",
"summary": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data",
"url": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/form-data",
"url": "https://www.npmjs.com/package/form-data"
}
],
"release_date": "2026-06-12T18:01:30.362000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:36:30+00:00",
"details": "See Kiali 2.4.19 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"category": "workaround",
"details": "Applications using the `form-data` library should implement strict input validation and sanitization for all field names and filenames derived from untrusted sources. This prevents the injection of control characters (CR, LF, \") that could lead to header injection or form field overrides. Deployments that exclusively use fixed or trusted field names are not impacted.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "form-data: form-data: Form field override via CRLF injection"
},
{
"cve": "CVE-2026-39821",
"cwe": {
"id": "CWE-1289",
"name": "Improper Validation of Unsafe Equivalence in Input"
},
"discovery_date": "2026-05-22T16:00:52.844126+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480756"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname (for example, xn--example-.com returns example.com instead of an error). Applications that validate the ASCII form then convert to Unicode may grant access to a restricted hostname the ASCII check would have rejected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "golang.org/x/net/idna is vulnerable to privilege escalation through incorrect Punycode label handling in ToASCII and ToUnicode. An attacker who can supply a Punycode hostname that passes an ASCII-only authorization check may have it normalized to a restricted ASCII name the application intended to block. Red Hat exposure is broad across products shipping the Go toolchain or bundling golang.org/x/net, including RHEL and RHEL-AI golang RPMs, hummingbird Go runtimes, OpenShift and ODF container builds, and Ceph/OpenShift components compiled against affected x/net versions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39821"
},
{
"category": "external",
"summary": "RHBZ#2480756",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480756"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39821",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39821"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821"
},
{
"category": "external",
"summary": "https://go.dev/cl/767220",
"url": "https://go.dev/cl/767220"
},
{
"category": "external",
"summary": "https://go.dev/issue/78760",
"url": "https://go.dev/issue/78760"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8",
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5026",
"url": "https://pkg.go.dev/vuln/GO-2026-5026"
}
],
"release_date": "2026-05-22T15:01:21.462000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:36:30+00:00",
"details": "See Kiali 2.4.19 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"category": "workaround",
"details": "Upgrade to a fixed golang.org/x/net release that includes the idna correction, via updated golang or dependent package rebuilds.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing"
},
{
"cve": "CVE-2026-42338",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-05-12T21:01:14.436876+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2476810"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in the `ip-address` JavaScript library is rated as Important. It allows for cross-site scripting (XSS) when an application processes untrusted input through the `Address6` constructor and subsequently renders the unescaped output of methods like `Address6.group()`, `Address6.link()`, or `AddressError.parseMessage` directly as HTML. While the library itself is affected, exploitation is contingent on specific application-level rendering practices that may not be common in Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"category": "external",
"summary": "RHBZ#2476810",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476810"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42338",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42338"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
},
{
"category": "external",
"summary": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g",
"url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g"
}
],
"release_date": "2026-05-12T19:43:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:36:30+00:00",
"details": "See Kiali 2.4.19 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input"
},
{
"cve": "CVE-2026-44486",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-06-11T17:01:30.944384+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487947"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important information disclosure flaw in the Axios Node.js HTTP adapter. Red Hat products utilizing Axios in a Node.js environment with an authenticated proxy and automatic redirects enabled are susceptible. The vulnerability arises when a request, initially sent through an authenticated proxy, is redirected to a target that no longer uses the proxy, potentially leaking `Proxy-Authorization` headers containing sensitive credentials to an untrusted remote server. This risk is heightened in deployments where applications interact with untrusted HTTP origins.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44486"
},
{
"category": "external",
"summary": "RHBZ#2487947",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487947"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44486"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc",
"url": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc"
}
],
"release_date": "2026-06-11T15:39:07.714000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:36:30+00:00",
"details": "See Kiali 2.4.19 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects"
},
{
"cve": "CVE-2026-44487",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-06-11T17:01:34.091476+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487948"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure of proxy credentials via redirect flows",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important information disclosure flaw in Axios affecting Node.js environments. When an application uses Axios with an authenticated HTTP proxy and follows redirects from an HTTP to a non-proxied HTTPS destination, the Proxy-Authorization header may be inadvertently sent to the final origin server. This could lead to the exposure of sensitive proxy credentials to an unintended third party.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44487"
},
{
"category": "external",
"summary": "RHBZ#2487948",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487948"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44487"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v",
"url": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v"
}
],
"release_date": "2026-06-11T15:38:25.150000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:36:30+00:00",
"details": "See Kiali 2.4.19 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure of proxy credentials via redirect flows"
},
{
"cve": "CVE-2026-44488",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-11T17:01:36.836488+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487949"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Denial of Service due to unenforced request and response size limits",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Important: A denial of service flaw was found in Axios, a JavaScript HTTP client library. This issue arises when applications utilize the `fetch` adapter, as configured request and response size limits are not properly enforced. A remote attacker could exploit this by sending or receiving excessively large data bodies, leading to resource exhaustion and potential denial of service in affected server-side applications.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44488"
},
{
"category": "external",
"summary": "RHBZ#2487949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487949"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44488",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44488"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
}
],
"release_date": "2026-06-11T15:37:38.013000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:36:30+00:00",
"details": "See Kiali 2.4.19 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Denial of Service due to unenforced request and response size limits"
},
{
"cve": "CVE-2026-44492",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2026-06-11T17:00:56.761751+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487938"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw in Axios, a JavaScript HTTP client library, that allows for a proxy bypass. When a `NO_PROXY` environment variable is configured to prevent direct connections to specific IPv4 addresses, an attacker can craft a request URL using the IPv4-mapped IPv6 address format. This bypasses the intended `NO_PROXY` exclusion, routing the request through the configured proxy and potentially exposing internal services or sensitive information, such as cloud instance metadata credentials.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44492"
},
{
"category": "external",
"summary": "RHBZ#2487938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44492",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44492"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv"
}
],
"release_date": "2026-06-11T15:29:13.890000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:36:30+00:00",
"details": "See Kiali 2.4.19 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization"
},
{
