Vulnerability-Lookup

RHSA-2026:23361

Vulnerability from csaf_redhat - Published: 2026-06-04 14:36 - Updated: 2026-06-05 21:04

Summary

Red Hat Security Advisory: Red Hat Quay 3.9.22

Severity

Important

Notes

Topic: Red Hat Quay 3.9.22 is now available with bug fixes.

Details: Quay 3.9.22

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2025-61726

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix Workaround

Known not affected 19 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64	—	Workaround

Threats

Impact Important

CVE-2025-61728

A flaw was found in the archive/zip package in the Go standard library. A super-linear file name indexing algorithm is used in the first time a file in an archive is opened. A crafted zip archive containing a specific arrangement of file names can cause an excessive CPU and memory consumption. A Go application processing a malicious archive can become unresponsive or crash, resulting in a denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix Workaround

Known not affected 19 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64	—	Workaround

Threats

Impact Moderate

CVE-2025-62718

A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not correctly handle hostname normalization when evaluating NO_PROXY rules. An attacker can exploit this by crafting requests to loopback addresses (e.g., localhost. or [::1]) which bypass the NO_PROXY configuration and are routed through the configured proxy. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, enabling attackers to access sensitive internal or loopback services that should otherwise be protected.

7.0 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE-1289 - Improper Validation of Unsafe Equivalence in Input

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix Workaround

Known not affected 19 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64	—	Workaround

Threats

Impact Important

CVE-2026-2377

A flaw was found in mirror-registry. Authenticated users can exploit the log export feature by providing a specially crafted web address (URL). This allows the application's backend to make arbitrary requests to internal network resources, a vulnerability known as Server-Side Request Forgery (SSRF). This could lead to unauthorized access to sensitive information or other internal systems.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-918 - Server-Side Request Forgery (SSRF)

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix

Known not affected 19 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64		—

Threats

Impact Important

CVE-2026-4427

No description is available for this CVE.

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix

Known not affected 19 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64		—

CVE-2026-4598

A flaw was found in jsrsasign. A remote attacker could exploit this vulnerability by providing specially crafted zero or negative inputs to the bnModInverse function within the BigInteger.modInverse implementation. This could lead to an infinite loop, causing a permanent denial of service (DoS) by hanging the process.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1287 - Improper Validation of Specified Type of Input

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix Workaround

Known not affected 19 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64	—	Workaround

Threats

Impact Important

CVE-2026-32280

A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix

Known not affected 19 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64		—

Threats

Impact Important

CVE-2026-32281

A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1050 - Excessive Platform Resource Consumption within a Loop

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix Workaround

Known not affected 19 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64	—	Workaround

Threats

Impact Moderate

CVE-2026-32282

A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix Workaround

Known not affected 19 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64	—	Workaround

Threats

Impact Moderate

CVE-2026-32589

A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CWE-639 - Authorization Bypass Through User-Controlled Key

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix

Known not affected 19 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64		—

Threats

Impact Important

CVE-2026-32590

A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix

Known not affected 19 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64		—

Threats

Impact Moderate

CVE-2026-33894

A flaw was found in Forge (also called `node-forge`), a JavaScript implementation of Transport Layer Security. A remote attacker could exploit weaknesses in the RSASSA PKCS#1 v1.5 signature verification process. By crafting malicious signatures that include extra data within the ASN structure and do not meet padding requirements, an attacker can bypass signature validation. This allows for the creation of forged signatures that appear legitimate, potentially compromising the integrity and authenticity of communications.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-347 - Improper Verification of Cryptographic Signature

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix Workaround

Known not affected 19 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64	—	Workaround

Threats

Impact Important

CVE-2026-34986

A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-131 - Incorrect Calculation of Buffer Size

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix Workaround

Known not affected 19 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64	—	Workaround

Threats

Impact Important

CVE-2026-39892

A flaw was found in the cryptography library. This vulnerability occurs when a non-contiguous buffer is passed to certain application programming interfaces (APIs) that accept Python buffers, such as Hash.update(). A remote attacker could exploit this to cause a buffer overflow, potentially leading to a denial of service.

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-131 - Incorrect Calculation of Buffer Size

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix Workaround

Known not affected 19 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64	—	Workaround

Threats

Impact Important

CVE-2026-40192

A flaw was found in Pillow, a Python imaging library. This vulnerability allows a remote attacker to trigger a denial of service (DoS) by providing a specially crafted FITS image file. The library's failure to limit the amount of GZIP-compressed data during decoding can lead to unbounded memory consumption, causing the system to crash or experience severe performance issues.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix Workaround

Known not affected 19 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64	—	Workaround

Threats

Impact Important

CVE-2026-40895

A flaw was found in follow-redirects. When an HTTP request follows a cross-domain redirect (a redirection to a different domain), custom authentication headers, such as X-API-Key or X-Auth-Token, are not properly stripped. This allows these sensitive headers to be forwarded verbatim to the redirect target, potentially leading to the unintended disclosure of authentication information to an untrusted third party.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix

Known not affected 19 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64		—

Threats

Impact Important

CVE-2026-42033

A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HTTP communication. This could lead to unauthorized access to sensitive information like user credentials and request details.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix

Known not affected 19 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64		—

Threats

Impact Important

CVE-2026-42035

A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to misinterpret data and include attacker-controlled headers in network communications. This could lead to unauthorized actions or data manipulation.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix Workaround

Known not affected 19 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64	—	Workaround

Threats

Impact Moderate

CVE-2026-42039

A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the `toFormData` function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js process to crash due to a RangeError, leading to a potential Denial of Service (DoS) if the process crashes.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix

Known not affected 19 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64		—

Threats

Impact Important

CVE-2026-42041

A flaw was found in Axios, a promise-based HTTP client. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to manipulate the `Object.prototype.validateStatus` property. By polluting this property, all HTTP error responses (such as 401, 403, or 500) are silently treated as successful responses. This can lead to a complete bypass of application-level authentication and error handling, potentially granting unauthorized access.