"cve": "CVE-2026-44494",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-06-11T17:01:12.945664+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487942"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to escalate any existing Object.prototype pollution in an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in the Axios library allows an attacker to escalate existing prototype pollution vulnerabilities within an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. By injecting a malicious proxy configuration into the `Object.prototype`, an attacker can intercept, read, and modify all HTTP traffic, including sensitive authentication credentials, without direct user interaction. This poses a significant risk to data confidentiality and integrity in Red Hat products that utilize the Axios library.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44494"
},
{
"category": "external",
"summary": "RHBZ#2487942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487942"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44494",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44494"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh",
"url": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh"
}
],
"release_date": "2026-06-11T15:32:03.155000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:36:30+00:00",
"details": "See Kiali 2.4.19 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution"
},
{
"cve": "CVE-2026-44495",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-06-11T17:00:53.999811+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487937"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure due to prototype pollution vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important vulnerability in Axios, a promise-based HTTP client, can lead to information disclosure, including credential theft and response hijacking, or denial of service. Exploitation requires a separate prototype pollution vulnerability in the same JavaScript process, allowing an attacker to control `Object.prototype.transformResponse`. Red Hat products using affected Axios versions are at risk if another component introduces such pollution.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44495"
},
{
"category": "external",
"summary": "RHBZ#2487937",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487937"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44495",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44495"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw",
"url": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw"
}
],
"release_date": "2026-06-11T15:33:12.433000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:36:30+00:00",
"details": "See Kiali 2.4.19 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure due to prototype pollution vulnerability"
},
{
"cve": "CVE-2026-44496",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2026-06-11T17:01:15.856386+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487943"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in Axios can lead to a client-side Denial of Service. An attacker capable of influencing the XSRF cookie name within a browser environment could trigger excessive regular expression processing, causing the affected browser tab to freeze and degrade user availability. This issue specifically impacts browser-based applications and does not affect Node.js HTTP adapter usage, React Native, or web workers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44496"
},
{
"category": "external",
"summary": "RHBZ#2487943",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487943"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44496",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44496"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf"
}
],
"release_date": "2026-06-11T15:34:28.492000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:36:30+00:00",
"details": "See Kiali 2.4.19 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name"
},
{
"cve": "CVE-2026-48779",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-06-16T22:01:24.571224+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2489661"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in the `ws` WebSocket library. A remote attacker can exploit this flaw by sending a high volume of small, fragmented data, leading to excessive memory consumption and subsequent process termination. This can result in service disruption for Red Hat products that utilize `ws` for WebSocket communication.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48779"
},
{
"category": "external",
"summary": "RHBZ#2489661",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489661"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48779",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48779"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48779",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48779"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7",
"url": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53",
"url": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94",
"url": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8",
"url": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p",
"url": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p"
}
],
"release_date": "2026-06-16T21:26:22.537000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:36:30+00:00",
"details": "See Kiali 2.4.19 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33160"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:163c0867091d50fae1acfc08b5631ada2be4a49c056adbee9a60166b97a88d5d_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:527644abdbe3cabab1f48223a1c0ee8048d7ced2b331c6b50cb0f08decfd6b4c_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7072a730964e67001c15c156743e2726bb6dbaf7d8ee6338c337d94fafb079ed_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ab8453c70ec43c8782332d31f81758a47d79703bbfc06965947ab7d72404c374_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:12ce2d6283ac3fe295e53ac099b14222722fdcb9c549fbe2243ae83069f3cfa4_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:1b110d69b83fa0ed08e2cf38a981ad4fcadc8d01b0f9e4b1c0f4f93eba00df55_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c878bf475fb5ded36d666d59a5d1d7a15e4ec3ba0b54893cc09180e1af431db6_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf2dbdd1c93fe967961000699880b74f2234de06335682f264dac8fdd96fef09_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments"
}
]
}
RHSA-2026:33163
Vulnerability from csaf_redhat - Published: 2026-06-29 16:41 - Updated: 2026-07-06 12:13A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return (CR), line feed (LF), or double-quote (") characters into the `field` argument of `FormData#append` or the `filename` option. This allows the attacker to inject additional headers or smuggle entire additional multipart parts into requests, potentially enabling them to add or override form fields and compromise data integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname (for example, xn--example-.com returns example.com instead of an error). Applications that validate the ASCII form then convert to Unicode may grant access to a restricted hostname the ASCII check would have rejected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64 | — |
Workaround
|
A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user's browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to escalate any existing Object.prototype pollution in an application's dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64 | — |
Vendor Fix
fix
Workaround
|
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:33163 | self |
| https://access.redhat.com/security/cve/CVE-2026-12143 | external |
| https://access.redhat.com/security/cve/CVE-2026-39821 | external |
| https://access.redhat.com/security/cve/CVE-2026-42338 | external |
| https://access.redhat.com/security/cve/CVE-2026-44486 | external |
| https://access.redhat.com/security/cve/CVE-2026-44487 | external |
| https://access.redhat.com/security/cve/CVE-2026-44488 | external |
| https://access.redhat.com/security/cve/CVE-2026-44492 | external |
| https://access.redhat.com/security/cve/CVE-2026-44494 | external |
| https://access.redhat.com/security/cve/CVE-2026-44495 | external |
| https://access.redhat.com/security/cve/CVE-2026-44496 | external |
| https://access.redhat.com/security/cve/CVE-2026-48779 | external |
| https://access.redhat.com/security/updates/classi… | external |
| https://access.redhat.com/security/updates/classi… | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2026-12143 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2488480 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-12143 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-12143 | external |
| https://cwe.mitre.org/data/definitions/93.html | external |
| https://github.com/form-data/form-data/commit/641… | external |
| https://github.com/form-data/form-data/commit/be3… | external |
| https://github.com/form-data/form-data/commit/c71… | external |
| https://github.com/form-data/form-data/security/a… | external |
| https://html.spec.whatwg.org/multipage/form-contr… | external |
| https://www.npmjs.com/package/form-data | external |
| https://access.redhat.com/security/cve/CVE-2026-39821 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2480756 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-39821 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-39821 | external |
| https://go.dev/cl/767220 | external |
| https://go.dev/issue/78760 | external |
| https://groups.google.com/g/golang-announce/c/iI-… | external |
| https://pkg.go.dev/vuln/GO-2026-5026 | external |
| https://access.redhat.com/security/cve/CVE-2026-42338 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2476810 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-42338 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-42338 | external |
| https://github.com/beaugunderson/ip-address/secur… | external |