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix

Known not affected 19 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64		—

Threats

Impact Important

CVE-2026-42043

A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses (within the 127.0.0.0/8 range, excluding 127.0.0.1), the attacker can completely bypass the NO_PROXY protection, potentially leading to unauthorized access or information disclosure within the network. This issue is an incomplete fix for a previous vulnerability.

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE-918 - Server-Side Request Forgery (SSRF)

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix

Known not affected 19 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x		—
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64		—

Threats

Impact Important

CVE-2026-42044

A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution "Gadget" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64	—	Vendor Fix fix Workaround

Known not affected 19 products

Product	Version	Remediation
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x	—	Workaround
Unresolved product id: Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64	—	Workaround

Threats

Impact Important

References

158 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:23361	self
https://access.redhat.com/security/cve/CVE-2025-61726	external
https://access.redhat.com/security/cve/CVE-2025-61728	external
https://access.redhat.com/security/cve/CVE-2025-62718	external
https://access.redhat.com/security/cve/CVE-2026-2377	external
https://access.redhat.com/security/cve/CVE-2026-32280	external
https://access.redhat.com/security/cve/CVE-2026-32281	external
https://access.redhat.com/security/cve/CVE-2026-32282	external
https://access.redhat.com/security/cve/CVE-2026-32589	external
https://access.redhat.com/security/cve/CVE-2026-32590	external
https://access.redhat.com/security/cve/CVE-2026-33894	external
https://access.redhat.com/security/cve/CVE-2026-34986	external
https://access.redhat.com/security/cve/CVE-2026-39892	external
https://access.redhat.com/security/cve/CVE-2026-40192	external
https://access.redhat.com/security/cve/CVE-2026-40895	external
https://access.redhat.com/security/cve/CVE-2026-42033	external
https://access.redhat.com/security/cve/CVE-2026-42035	external
https://access.redhat.com/security/cve/CVE-2026-42039	external
https://access.redhat.com/security/cve/CVE-2026-42041	external
https://access.redhat.com/security/cve/CVE-2026-42043	external
https://access.redhat.com/security/cve/CVE-2026-42044	external
https://access.redhat.com/security/cve/CVE-2026-4427	external
https://access.redhat.com/security/cve/CVE-2026-4598	external
https://access.redhat.com/security/updates/classi…	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2025-61726	self
https://bugzilla.redhat.com/show_bug.cgi?id=2434432	external
https://www.cve.org/CVERecord?id=CVE-2025-61726	external
https://nvd.nist.gov/vuln/detail/CVE-2025-61726	external
https://go.dev/cl/736712	external
https://go.dev/issue/77101	external
https://groups.google.com/g/golang-announce/c/Vd2…	external
https://pkg.go.dev/vuln/GO-2026-4341	external
https://access.redhat.com/security/cve/CVE-2025-61728	self
https://bugzilla.redhat.com/show_bug.cgi?id=2434431	external
https://www.cve.org/CVERecord?id=CVE-2025-61728	external
https://nvd.nist.gov/vuln/detail/CVE-2025-61728	external
https://go.dev/cl/736713	external
https://go.dev/issue/77102	external
https://pkg.go.dev/vuln/GO-2026-4342	external
https://access.redhat.com/security/cve/CVE-2025-62718	self
https://bugzilla.redhat.com/show_bug.cgi?id=2456913	external
https://www.cve.org/CVERecord?id=CVE-2025-62718	external
https://nvd.nist.gov/vuln/detail/CVE-2025-62718	external
https://datatracker.ietf.org/doc/html/rfc1034#sec…	external
https://datatracker.ietf.org/doc/html/rfc3986#sec…	external
https://github.com/axios/axios/commit/fb3befb6daa…	external
https://github.com/axios/axios/pull/10661	external
https://github.com/axios/axios/releases/tag/v1.15.0	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-2377	self
https://bugzilla.redhat.com/show_bug.cgi?id=2439201	external
https://www.cve.org/CVERecord?id=CVE-2026-2377	external
https://nvd.nist.gov/vuln/detail/CVE-2026-2377	external
https://access.redhat.com/security/cve/CVE-2026-4427	self
https://www.cve.org/CVERecord?id=CVE-2026-4427	external
https://access.redhat.com/security/cve/CVE-2026-4598	self
https://bugzilla.redhat.com/show_bug.cgi?id=2450210	external
https://www.cve.org/CVERecord?id=CVE-2026-4598	external
https://nvd.nist.gov/vuln/detail/CVE-2026-4598	external
https://gist.github.com/Kr0emer/a1bf5cd4547cc630d…	external
https://github.com/kjur/jsrsasign/commit/ca5b0272…	external
https://github.com/kjur/jsrsasign/pull/648	external
https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-1…	external
https://access.redhat.com/security/cve/CVE-2026-32280	self
https://bugzilla.redhat.com/show_bug.cgi?id=2456339	external
https://www.cve.org/CVERecord?id=CVE-2026-32280	external
https://nvd.nist.gov/vuln/detail/CVE-2026-32280	external
https://go.dev/cl/758320	external
https://go.dev/issue/78282	external
https://groups.google.com/g/golang-announce/c/0uY…	external
https://pkg.go.dev/vuln/GO-2026-4947	external
https://access.redhat.com/security/cve/CVE-2026-32281	self
https://bugzilla.redhat.com/show_bug.cgi?id=2456333	external
https://www.cve.org/CVERecord?id=CVE-2026-32281	external
https://nvd.nist.gov/vuln/detail/CVE-2026-32281	external
https://go.dev/cl/758061	external
https://go.dev/issue/78281	external
https://pkg.go.dev/vuln/GO-2026-4946	external
https://access.redhat.com/security/cve/CVE-2026-32282	self
https://bugzilla.redhat.com/show_bug.cgi?id=2456336	external
https://www.cve.org/CVERecord?id=CVE-2026-32282	external
https://nvd.nist.gov/vuln/detail/CVE-2026-32282	external
https://go.dev/cl/763761	external
https://go.dev/issue/78293	external
https://pkg.go.dev/vuln/GO-2026-4864	external
https://access.redhat.com/security/cve/CVE-2026-32589	self
https://bugzilla.redhat.com/show_bug.cgi?id=2446963	external
https://www.cve.org/CVERecord?id=CVE-2026-32589	external
https://nvd.nist.gov/vuln/detail/CVE-2026-32589	external
https://access.redhat.com/security/cve/CVE-2026-32590	self
https://bugzilla.redhat.com/show_bug.cgi?id=2446964	external
https://www.cve.org/CVERecord?id=CVE-2026-32590	external
https://nvd.nist.gov/vuln/detail/CVE-2026-32590	external
https://access.redhat.com/security/cve/CVE-2026-33894	self
https://bugzilla.redhat.com/show_bug.cgi?id=2452464	external
https://www.cve.org/CVERecord?id=CVE-2026-33894	external
https://nvd.nist.gov/vuln/detail/CVE-2026-33894	external
https://datatracker.ietf.org/doc/html/rfc2313#section-8	external
https://github.com/digitalbazaar/forge/security/a…	external
https://mailarchive.ietf.org/arch/msg/openpgp/5rn…	external
https://www.rfc-editor.org/rfc/rfc8017.html	external
https://access.redhat.com/security/cve/CVE-2026-34986	self
https://bugzilla.redhat.com/show_bug.cgi?id=2455470	external
https://www.cve.org/CVERecord?id=CVE-2026-34986	external
https://nvd.nist.gov/vuln/detail/CVE-2026-34986	external
https://github.com/go-jose/go-jose/security/advis…	external
https://pkg.go.dev/github.com/go-jose/go-jose/v4#…	external
https://access.redhat.com/security/cve/CVE-2026-39892	self
https://bugzilla.redhat.com/show_bug.cgi?id=2456735	external
https://www.cve.org/CVERecord?id=CVE-2026-39892	external
https://nvd.nist.gov/vuln/detail/CVE-2026-39892	external
http://www.openwall.com/lists/oss-security/2026/0…	external
https://github.com/pyca/cryptography/commit/622d6…	external
https://github.com/pyca/cryptography/security/adv…	external
https://access.redhat.com/security/cve/CVE-2026-40192	self
https://bugzilla.redhat.com/show_bug.cgi?id=2458856	external
https://www.cve.org/CVERecord?id=CVE-2026-40192	external
https://nvd.nist.gov/vuln/detail/CVE-2026-40192	external
https://github.com/python-pillow/Pillow/commit/3c…	external
https://github.com/python-pillow/Pillow/pull/9521	external
https://github.com/python-pillow/Pillow/security/…	external
https://pillow.readthedocs.io/en/stable/releaseno…	external
https://access.redhat.com/security/cve/CVE-2026-40895	self
https://bugzilla.redhat.com/show_bug.cgi?id=2460297	external
https://www.cve.org/CVERecord?id=CVE-2026-40895	external
https://nvd.nist.gov/vuln/detail/CVE-2026-40895	external
https://github.com/follow-redirects/follow-redire…	external
https://access.redhat.com/security/cve/CVE-2026-42033	self
https://bugzilla.redhat.com/show_bug.cgi?id=2461607	external
https://www.cve.org/CVERecord?id=CVE-2026-42033	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42033	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-42035	self
https://bugzilla.redhat.com/show_bug.cgi?id=2461606	external
https://www.cve.org/CVERecord?id=CVE-2026-42035	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42035	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-42039	self
https://bugzilla.redhat.com/show_bug.cgi?id=2461630	external
https://www.cve.org/CVERecord?id=CVE-2026-42039	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42039	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-42041	self
https://bugzilla.redhat.com/show_bug.cgi?id=2461629	external
https://www.cve.org/CVERecord?id=CVE-2026-42041	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42041	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-42043	self
https://bugzilla.redhat.com/show_bug.cgi?id=2461626	external
https://www.cve.org/CVERecord?id=CVE-2026-42043	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42043	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-42044	self
https://bugzilla.redhat.com/show_bug.cgi?id=2461624	external
https://www.cve.org/CVERecord?id=CVE-2026-42044	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42044	external
https://github.com/axios/axios/security/advisorie…	external