| https://access.redhat.com/security/cve/CVE-2026-44486 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487947 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44486 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44486 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44487 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487948 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44487 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44487 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44488 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487949 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44488 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44488 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44492 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487938 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44492 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44492 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44494 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487942 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44494 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44494 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44495 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487937 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44495 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44495 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44496 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487943 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44496 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44496 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-48779 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2489661 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-48779 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-48779 | external |
| https://github.com/websockets/ws/commit/86d3e8a5f… | external |
| https://github.com/websockets/ws/commit/b5372ac67… | external |
| https://github.com/websockets/ws/commit/bca91adf1… | external |
| https://github.com/websockets/ws/commit/fd36cd864… | external |
| https://github.com/websockets/ws/security/advisor… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 2.11.13 for Red Hat OpenShift Service Mesh 3.1 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 3.1. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 2.11.13, for Red Hat OpenShift Service Mesh 3.1, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-42338 openshift-service-mesh/kiali-ossmc-rhel9: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (OSSM-14063)\n* CVE-2026-42338 openshift-service-mesh/kiali-rhel9: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (OSSM-14068)\n* CVE-2026-39821 openshift-service-mesh/kiali-rhel9: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing (OSSM-14070)\n* CVE-2026-44495 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure due to prototype pollution vulnerability (OSSM-14144)\n* CVE-2026-44495 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure due to prototype pollution vulnerability (OSSM-14149)\n* CVE-2026-44488 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Denial of Service due to unenforced request and response size limits (OSSM-14157)\n* CVE-2026-44488 openshift-service-mesh/kiali-rhel9: Axios: Denial of Service due to unenforced request and response size limits (OSSM-14162)\n* CVE-2026-44487 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure of proxy credentials via redirect flows (OSSM-14166)\n* CVE-2026-44487 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure of proxy credentials via redirect flows (OSSM-14173)\n* CVE-2026-44494 openshift-service-mesh/kiali-rhel9: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution (OSSM-14222)\n* CVE-2026-44494 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution (OSSM-14171)\n* CVE-2026-44496 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name (OSSM-14213)\n* CVE-2026-44496 openshift-service-mesh/kiali-rhel9: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name (OSSM-14185)\n* CVE-2026-44486 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure of proxy credentials via HTTP redirects (OSSM-14200)\n* CVE-2026-44486 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure of proxy credentials via HTTP redirects (OSSM-14188)\n* CVE-2026-44492 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization (OSSM-14227)\n* CVE-2026-44492 openshift-service-mesh/kiali-rhel9: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization (OSSM-14230)\n* CVE-2026-48779 openshift-service-mesh/kiali-rhel9: ws: Denial of Service via memory exhaustion from small WebSocket fragments (OSSM-14311)\n* CVE-2026-48779 openshift-service-mesh/kiali-ossmc-rhel9: ws: Denial of Service via memory exhaustion from small WebSocket fragments (OSSM-14314)\n* CVE-2026-12143 openshift-service-mesh/kiali-ossmc-rhel9: form-data: Form field override via CRLF injection (OSSM-14333)\n* CVE-2026-12143 openshift-service-mesh/kiali-rhel9: form-data: Form field override via CRLF injection (OSSM-14330)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:33163",
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-12143",
"url": "https://access.redhat.com/security/cve/CVE-2026-12143"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39821",
"url": "https://access.redhat.com/security/cve/CVE-2026-39821"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42338",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44486",
"url": "https://access.redhat.com/security/cve/CVE-2026-44486"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44487",
"url": "https://access.redhat.com/security/cve/CVE-2026-44487"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44488",
"url": "https://access.redhat.com/security/cve/CVE-2026-44488"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44492",
"url": "https://access.redhat.com/security/cve/CVE-2026-44492"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44494",
"url": "https://access.redhat.com/security/cve/CVE-2026-44494"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44495",
"url": "https://access.redhat.com/security/cve/CVE-2026-44495"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44496",
"url": "https://access.redhat.com/security/cve/CVE-2026-44496"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48779",
"url": "https://access.redhat.com/security/cve/CVE-2026-48779"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_33163.json"
}
],
"title": "Red Hat Security Advisory: Kiali 2.11.13 for Red Hat OpenShift Service Mesh 3.1",
"tracking": {
"current_release_date": "2026-07-06T12:13:31+00:00",
"generator": {
"date": "2026-07-06T12:13:31+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:33163",
"initial_release_date": "2026-06-29T16:41:59+00:00",
"revision_history": [
{
"date": "2026-06-29T16:41:59+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-29T16:42:08+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-06T12:13:31+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.1",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.1::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Ac5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201537"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201696"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Aca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201537"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Acf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201696"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201537"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Acd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201696"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201537"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201696"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-12143",
"cwe": {
"id": "CWE-93",
"name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
},
"discovery_date": "2026-06-12T19:00:57.360953+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488480"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return (CR), line feed (LF), or double-quote (\") characters into the `field` argument of `FormData#append` or the `filename` option. This allows the attacker to inject additional headers or smuggle entire additional multipart parts into requests, potentially enabling them to add or override form fields and compromise data integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "form-data: form-data: Form field override via CRLF injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important impact flaw in the form-data library: a remote attacker can inject arbitrary headers or additional multipart parts via CRLF injection in field names or filenames, potentially overriding sensitive form fields and affecting data integrity.\n\nFor RHOAI and RHEL AI, severity is Moderate because affected versions appear only as a transitive npm dependency in RHOAI (dashboard, mod-arch plugins, MLflow UI) and RHEL AI 3.4 bootc images, and those products use fixed field names for uploads rather than passing untrusted user input as multipart field names or filenames. The documented exploit path is therefore not reachable in default deployments. Practical impact is limited to non-default or custom integrations that forward multipart requests using attacker-controlled field names.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-12143"
},
{
"category": "external",
"summary": "RHBZ#2488480",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488480"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-12143",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-12143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-12143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12143"
},
{
"category": "external",
"summary": "https://cwe.mitre.org/data/definitions/93.html",
"url": "https://cwe.mitre.org/data/definitions/93.html"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435",
"url": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229",
"url": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045",
"url": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx",
"url": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx"
},
{
"category": "external",
"summary": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data",
"url": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/form-data",
"url": "https://www.npmjs.com/package/form-data"
}
],
"release_date": "2026-06-12T18:01:30.362000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:41:59+00:00",
"details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"category": "workaround",
"details": "Applications using the `form-data` library should implement strict input validation and sanitization for all field names and filenames derived from untrusted sources. This prevents the injection of control characters (CR, LF, \") that could lead to header injection or form field overrides. Deployments that exclusively use fixed or trusted field names are not impacted.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "form-data: form-data: Form field override via CRLF injection"
},
{
"cve": "CVE-2026-39821",
"cwe": {
"id": "CWE-1289",
"name": "Improper Validation of Unsafe Equivalence in Input"
},
"discovery_date": "2026-05-22T16:00:52.844126+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480756"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname (for example, xn--example-.com returns example.com instead of an error). Applications that validate the ASCII form then convert to Unicode may grant access to a restricted hostname the ASCII check would have rejected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "golang.org/x/net/idna is vulnerable to privilege escalation through incorrect Punycode label handling in ToASCII and ToUnicode. An attacker who can supply a Punycode hostname that passes an ASCII-only authorization check may have it normalized to a restricted ASCII name the application intended to block. Red Hat exposure is broad across products shipping the Go toolchain or bundling golang.org/x/net, including RHEL and RHEL-AI golang RPMs, hummingbird Go runtimes, OpenShift and ODF container builds, and Ceph/OpenShift components compiled against affected x/net versions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39821"
},
{
"category": "external",
"summary": "RHBZ#2480756",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480756"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39821",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39821"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821"
},
{
"category": "external",
"summary": "https://go.dev/cl/767220",
"url": "https://go.dev/cl/767220"
},
{
"category": "external",
"summary": "https://go.dev/issue/78760",
"url": "https://go.dev/issue/78760"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8",
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5026",
"url": "https://pkg.go.dev/vuln/GO-2026-5026"
}
],
"release_date": "2026-05-22T15:01:21.462000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:41:59+00:00",
"details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"category": "workaround",
"details": "Upgrade to a fixed golang.org/x/net release that includes the idna correction, via updated golang or dependent package rebuilds.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing"
},
{
"cve": "CVE-2026-42338",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-05-12T21:01:14.436876+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2476810"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in the `ip-address` JavaScript library is rated as Important. It allows for cross-site scripting (XSS) when an application processes untrusted input through the `Address6` constructor and subsequently renders the unescaped output of methods like `Address6.group()`, `Address6.link()`, or `AddressError.parseMessage` directly as HTML. While the library itself is affected, exploitation is contingent on specific application-level rendering practices that may not be common in Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"category": "external",
"summary": "RHBZ#2476810",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476810"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42338",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42338"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
},
{
"category": "external",
"summary": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g",
"url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g"
}
],
"release_date": "2026-05-12T19:43:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:41:59+00:00",
"details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input"
},
{
"cve": "CVE-2026-44486",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-06-11T17:01:30.944384+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487947"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important information disclosure flaw in the Axios Node.js HTTP adapter. Red Hat products utilizing Axios in a Node.js environment with an authenticated proxy and automatic redirects enabled are susceptible. The vulnerability arises when a request, initially sent through an authenticated proxy, is redirected to a target that no longer uses the proxy, potentially leaking `Proxy-Authorization` headers containing sensitive credentials to an untrusted remote server. This risk is heightened in deployments where applications interact with untrusted HTTP origins.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44486"
},
{
"category": "external",
"summary": "RHBZ#2487947",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487947"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44486"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc",
"url": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc"
}
],
"release_date": "2026-06-11T15:39:07.714000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:41:59+00:00",
"details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects"
},
{
"cve": "CVE-2026-44487",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-06-11T17:01:34.091476+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487948"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure of proxy credentials via redirect flows",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important information disclosure flaw in Axios affecting Node.js environments. When an application uses Axios with an authenticated HTTP proxy and follows redirects from an HTTP to a non-proxied HTTPS destination, the Proxy-Authorization header may be inadvertently sent to the final origin server. This could lead to the exposure of sensitive proxy credentials to an unintended third party.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44487"
},
{
"category": "external",
"summary": "RHBZ#2487948",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487948"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44487"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v",
"url": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v"
}
],
"release_date": "2026-06-11T15:38:25.150000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:41:59+00:00",
"details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure of proxy credentials via redirect flows"
},
{
"cve": "CVE-2026-44488",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-11T17:01:36.836488+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487949"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Denial of Service due to unenforced request and response size limits",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Important: A denial of service flaw was found in Axios, a JavaScript HTTP client library. This issue arises when applications utilize the `fetch` adapter, as configured request and response size limits are not properly enforced. A remote attacker could exploit this by sending or receiving excessively large data bodies, leading to resource exhaustion and potential denial of service in affected server-side applications.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44488"
},
{
"category": "external",
"summary": "RHBZ#2487949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487949"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44488",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44488"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
}
],
"release_date": "2026-06-11T15:37:38.013000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:41:59+00:00",
"details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Denial of Service due to unenforced request and response size limits"
},
{
"cve": "CVE-2026-44492",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2026-06-11T17:00:56.761751+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487938"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw in Axios, a JavaScript HTTP client library, that allows for a proxy bypass. When a `NO_PROXY` environment variable is configured to prevent direct connections to specific IPv4 addresses, an attacker can craft a request URL using the IPv4-mapped IPv6 address format. This bypasses the intended `NO_PROXY` exclusion, routing the request through the configured proxy and potentially exposing internal services or sensitive information, such as cloud instance metadata credentials.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44492"
},
{
"category": "external",
"summary": "RHBZ#2487938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44492",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44492"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv"
}
],
"release_date": "2026-06-11T15:29:13.890000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:41:59+00:00",
"details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization"