Acknowledgments

Antony Di Scala Michael Whale

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat Quay 3.9.22 is now available with bug fixes.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Quay 3.9.22",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:23361",
        "url": "https://access.redhat.com/errata/RHSA-2026:23361"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-61726",
        "url": "https://access.redhat.com/security/cve/CVE-2025-61726"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-61728",
        "url": "https://access.redhat.com/security/cve/CVE-2025-61728"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-62718",
        "url": "https://access.redhat.com/security/cve/CVE-2025-62718"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-2377",
        "url": "https://access.redhat.com/security/cve/CVE-2026-2377"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-32280",
        "url": "https://access.redhat.com/security/cve/CVE-2026-32280"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-32281",
        "url": "https://access.redhat.com/security/cve/CVE-2026-32281"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-32282",
        "url": "https://access.redhat.com/security/cve/CVE-2026-32282"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-32589",
        "url": "https://access.redhat.com/security/cve/CVE-2026-32589"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-32590",
        "url": "https://access.redhat.com/security/cve/CVE-2026-32590"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-33894",
        "url": "https://access.redhat.com/security/cve/CVE-2026-33894"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-34986",
        "url": "https://access.redhat.com/security/cve/CVE-2026-34986"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-39892",
        "url": "https://access.redhat.com/security/cve/CVE-2026-39892"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-40192",
        "url": "https://access.redhat.com/security/cve/CVE-2026-40192"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-40895",
        "url": "https://access.redhat.com/security/cve/CVE-2026-40895"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42033",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42033"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42035",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42035"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42039",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42039"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42041",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42041"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42043",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42043"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42044",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42044"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-4427",
        "url": "https://access.redhat.com/security/cve/CVE-2026-4427"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-4598",
        "url": "https://access.redhat.com/security/cve/CVE-2026-4598"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_23361.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Quay 3.9.22",
    "tracking": {
      "current_release_date": "2026-06-05T21:04:11+00:00",
      "generator": {
        "date": "2026-06-05T21:04:11+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.2"
        }
      },
      "id": "RHSA-2026:23361",
      "initial_release_date": "2026-06-04T14:36:50+00:00",
      "revision_history": [
        {
          "date": "2026-06-04T14:36:50+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-04T14:36:57+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-05T21:04:11+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Quay 3.9",
                "product": {
                  "name": "Red Hat Quay 3.9",
                  "product_id": "Red Hat Quay 3.9",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:quay:3.9::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Quay"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
                "product": {
                  "name": "registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
                  "product_id": "registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-container-security-operator-bundle@sha256%3A8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-container-security-operator-bundle\u0026tag=1779233745"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
                "product": {
                  "name": "registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
                  "product_id": "registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-container-security-operator-rhel8@sha256%3A9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-container-security-operator-rhel8\u0026tag=1779233264"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
                "product": {
                  "name": "registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
                  "product_id": "registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-bridge-operator-bundle@sha256%3A086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-bridge-operator-bundle\u0026tag=1779233747"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
                "product": {
                  "name": "registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
                  "product_id": "registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-bridge-operator-rhel8@sha256%3A5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-bridge-operator-rhel8\u0026tag=1779233279"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
                "product": {
                  "name": "registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
                  "product_id": "registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-builder-qemu-rhcos-rhel8@sha256%3A499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8\u0026tag=1779233697"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
                "product": {
                  "name": "registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
                  "product_id": "registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-builder-rhel8@sha256%3Add303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-builder-rhel8\u0026tag=1779233301"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
                "product": {
                  "name": "registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
                  "product_id": "registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/clair-rhel8@sha256%3Aff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe?arch=amd64\u0026repository_url=registry.redhat.io/quay/clair-rhel8\u0026tag=1779233282"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
                "product": {
                  "name": "registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
                  "product_id": "registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-operator-bundle@sha256%3A8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-operator-bundle\u0026tag=1779815781"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
                "product": {
                  "name": "registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
                  "product_id": "registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-operator-rhel8@sha256%3Ae89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-operator-rhel8\u0026tag=1779233286"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64",
                "product": {
                  "name": "registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64",
                  "product_id": "registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-rhel8@sha256%3Ae43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-rhel8\u0026tag=1779811473"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
                "product": {
                  "name": "registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
                  "product_id": "registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-container-security-operator-rhel8@sha256%3Ab20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5?arch=ppc64le\u0026repository_url=registry.redhat.io/quay/quay-container-security-operator-rhel8\u0026tag=1779233264"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
                "product": {
                  "name": "registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
                  "product_id": "registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-bridge-operator-rhel8@sha256%3A54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537?arch=ppc64le\u0026repository_url=registry.redhat.io/quay/quay-bridge-operator-rhel8\u0026tag=1779233279"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
                "product": {
                  "name": "registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
                  "product_id": "registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-builder-rhel8@sha256%3A39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c?arch=ppc64le\u0026repository_url=registry.redhat.io/quay/quay-builder-rhel8\u0026tag=1779233301"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
                "product": {
                  "name": "registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
                  "product_id": "registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/clair-rhel8@sha256%3A0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2?arch=ppc64le\u0026repository_url=registry.redhat.io/quay/clair-rhel8\u0026tag=1779233282"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
                "product": {
                  "name": "registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
                  "product_id": "registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-operator-rhel8@sha256%3A5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b?arch=ppc64le\u0026repository_url=registry.redhat.io/quay/quay-operator-rhel8\u0026tag=1779233286"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
                "product": {