},
{
"cve": "CVE-2026-44494",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-06-11T17:01:12.945664+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487942"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to escalate any existing Object.prototype pollution in an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in the Axios library allows an attacker to escalate existing prototype pollution vulnerabilities within an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. By injecting a malicious proxy configuration into the `Object.prototype`, an attacker can intercept, read, and modify all HTTP traffic, including sensitive authentication credentials, without direct user interaction. This poses a significant risk to data confidentiality and integrity in Red Hat products that utilize the Axios library.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44494"
},
{
"category": "external",
"summary": "RHBZ#2487942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487942"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44494",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44494"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh",
"url": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh"
}
],
"release_date": "2026-06-11T15:32:03.155000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:41:59+00:00",
"details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution"
},
{
"cve": "CVE-2026-44495",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-06-11T17:00:53.999811+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487937"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure due to prototype pollution vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important vulnerability in Axios, a promise-based HTTP client, can lead to information disclosure, including credential theft and response hijacking, or denial of service. Exploitation requires a separate prototype pollution vulnerability in the same JavaScript process, allowing an attacker to control `Object.prototype.transformResponse`. Red Hat products using affected Axios versions are at risk if another component introduces such pollution.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44495"
},
{
"category": "external",
"summary": "RHBZ#2487937",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487937"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44495",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44495"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw",
"url": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw"
}
],
"release_date": "2026-06-11T15:33:12.433000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:41:59+00:00",
"details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure due to prototype pollution vulnerability"
},
{
"cve": "CVE-2026-44496",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2026-06-11T17:01:15.856386+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487943"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in Axios can lead to a client-side Denial of Service. An attacker capable of influencing the XSRF cookie name within a browser environment could trigger excessive regular expression processing, causing the affected browser tab to freeze and degrade user availability. This issue specifically impacts browser-based applications and does not affect Node.js HTTP adapter usage, React Native, or web workers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44496"
},
{
"category": "external",
"summary": "RHBZ#2487943",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487943"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44496",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44496"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf"
}
],
"release_date": "2026-06-11T15:34:28.492000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:41:59+00:00",
"details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name"
},
{
"cve": "CVE-2026-48779",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-06-16T22:01:24.571224+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2489661"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in the `ws` WebSocket library. A remote attacker can exploit this flaw by sending a high volume of small, fragmented data, leading to excessive memory consumption and subsequent process termination. This can result in service disruption for Red Hat products that utilize `ws` for WebSocket communication.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48779"
},
{
"category": "external",
"summary": "RHBZ#2489661",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489661"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48779",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48779"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48779",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48779"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7",
"url": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53",
"url": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94",
"url": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8",
"url": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p",
"url": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p"
}
],
"release_date": "2026-06-16T21:26:22.537000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T16:41:59+00:00",
"details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33163"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments"
}
]
}
RHSA-2026:33173
Vulnerability from csaf_redhat - Published: 2026-06-29 17:10 - Updated: 2026-07-06 12:13A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return (CR), line feed (LF), or double-quote (") characters into the `field` argument of `FormData#append` or the `filename` option. This allows the attacker to inject additional headers or smuggle entire additional multipart parts into requests, potentially enabling them to add or override form fields and compromise data integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname (for example, xn--example-.com returns example.com instead of an error). Applications that validate the ASCII form then convert to Unicode may grant access to a restricted hostname the ASCII check would have rejected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le | — |
Workaround
|
A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as prototype pollution, allows an attacker to inject malicious properties into core JavaScript objects. When another component in the same application environment is compromised and pollutes the system's object prototype, Axios can unknowingly use these manipulated values in its outbound network requests. This could lead to the disclosure of sensitive information or the alteration of network communications, compromising data confidentiality and integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user's browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to escalate any existing Object.prototype pollution in an application's dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64 | — |
Vendor Fix
fix
Workaround
|
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:33173 | self |
| https://access.redhat.com/security/cve/CVE-2026-12143 | external |
| https://access.redhat.com/security/cve/CVE-2026-39821 | external |
| https://access.redhat.com/security/cve/CVE-2026-42264 | external |
| https://access.redhat.com/security/cve/CVE-2026-42338 | external |
| https://access.redhat.com/security/cve/CVE-2026-44486 | external |
| https://access.redhat.com/security/cve/CVE-2026-44487 | external |
| https://access.redhat.com/security/cve/CVE-2026-44488 | external |
| https://access.redhat.com/security/cve/CVE-2026-44492 | external |
| https://access.redhat.com/security/cve/CVE-2026-44494 | external |
| https://access.redhat.com/security/cve/CVE-2026-44495 | external |
| https://access.redhat.com/security/cve/CVE-2026-44496 | external |
| https://access.redhat.com/security/cve/CVE-2026-48779 | external |
| https://access.redhat.com/security/updates/classi… | external |
| https://access.redhat.com/security/updates/classi… | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2026-12143 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2488480 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-12143 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-12143 | external |
| https://cwe.mitre.org/data/definitions/93.html | external |
| https://github.com/form-data/form-data/commit/641… | external |
| https://github.com/form-data/form-data/commit/be3… | external |
| https://github.com/form-data/form-data/commit/c71… | external |
| https://github.com/form-data/form-data/security/a… | external |
| https://html.spec.whatwg.org/multipage/form-contr… | external |
| https://www.npmjs.com/package/form-data | external |
| https://access.redhat.com/security/cve/CVE-2026-39821 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2480756 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-39821 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-39821 | external |
| https://go.dev/cl/767220 | external |
| https://go.dev/issue/78760 | external |
| https://groups.google.com/g/golang-announce/c/iI-… | external |
| https://pkg.go.dev/vuln/GO-2026-5026 | external |
| https://access.redhat.com/security/cve/CVE-2026-42264 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2467927 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-42264 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-42264 | external |
| https://github.com/axios/axios/commit/47915144662… | external |
| https://github.com/axios/axios/pull/10779 | external |
| https://github.com/axios/axios/releases/tag/v1.15.2 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-42338 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2476810 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-42338 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-42338 | external |