                  "name": "registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
                  "product_id": "registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-rhel8@sha256%3A213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682?arch=ppc64le\u0026repository_url=registry.redhat.io/quay/quay-rhel8\u0026tag=1779811473"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
                "product": {
                  "name": "registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
                  "product_id": "registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-container-security-operator-rhel8@sha256%3A9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0?arch=s390x\u0026repository_url=registry.redhat.io/quay/quay-container-security-operator-rhel8\u0026tag=1779233264"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
                "product": {
                  "name": "registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
                  "product_id": "registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-bridge-operator-rhel8@sha256%3A56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424?arch=s390x\u0026repository_url=registry.redhat.io/quay/quay-bridge-operator-rhel8\u0026tag=1779233279"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
                "product": {
                  "name": "registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
                  "product_id": "registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-builder-rhel8@sha256%3A3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e?arch=s390x\u0026repository_url=registry.redhat.io/quay/quay-builder-rhel8\u0026tag=1779233301"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
                "product": {
                  "name": "registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
                  "product_id": "registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/clair-rhel8@sha256%3A1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390?arch=s390x\u0026repository_url=registry.redhat.io/quay/clair-rhel8\u0026tag=1779233282"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
                "product": {
                  "name": "registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
                  "product_id": "registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-operator-rhel8@sha256%3Ae7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e?arch=s390x\u0026repository_url=registry.redhat.io/quay/quay-operator-rhel8\u0026tag=1779233286"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
                "product": {
                  "name": "registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
                  "product_id": "registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/quay-rhel8@sha256%3Acc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb?arch=s390x\u0026repository_url=registry.redhat.io/quay/quay-rhel8\u0026tag=1779811473"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le"
        },
        "product_reference": "registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x"
        },
        "product_reference": "registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64 as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64"
        },
        "product_reference": "registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64 as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64"
        },
        "product_reference": "registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le"
        },
        "product_reference": "registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x"
        },
        "product_reference": "registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64 as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64"
        },
        "product_reference": "registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64 as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64"
        },
        "product_reference": "registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le"
        },
        "product_reference": "registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x"
        },
        "product_reference": "registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64 as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64"
        },
        "product_reference": "registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64 as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64"
        },
        "product_reference": "registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x"
        },
        "product_reference": "registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64 as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64"
        },
        "product_reference": "registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le"
        },
        "product_reference": "registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64 as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64"
        },
        "product_reference": "registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le"
        },
        "product_reference": "registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x"
        },
        "product_reference": "registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64 as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        },
        "product_reference": "registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le"
        },
        "product_reference": "registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x"
        },
        "product_reference": "registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64 as a component of Red Hat Quay 3.9",
          "product_id": "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        },
        "product_reference": "registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64",
        "relates_to_product_reference": "Red Hat Quay 3.9"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-61726",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-01-28T20:01:42.791305+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2434432"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-61726"
        },
        {
          "category": "external",
          "summary": "RHBZ#2434432",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/736712",
          "url": "https://go.dev/cl/736712"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/77101",
          "url": "https://go.dev/issue/77101"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4341",
          "url": "https://pkg.go.dev/vuln/GO-2026-4341"
        }
      ],
      "release_date": "2026-01-28T19:30:31.215000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        },
        {
          "category": "workaround",
          "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
    },
    {
      "cve": "CVE-2025-61728",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-01-28T20:01:39.965024+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2434431"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the archive/zip package in the Go standard library. A super-linear file name indexing algorithm is used in the first time a file in an archive is opened. A crafted zip archive containing a specific arrangement of file names can cause an excessive CPU and memory consumption. A Go application processing a malicious archive can become unresponsive or crash, resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this flaw, an attacker needs to be able to process a malicious zip archive with an application using the archive/zip package. Additionally, this vulnerability can cause a Go application to consume an excessive amount of CPU and memory, eventually resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-61728"
        },
        {
          "category": "external",
          "summary": "RHBZ#2434431",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434431"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-61728",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-61728"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/736713",
          "url": "https://go.dev/cl/736713"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/77102",
          "url": "https://go.dev/issue/77102"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4342",
          "url": "https://pkg.go.dev/vuln/GO-2026-4342"
        }
      ],
      "release_date": "2026-01-28T19:30:31.354000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, implement a timeout in your archive/zip processing logic to abort the operation if it exceeds a few seconds, preventing the application from consuming an excessive amount of resources.",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip"
    },
    {
      "cve": "CVE-2025-62718",
      "cwe": {
        "id": "CWE-1289",
        "name": "Improper Validation of Unsafe Equivalence in Input"
      },
      "discovery_date": "2026-04-09T15:01:48.111177+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2456913"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not correctly handle hostname normalization when evaluating NO_PROXY rules. An attacker can exploit this by crafting requests to loopback addresses (e.g., localhost. or [::1]) which bypass the NO_PROXY configuration and are routed through the configured proxy. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, enabling attackers to access sensitive internal or loopback services that should otherwise be protected.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw has limited impact due to combination of non-default conditions to exploit: the attacker must be able to control or influence URLs passed to axios in a server-side context, the application must have both `HTTP_PROXY` and `NO_PROXY` configured, and the proxy itself must be positioned to act on the misdirected traffic or have been compromised by the attacker to intercept the rerouted traffic.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-62718"
        },
        {
          "category": "external",
          "summary": "RHBZ#2456913",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456913"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-62718",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-62718"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-62718",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62718"
        },
        {
          "category": "external",
          "summary": "https://datatracker.ietf.org/doc/html/rfc1034#section-3.1",
          "url": "https://datatracker.ietf.org/doc/html/rfc1034#section-3.1"
        },
        {
          "category": "external",
          "summary": "https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2",
          "url": "https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df",
          "url": "https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/pull/10661",
          "url": "https://github.com/axios/axios/pull/10661"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/releases/tag/v1.15.0",
          "url": "https://github.com/axios/axios/releases/tag/v1.15.0"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5"
        }
      ],
      "release_date": "2026-04-09T14:31:46.067000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Antony Di Scala",
            "Michael Whale"
          ]
        }
      ],
      "cve": "CVE-2026-2377",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "discovery_date": "2026-02-11T21:02:44.495000+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2439201"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in mirror-registry. Authenticated users can exploit the log export feature by providing a specially crafted web address (URL). This allows the application\u0027s backend to make arbitrary requests to internal network resources, a vulnerability known as Server-Side Request Forgery (SSRF). This could lead to unauthorized access to sensitive information or other internal systems.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "mirror-registry: quay: quay: Server-Side Request Forgery via log export functionality",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Due to the intended and supported use case of Openshift Mirror Registry, deployment in an offline or network-isolated environment, the impact for this product has been downgraded to `Moderate`.\n\nEven in case of compromise, the blast radius is restricted to mirror-registry. It can not be escalated outside the core product. This vulnerability has been scored based on the lack of change of scope.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-2377"
        },
        {
          "category": "external",
          "summary": "RHBZ#2439201",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439201"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-2377",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-2377"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2377",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2377"
        }
      ],
      "release_date": "2026-04-08T16:18:10.324000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "mirror-registry: quay: quay: Server-Side Request Forgery via log export functionality"
    },
    {
      "cve": "CVE-2026-4427",
      "discovery_date": "2026-03-18T14:02:19.414820+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "No description is available for this CVE.",
          "title": "Vulnerability description"
        },
        {
          "category": "other",
          "text": "This CVE has been marked as Rejected by the assigning CNA.",
          "title": "Statement"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-4427"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-4427",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-4427"
        }
      ],
      "release_date": "2026-03-18T13:00:31+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        }
      ],
      "title": "github.com/jackc/pgproto3: pgproto3: Denial of Service via negative field length in DataRow message"
    },
    {
      "cve": "CVE-2026-4598",
      "cwe": {
        "id": "CWE-1287",
        "name": "Improper Validation of Specified Type of Input"
      },
      "discovery_date": "2026-03-23T06:01:47.891452+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2450210"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jsrsasign. A remote attacker could exploit this vulnerability by providing specially crafted zero or negative inputs to the bnModInverse function within the BigInteger.modInverse implementation. This could lead to an infinite loop, causing a permanent denial of service (DoS) by hanging the process.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jsrsasign: jsrsasign: Denial of Service via infinite loop in bnModInverse function with crafted inputs",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "IMPORTANT: A denial of service flaw was found in jsrsasign. This vulnerability allows a remote attacker to cause a permanent denial of service by providing specially crafted zero or negative inputs to the bnModInverse function, leading to an infinite loop. This affects Red Hat Migration Toolkit for Virtualization and Red Hat Quay, which utilize the vulnerable jsrsasign component.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-4598"
        },
        {
          "category": "external",
          "summary": "RHBZ#2450210",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450210"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-4598",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-4598"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4598",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4598"
        },
        {
          "category": "external",
          "summary": "https://gist.github.com/Kr0emer/a1bf5cd4547cc630d2dcc5e761de8264",
          "url": "https://gist.github.com/Kr0emer/a1bf5cd4547cc630d2dcc5e761de8264"
        },
        {
          "category": "external",
          "summary": "https://github.com/kjur/jsrsasign/commit/ca5b027240287a1e71fe63019fc4400332594323",
          "url": "https://github.com/kjur/jsrsasign/commit/ca5b027240287a1e71fe63019fc4400332594323"
        },
        {
          "category": "external",
          "summary": "https://github.com/kjur/jsrsasign/pull/648",
          "url": "https://github.com/kjur/jsrsasign/pull/648"
        },
        {
          "category": "external",
          "summary": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370938",
          "url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370938"
        }
      ],
      "release_date": "2026-03-23T05:00:11.571000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jsrsasign: jsrsasign: Denial of Service via infinite loop in bnModInverse function with crafted inputs"
    },
    {
      "cve": "CVE-2026-32280",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-04-08T02:01:19.572351+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2456339"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-32280"
        },
        {
          "category": "external",
          "summary": "RHBZ#2456339",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-32280",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/758320",
          "url": "https://go.dev/cl/758320"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/78282",
          "url": "https://go.dev/issue/78282"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4947",
          "url": "https://pkg.go.dev/vuln/GO-2026-4947"
        }
      ],
      "release_date": "2026-04-08T01:06:58.595000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building"
    },
    {
      "cve": "CVE-2026-32281",
      "cwe": {
        "id": "CWE-1050",
        "name": "Excessive Platform Resource Consumption within a Loop"
      },
      "discovery_date": "2026-04-08T02:01:00.930989+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2456333"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-32281"
        },
        {
          "category": "external",
          "summary": "RHBZ#2456333",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/758061",
          "url": "https://go.dev/cl/758061"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/78281",
          "url": "https://go.dev/issue/78281"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4946",
          "url": "https://pkg.go.dev/vuln/GO-2026-4946"
        }
      ],
      "release_date": "2026-04-08T01:06:58.354000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
    },
    {
      "cve": "CVE-2026-32282",
      "cwe": {
        "id": "CWE-367",
        "name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
      },
      "discovery_date": "2026-04-08T02:01:12.683211+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2456336"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this issue, an attacker needs access to the system and the required permissions to create a symbolic link. Additionally, the attacker must swap the target file with a symbolic link in the exact window after the `Root.Chmod` function checks its target but before acting. Due to these conditions, this flaw has been rated with a moderate severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-32282"
        },
        {
          "category": "external",
          "summary": "RHBZ#2456336",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-32282",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32282"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/763761",
          "url": "https://go.dev/cl/763761"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/78293",
          "url": "https://go.dev/issue/78293"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4864",
          "url": "https://pkg.go.dev/vuln/GO-2026-4864"
        }
      ],
      "release_date": "2026-04-08T01:06:55.953000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Antony Di Scala",
            "Michael Whale"
          ]
        }
      ],
      "cve": "CVE-2026-32589",
      "cwe": {
        "id": "CWE-639",
        "name": "Authorization Bypass Through User-Controlled Key"
      },
      "discovery_date": "2026-03-12T14:43:07.878000+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2446963"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Red Hat Quay\u0027s container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user\u0027s in-progress image upload.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "mirror-registry: quay: insecure direct object reference in BlobUpload",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Exploitation requires valid login credentials to the Quay registry. Unauthenticated users cannot exploit this flaw.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-32589"