| https://github.com/beaugunderson/ip-address/secur… | external |
| https://access.redhat.com/security/cve/CVE-2026-44486 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487947 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44486 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44486 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44487 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487948 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44487 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44487 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44488 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487949 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44488 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44488 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44492 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487938 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44492 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44492 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44494 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487942 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44494 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44494 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44495 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487937 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44495 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44495 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-44496 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487943 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-44496 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-44496 | external |
| https://github.com/axios/axios/security/advisorie… | external |
| https://access.redhat.com/security/cve/CVE-2026-48779 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2489661 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-48779 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-48779 | external |
| https://github.com/websockets/ws/commit/86d3e8a5f… | external |
| https://github.com/websockets/ws/commit/b5372ac67… | external |
| https://github.com/websockets/ws/commit/bca91adf1… | external |
| https://github.com/websockets/ws/commit/fd36cd864… | external |
| https://github.com/websockets/ws/security/advisor… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 2.17.10 for Red Hat OpenShift Service Mesh 3.2 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 3.2. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 2.17.10, for Red Hat OpenShift Service Mesh 3.2, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-42338 openshift-service-mesh/kiali-rhel9: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (OSSM-14062)\n* CVE-2026-42338 openshift-service-mesh/kiali-ossmc-rhel9: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (OSSM-14064)\n* CVE-2026-39821 openshift-service-mesh/kiali-rhel9: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing (OSSM-14074)\n* CVE-2026-44495 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure due to prototype pollution vulnerability (OSSM-14143)\n* CVE-2026-44495 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure due to prototype pollution vulnerability (OSSM-14146)\n* CVE-2026-44488 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Denial of Service due to unenforced request and response size limits (OSSM-14158)\n* CVE-2026-44488 openshift-service-mesh/kiali-rhel9: Axios: Denial of Service due to unenforced request and response size limits (OSSM-14159)\n* CVE-2026-44487 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure of proxy credentials via redirect flows (OSSM-14164)\n* CVE-2026-44487 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure of proxy credentials via redirect flows (OSSM-14165)\n* CVE-2026-44494 openshift-service-mesh/kiali-rhel9: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution (OSSM-14181)\n* CVE-2026-44494 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution (OSSM-14212)\n* CVE-2026-44496 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name (OSSM-14204)\n* CVE-2026-44496 openshift-service-mesh/kiali-rhel9: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name (OSSM-14209)\n* CVE-2026-44486 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure of proxy credentials via HTTP redirects (OSSM-14193)\n* CVE-2026-44486 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure of proxy credentials via HTTP redirects (OSSM-14197)\n* CVE-2026-44492 openshift-service-mesh/kiali-rhel9: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization (OSSM-14229)\n* CVE-2026-44492 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization (OSSM-14231)\n* CVE-2026-48779 openshift-service-mesh/kiali-ossmc-rhel9: ws: Denial of Service via memory exhaustion from small WebSocket fragments (OSSM-14310)\n* CVE-2026-48779 openshift-service-mesh/kiali-rhel9: ws: Denial of Service via memory exhaustion from small WebSocket fragments (OSSM-14312)\n* CVE-2026-12143 openshift-service-mesh/kiali-rhel9: form-data: Form field override via CRLF injection (OSSM-14329)\n* CVE-2026-12143 openshift-service-mesh/kiali-ossmc-rhel9: form-data: Form field override via CRLF injection (OSSM-14332)\n* CVE-2026-42264 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Prototype pollution allows information disclosure and request manipulation (OSSM-14594)\n* CVE-2026-42264 openshift-service-mesh/kiali-rhel9: Axios: Prototype pollution allows information disclosure and request manipulation (OSSM-14598)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:33173",
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-12143",
"url": "https://access.redhat.com/security/cve/CVE-2026-12143"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39821",
"url": "https://access.redhat.com/security/cve/CVE-2026-39821"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42264",
"url": "https://access.redhat.com/security/cve/CVE-2026-42264"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42338",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44486",
"url": "https://access.redhat.com/security/cve/CVE-2026-44486"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44487",
"url": "https://access.redhat.com/security/cve/CVE-2026-44487"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44488",
"url": "https://access.redhat.com/security/cve/CVE-2026-44488"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44492",
"url": "https://access.redhat.com/security/cve/CVE-2026-44492"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44494",
"url": "https://access.redhat.com/security/cve/CVE-2026-44494"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44495",
"url": "https://access.redhat.com/security/cve/CVE-2026-44495"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44496",
"url": "https://access.redhat.com/security/cve/CVE-2026-44496"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48779",
"url": "https://access.redhat.com/security/cve/CVE-2026-48779"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_33173.json"
}
],
"title": "Red Hat Security Advisory: Kiali 2.17.10 for Red Hat OpenShift Service Mesh 3.2",
"tracking": {
"current_release_date": "2026-07-06T12:13:33+00:00",
"generator": {
"date": "2026-07-06T12:13:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:33173",
"initial_release_date": "2026-06-29T17:10:36+00:00",
"revision_history": [
{
"date": "2026-06-29T17:10:36+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-29T17:10:45+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-06T12:13:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.2",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201812"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201851"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201812"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Acf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201851"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201812"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Af08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201851"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201812"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201851"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-12143",
"cwe": {
"id": "CWE-93",
"name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
},
"discovery_date": "2026-06-12T19:00:57.360953+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488480"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return (CR), line feed (LF), or double-quote (\") characters into the `field` argument of `FormData#append` or the `filename` option. This allows the attacker to inject additional headers or smuggle entire additional multipart parts into requests, potentially enabling them to add or override form fields and compromise data integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "form-data: form-data: Form field override via CRLF injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important impact flaw in the form-data library: a remote attacker can inject arbitrary headers or additional multipart parts via CRLF injection in field names or filenames, potentially overriding sensitive form fields and affecting data integrity.\n\nFor RHOAI and RHEL AI, severity is Moderate because affected versions appear only as a transitive npm dependency in RHOAI (dashboard, mod-arch plugins, MLflow UI) and RHEL AI 3.4 bootc images, and those products use fixed field names for uploads rather than passing untrusted user input as multipart field names or filenames. The documented exploit path is therefore not reachable in default deployments. Practical impact is limited to non-default or custom integrations that forward multipart requests using attacker-controlled field names.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-12143"