        },
        {
          "category": "external",
          "summary": "RHBZ#2446963",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446963"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-32589",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32589"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32589",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32589"
        }
      ],
      "release_date": "2026-04-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "mirror-registry: quay: insecure direct object reference in BlobUpload"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Antony Di Scala",
            "Michael Whale"
          ]
        }
      ],
      "cve": "CVE-2026-32590",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2026-03-12T14:43:11.443000+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2446964"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Red Hat Quay\u0027s handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "mirror-registry: remote code execution using pickle deserialization",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Exploitation requires valid login credentials. The attacker must be authenticated to the registry, either through the web interface or through a container tool such as Podman.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-32590"
        },
        {
          "category": "external",
          "summary": "RHBZ#2446964",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446964"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-32590",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32590"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32590",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32590"
        }
      ],
      "release_date": "2026-04-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "mirror-registry: remote code execution using pickle deserialization"
    },
    {
      "cve": "CVE-2026-33894",
      "cwe": {
        "id": "CWE-347",
        "name": "Improper Verification of Cryptographic Signature"
      },
      "discovery_date": "2026-03-27T21:02:52.462999+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2452464"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Forge (also called `node-forge`), a JavaScript implementation of Transport Layer Security. A remote attacker could exploit weaknesses in the RSASSA PKCS#1 v1.5 signature verification process. By crafting malicious signatures that include extra data within the ASN structure and do not meet padding requirements, an attacker can bypass signature validation. This allows for the creation of forged signatures that appear legitimate, potentially compromising the integrity and authenticity of communications.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "node-forge: Forge: Signature Forgery via Weak RSASSA PKCS#1 v1.5 Verification",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33894"
        },
        {
          "category": "external",
          "summary": "RHBZ#2452464",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452464"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33894",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33894"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33894",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33894"
        },
        {
          "category": "external",
          "summary": "https://datatracker.ietf.org/doc/html/rfc2313#section-8",
          "url": "https://datatracker.ietf.org/doc/html/rfc2313#section-8"
        },
        {
          "category": "external",
          "summary": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp",
          "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp"
        },
        {
          "category": "external",
          "summary": "https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE",
          "url": "https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE"
        },
        {
          "category": "external",
          "summary": "https://www.rfc-editor.org/rfc/rfc8017.html",
          "url": "https://www.rfc-editor.org/rfc/rfc8017.html"
        }
      ],
      "release_date": "2026-03-27T20:45:49.583000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "node-forge: Forge: Signature Forgery via Weak RSASSA PKCS#1 v1.5 Verification"
    },
    {
      "cve": "CVE-2026-34986",
      "cwe": {
        "id": "CWE-131",
        "name": "Incorrect Calculation of Buffer Size"
      },
      "discovery_date": "2026-04-06T17:01:34.639203+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455470"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455470",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
        },
        {
          "category": "external",
          "summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
          "url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
        }
      ],
      "release_date": "2026-04-06T16:22:45.353000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
    },
    {
      "cve": "CVE-2026-39892",
      "cwe": {
        "id": "CWE-131",
        "name": "Incorrect Calculation of Buffer Size"
      },
      "discovery_date": "2026-04-08T22:00:59.416053+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2456735"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the cryptography library. This vulnerability occurs when a non-contiguous buffer is passed to certain application programming interfaces (APIs) that accept Python buffers, such as Hash.update(). A remote attacker could exploit this to cause a buffer overflow, potentially leading to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cryptography: Cryptography: Buffer overflow via non-contiguous buffer in API",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "In default configurations Red Hat products isolate service processes from total system access. Should an attacker be able to exploit this vulnerability their impact will be limited to that service account and they will not have access to the broader system.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-39892"
        },
        {
          "category": "external",
          "summary": "RHBZ#2456735",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456735"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-39892",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-39892"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39892",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39892"
        },
        {
          "category": "external",
          "summary": "http://www.openwall.com/lists/oss-security/2026/04/08/12",
          "url": "http://www.openwall.com/lists/oss-security/2026/04/08/12"
        },
        {
          "category": "external",
          "summary": "https://github.com/pyca/cryptography/commit/622d672e429a7cff836a23c5903683dbec1901f5",
          "url": "https://github.com/pyca/cryptography/commit/622d672e429a7cff836a23c5903683dbec1901f5"
        },
        {
          "category": "external",
          "summary": "https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq",
          "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq"
        }
      ],
      "release_date": "2026-04-08T20:49:41.967000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "cryptography: Cryptography: Buffer overflow via non-contiguous buffer in API"
    },
    {
      "cve": "CVE-2026-40192",
      "cwe": {
        "id": "CWE-409",
        "name": "Improper Handling of Highly Compressed Data (Data Amplification)"
      },
      "discovery_date": "2026-04-16T00:00:49.590876+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2458856"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Pillow, a Python imaging library. This vulnerability allows a remote attacker to trigger a denial of service (DoS) by providing a specially crafted FITS image file. The library\u0027s failure to limit the amount of GZIP-compressed data during decoding can lead to unbounded memory consumption, causing the system to crash or experience severe performance issues.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Pillow: Pillow: Denial of Service via decompression bomb in FITS image processing",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-40192"
        },
        {
          "category": "external",
          "summary": "RHBZ#2458856",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458856"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-40192",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-40192"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40192",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40192"
        },
        {
          "category": "external",
          "summary": "https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628",
          "url": "https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628"
        },
        {
          "category": "external",
          "summary": "https://github.com/python-pillow/Pillow/pull/9521",
          "url": "https://github.com/python-pillow/Pillow/pull/9521"
        },
        {
          "category": "external",
          "summary": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j",
          "url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j"
        },
        {
          "category": "external",
          "summary": "https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html#prevent-fits-decompression-bomb",
          "url": "https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html#prevent-fits-decompression-bomb"
        }
      ],
      "release_date": "2026-04-15T22:53:56.147000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Pillow: Pillow: Denial of Service via decompression bomb in FITS image processing"
    },
    {
      "cve": "CVE-2026-40895",
      "cwe": {
        "id": "CWE-212",
        "name": "Improper Removal of Sensitive Information Before Storage or Transfer"
      },