},
{
"category": "external",
"summary": "RHBZ#2488480",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488480"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-12143",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-12143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-12143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12143"
},
{
"category": "external",
"summary": "https://cwe.mitre.org/data/definitions/93.html",
"url": "https://cwe.mitre.org/data/definitions/93.html"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435",
"url": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229",
"url": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045",
"url": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045"
},
{
"category": "external",
"summary": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx",
"url": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx"
},
{
"category": "external",
"summary": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data",
"url": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/form-data",
"url": "https://www.npmjs.com/package/form-data"
}
],
"release_date": "2026-06-12T18:01:30.362000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T17:10:36+00:00",
"details": "See Kiali 2.17.10 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"category": "workaround",
"details": "Applications using the `form-data` library should implement strict input validation and sanitization for all field names and filenames derived from untrusted sources. This prevents the injection of control characters (CR, LF, \") that could lead to header injection or form field overrides. Deployments that exclusively use fixed or trusted field names are not impacted.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "form-data: form-data: Form field override via CRLF injection"
},
{
"cve": "CVE-2026-39821",
"cwe": {
"id": "CWE-1289",
"name": "Improper Validation of Unsafe Equivalence in Input"
},
"discovery_date": "2026-05-22T16:00:52.844126+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480756"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname (for example, xn--example-.com returns example.com instead of an error). Applications that validate the ASCII form then convert to Unicode may grant access to a restricted hostname the ASCII check would have rejected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "golang.org/x/net/idna is vulnerable to privilege escalation through incorrect Punycode label handling in ToASCII and ToUnicode. An attacker who can supply a Punycode hostname that passes an ASCII-only authorization check may have it normalized to a restricted ASCII name the application intended to block. Red Hat exposure is broad across products shipping the Go toolchain or bundling golang.org/x/net, including RHEL and RHEL-AI golang RPMs, hummingbird Go runtimes, OpenShift and ODF container builds, and Ceph/OpenShift components compiled against affected x/net versions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39821"
},
{
"category": "external",
"summary": "RHBZ#2480756",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480756"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39821",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39821"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821"
},
{
"category": "external",
"summary": "https://go.dev/cl/767220",
"url": "https://go.dev/cl/767220"
},
{
"category": "external",
"summary": "https://go.dev/issue/78760",
"url": "https://go.dev/issue/78760"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8",
"url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-5026",
"url": "https://pkg.go.dev/vuln/GO-2026-5026"
}
],
"release_date": "2026-05-22T15:01:21.462000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T17:10:36+00:00",
"details": "See Kiali 2.17.10 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"category": "workaround",
"details": "Upgrade to a fixed golang.org/x/net release that includes the idna correction, via updated golang or dependent package rebuilds.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing"
},
{
"cve": "CVE-2026-42264",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-05-08T04:02:21.039378+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2467927"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as prototype pollution, allows an attacker to inject malicious properties into core JavaScript objects. When another component in the same application environment is compromised and pollutes the system\u0027s object prototype, Axios can unknowingly use these manipulated values in its outbound network requests. This could lead to the disclosure of sensitive information or the alteration of network communications, compromising data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Prototype pollution allows information disclosure and request manipulation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important prototype pollution flaw in Axios could result in information disclosure and network request manipulation. The vulnerability occurs when a co-located dependency in the application environment successfully pollutes the JavaScript `Object.prototype`. Under these conditions, Axios may unknowingly incorporate the manipulated properties into its outbound HTTP requests, potentially compromising data confidentiality and integrity. Exploitation is contingent on a prior successful prototype pollution attack from another component.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42264"
},
{
"category": "external",
"summary": "RHBZ#2467927",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467927"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42264",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42264"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/commit/47915144662f2733e6c051bdcb895a8c8f0586aa",
"url": "https://github.com/axios/axios/commit/47915144662f2733e6c051bdcb895a8c8f0586aa"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/pull/10779",
"url": "https://github.com/axios/axios/pull/10779"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/releases/tag/v1.15.2",
"url": "https://github.com/axios/axios/releases/tag/v1.15.2"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj",
"url": "https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj"
}
],
"release_date": "2026-05-08T03:20:24.248000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T17:10:36+00:00",
"details": "See Kiali 2.17.10 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Prototype pollution allows information disclosure and request manipulation"
},
{
"cve": "CVE-2026-42338",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-05-12T21:01:14.436876+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2476810"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in the `ip-address` JavaScript library is rated as Important. It allows for cross-site scripting (XSS) when an application processes untrusted input through the `Address6` constructor and subsequently renders the unescaped output of methods like `Address6.group()`, `Address6.link()`, or `AddressError.parseMessage` directly as HTML. While the library itself is affected, exploitation is contingent on specific application-level rendering practices that may not be common in Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"category": "external",
"summary": "RHBZ#2476810",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476810"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42338",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42338"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
},
{
"category": "external",
"summary": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g",
"url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g"
}
],
"release_date": "2026-05-12T19:43:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T17:10:36+00:00",
"details": "See Kiali 2.17.10 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input"
},
{
"cve": "CVE-2026-44486",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-06-11T17:01:30.944384+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487947"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important information disclosure flaw in the Axios Node.js HTTP adapter. Red Hat products utilizing Axios in a Node.js environment with an authenticated proxy and automatic redirects enabled are susceptible. The vulnerability arises when a request, initially sent through an authenticated proxy, is redirected to a target that no longer uses the proxy, potentially leaking `Proxy-Authorization` headers containing sensitive credentials to an untrusted remote server. This risk is heightened in deployments where applications interact with untrusted HTTP origins.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44486"
},
{
"category": "external",
"summary": "RHBZ#2487947",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487947"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44486"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc",
"url": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc"
}
],
"release_date": "2026-06-11T15:39:07.714000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T17:10:36+00:00",
"details": "See Kiali 2.17.10 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects"
},
{
"cve": "CVE-2026-44487",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-06-11T17:01:34.091476+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487948"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure of proxy credentials via redirect flows",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important information disclosure flaw in Axios affecting Node.js environments. When an application uses Axios with an authenticated HTTP proxy and follows redirects from an HTTP to a non-proxied HTTPS destination, the Proxy-Authorization header may be inadvertently sent to the final origin server. This could lead to the exposure of sensitive proxy credentials to an unintended third party.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44487"
},
{
"category": "external",
"summary": "RHBZ#2487948",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487948"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44487"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v",
"url": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v"
}
],
"release_date": "2026-06-11T15:38:25.150000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T17:10:36+00:00",
"details": "See Kiali 2.17.10 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure of proxy credentials via redirect flows"
},
{
"cve": "CVE-2026-44488",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-11T17:01:36.836488+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487949"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Denial of Service due to unenforced request and response size limits",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Important: A denial of service flaw was found in Axios, a JavaScript HTTP client library. This issue arises when applications utilize the `fetch` adapter, as configured request and response size limits are not properly enforced. A remote attacker could exploit this by sending or receiving excessively large data bodies, leading to resource exhaustion and potential denial of service in affected server-side applications.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44488"
},
{
"category": "external",
"summary": "RHBZ#2487949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487949"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44488",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44488"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
}
],
"release_date": "2026-06-11T15:37:38.013000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T17:10:36+00:00",
"details": "See Kiali 2.17.10 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Denial of Service due to unenforced request and response size limits"
},
{
"cve": "CVE-2026-44492",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2026-06-11T17:00:56.761751+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487938"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw in Axios, a JavaScript HTTP client library, that allows for a proxy bypass. When a `NO_PROXY` environment variable is configured to prevent direct connections to specific IPv4 addresses, an attacker can craft a request URL using the IPv4-mapped IPv6 address format. This bypasses the intended `NO_PROXY` exclusion, routing the request through the configured proxy and potentially exposing internal services or sensitive information, such as cloud instance metadata credentials.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44492"
},
{
"category": "external",
"summary": "RHBZ#2487938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44492",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44492"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv"
}
],
"release_date": "2026-06-11T15:29:13.890000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T17:10:36+00:00",
"details": "See Kiali 2.17.10 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization"
},
{
"cve": "CVE-2026-44494",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-06-11T17:01:12.945664+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487942"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to escalate any existing Object.prototype pollution in an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in the Axios library allows an attacker to escalate existing prototype pollution vulnerabilities within an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. By injecting a malicious proxy configuration into the `Object.prototype`, an attacker can intercept, read, and modify all HTTP traffic, including sensitive authentication credentials, without direct user interaction. This poses a significant risk to data confidentiality and integrity in Red Hat products that utilize the Axios library.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44494"
},
{
"category": "external",
"summary": "RHBZ#2487942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487942"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44494",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44494"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh",
"url": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh"
}
],
"release_date": "2026-06-11T15:32:03.155000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T17:10:36+00:00",
"details": "See Kiali 2.17.10 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution"
},
{
"cve": "CVE-2026-44495",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-06-11T17:00:53.999811+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487937"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure due to prototype pollution vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important vulnerability in Axios, a promise-based HTTP client, can lead to information disclosure, including credential theft and response hijacking, or denial of service. Exploitation requires a separate prototype pollution vulnerability in the same JavaScript process, allowing an attacker to control `Object.prototype.transformResponse`. Red Hat products using affected Axios versions are at risk if another component introduces such pollution.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44495"
},
{
"category": "external",
"summary": "RHBZ#2487937",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487937"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44495",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44495"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw",
"url": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw"
}
],
"release_date": "2026-06-11T15:33:12.433000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T17:10:36+00:00",
"details": "See Kiali 2.17.10 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure due to prototype pollution vulnerability"
},
{
"cve": "CVE-2026-44496",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2026-06-11T17:01:15.856386+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487943"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in Axios can lead to a client-side Denial of Service. An attacker capable of influencing the XSRF cookie name within a browser environment could trigger excessive regular expression processing, causing the affected browser tab to freeze and degrade user availability. This issue specifically impacts browser-based applications and does not affect Node.js HTTP adapter usage, React Native, or web workers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44496"
},
{
"category": "external",
"summary": "RHBZ#2487943",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487943"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44496",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44496"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf"
}
],
"release_date": "2026-06-11T15:34:28.492000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T17:10:36+00:00",
"details": "See Kiali 2.17.10 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name"
},
{
"cve": "CVE-2026-48779",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-06-16T22:01:24.571224+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2489661"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in the `ws` WebSocket library. A remote attacker can exploit this flaw by sending a high volume of small, fragmented data, leading to excessive memory consumption and subsequent process termination. This can result in service disruption for Red Hat products that utilize `ws` for WebSocket communication.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48779"
},
{
"category": "external",
"summary": "RHBZ#2489661",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489661"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48779",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48779"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48779",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48779"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7",
"url": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53",
"url": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94",
"url": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8",
"url": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8"
},
{
"category": "external",
"summary": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p",
"url": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p"
}
],
"release_date": "2026-06-16T21:26:22.537000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T17:10:36+00:00",
"details": "See Kiali 2.17.10 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:33173"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:25cea20e2ae09312237993c254bebc58983e3907469758392d7e97e9859b59c8_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26fc99e8a9aa85fee4c07b4d77b4c699a41af995888f017ca1ab650d9777f20a_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf7b68e5a7e3b4ecbab43eba4196a71b7f859fb6f9a4e11fe9dfd2ad530f684a_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:f08bc5caad4465d35f3526bdb1a43c4f56a2a70e6e0f584a291ca8984444bc5f_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:28ff05488ce8333b7b2cf2a68f465d0ba085064ba474ccee2652c7e8d4c8f5ab_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2c2d500314bd8380c4dc06068ac379eadbc8c376bfa232cbf3c7bf1816a0d628_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:6cc59e499071fb3a97ecfcdab32b29ed94b3e725d4c0c47f67b096205296e7e3_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:790215d0593d974c79ae90cd01d71b8a0f7d872c1b0ad78870d9f2ae28eaff5c_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.