      "discovery_date": "2026-04-21T21:02:33.280553+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2460297"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in follow-redirects. When an HTTP request follows a cross-domain redirect (a redirection to a different domain), custom authentication headers, such as X-API-Key or X-Auth-Token, are not properly stripped. This allows these sensitive headers to be forwarded verbatim to the redirect target, potentially leading to the unintended disclosure of authentication information to an untrusted third party.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "follow-redirects: follow-redirects: Information disclosure via cross-domain redirects",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-40895"
        },
        {
          "category": "external",
          "summary": "RHBZ#2460297",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460297"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-40895",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-40895"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40895",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40895"
        },
        {
          "category": "external",
          "summary": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653",
          "url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653"
        }
      ],
      "release_date": "2026-04-21T19:59:59.759000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "follow-redirects: follow-redirects: Information disclosure via cross-domain redirects"
    },
    {
      "cve": "CVE-2026-42033",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-04-24T18:01:20.937507+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461607"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HTTP communication. This could lead to unauthorized access to sensitive information like user credentials and request details.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: HTTP Transport Hijacking via Prototype Pollution",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42033"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461607",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461607"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42033",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42033"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf"
        }
      ],
      "release_date": "2026-04-24T17:36:44.132000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: HTTP Transport Hijacking via Prototype Pollution"
    },
    {
      "cve": "CVE-2026-42035",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-04-24T18:01:17.109481+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461606"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application\u0027s core object definitions are manipulated, causing Axios to misinterpret data and include attacker-controlled headers in network communications. This could lead to unauthorized actions or data manipulation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Arbitrary HTTP header injection via prototype pollution",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42035"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461606",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461606"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42035",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42035"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9"
        }
      ],
      "release_date": "2026-04-24T17:38:07.752000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "axios: Axios: Arbitrary HTTP header injection via prototype pollution"
    },
    {
      "cve": "CVE-2026-42039",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-04-24T19:01:44.887156+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461630"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the `toFormData` function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js process to crash due to a RangeError, leading to a potential Denial of Service (DoS) if the process crashes.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42039"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461630",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461630"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42039",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42039"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9"
        }
      ],
      "release_date": "2026-04-24T18:01:30.775000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data"
    },
    {
      "cve": "CVE-2026-42041",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-04-24T19:01:41.034289+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461629"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to manipulate the `Object.prototype.validateStatus` property. By polluting this property, all HTTP error responses (such as 401, 403, or 500) are silently treated as successful responses. This can lead to a complete bypass of application-level authentication and error handling, potentially granting unauthorized access.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42041"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461629",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461629"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42041",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42041"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63"
        }
      ],
      "release_date": "2026-04-24T17:55:30.036000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling"
    },
    {
      "cve": "CVE-2026-42043",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "discovery_date": "2026-04-24T19:01:22.552379+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461626"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses (within the 127.0.0.0/8 range, excluding 127.0.0.1), the attacker can completely bypass the NO_PROXY protection, potentially leading to unauthorized access or information disclosure within the network. This issue is an incomplete fix for a previous vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: NO_PROXY bypass via crafted URL",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42043"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461626",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461626"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42043",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42043"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7"
        }
      ],
      "release_date": "2026-04-24T17:54:42.668000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: NO_PROXY bypass via crafted URL"
    },
    {
      "cve": "CVE-2026-42044",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-04-24T19:01:13.418725+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461624"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution \"Gadget\" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
        ],
        "known_not_affected": [
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
          "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42044"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461624",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461624"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42044",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42044"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23"
        }
      ],
      "release_date": "2026-04-24T17:49:49.517000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-04T14:36:50+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:0b0ecd3a428dece445d557be19d0996b6ac9d6bb6da31afdb7421bc9939611b2_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:1b7667a1d8270eb378a553a47e2002ea8a1d6273a85774ecd43a7942ea2a9390_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/clair-rhel8@sha256:ff1876083ba67b1ba5b29f8e186a4f8409083c7939607ebb65866e7a1cb39bbe_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-bundle@sha256:086d403e42c9ef583f6a3cd8a5a1169967085ebf764376e53f1a4f013cf14b6d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:54f11bcca5d5ae3f68670136447d2072ac8c0d7bf2711f0f73df7fd50e70f537_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:56b5da889ae2dd8fa359ac965a47d5e54942748de4c1506d18081fe8e5639424_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-bridge-operator-rhel8@sha256:5e980b6d4a08d3aa8851c3402eccfecd9cd71c73bce187a7c8e131d0ff3d480b_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8@sha256:499887bb396966300a42f61f1f70450d9e726d78737e6b8346e8fc64336d5e9f_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:39b151d9d7f16612535c6f49e2618f7adeaac6ba9988b76e2cbc4361ee7cd80c_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:3a2c4cdcfb18d07736c6a7e890fc07c664cd2c343d7eaa566552149b860a471e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-builder-rhel8@sha256:dd303901b2b6ad736407e0fabcf6a70cac9fe9fe1976a89e2e53570fcbacf17d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-bundle@sha256:8c7d45b2b41967720762c47cace1a1467c770e310e840c66de140da510e6f7bc_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9ad3688f341e892ef223c2029edc9502ee4d6b2687871370a442f6951f7bb4f0_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:9f5305c63f44d84776243024a9c73e7939d5e5280bbebd17bec78610fc09b078_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-container-security-operator-rhel8@sha256:b20353ac757b01c006989ac9c109341e95278b5c22b6432fdfe9588583b9c9f5_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-bundle@sha256:8dd0d4412f7db90bd986f2f2c25016494a0027a2a9ea0d72657843429e448793_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:5dbc5ef200e2c26c8fe6e8b82d0223f06987972f19bf94e333f30faded46657b_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e7330d260bb74ead476d4ff45607bc78d87a518d311f6a874bb9e5f38be3b40e_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-operator-rhel8@sha256:e89ae6e88f763af3ebf269c2cf41ef4cdf248e532cc4266f608b943cefbd8b2d_amd64",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:213950327c209a8132eabba4de3dc940cd15f5a5d5ae7efd2b75c3c08c06a682_ppc64le",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:cc7110e65ef4d9ec5d3f19741e973318bd8699059886e4514015a228365256bb_s390x",
            "Red Hat Quay 3.9:registry.redhat.io/quay/quay-rhel8@sha256:e43d2243b0ec9c5875b3bfe44cc2507c0b5e0226afa94662b98cbadcc0d220b6_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget"
    }
  ]
}

CVE-2025-61726 (GCVE-0-2025-61726)

Vulnerability from cvelistv5 – Published: 2026-01-28 19:30 – Updated: 2026-01-29 18:31

Title

Memory exhaustion in query parameter parsing in net/url

Summary

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

References

4 references

URL	Tags
https://go.dev/cl/736712
https://go.dev/issue/77101
https://groups.google.com/g/golang-announce/c/Vd2…
https://pkg.go.dev/vuln/GO-2026-4341

Impacted products

1 product

Vendor	Product	Version
Go standard library	net/url	Affected: 0 , < 1.24.12 (semver) Affected: 1.25.0 , < 1.25.6 (semver)

Credits

jub0bs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-61726",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T18:31:39.150633Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T18:31:59.685Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/url",
          "product": "net/url",
          "programRoutines": [
            {
              "name": "parseQuery"
            },
            {
              "name": "ParseQuery"
            },
            {
              "name": "URL.Query"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.6",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "jub0bs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T19:30:31.215Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/736712"
        },
        {
          "url": "https://go.dev/issue/77101"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4341"
        }
      ],
      "title": "Memory exhaustion in query parameter parsing in net/url"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-61726",
    "datePublished": "2026-01-28T19:30:31.215Z",
    "dateReserved": "2025-09-30T15:05:03.605Z",
    "dateUpdated": "2026-01-29T18:31:59.685Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-61728 (GCVE-0-2025-61728)

Vulnerability from cvelistv5 – Published: 2026-01-28 19:30 – Updated: 2026-01-29 18:30

Title

Excessive CPU consumption when building archive index in archive/zip

Summary

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

5 references

URL	Tags
https://go.dev/cl/736713
https://go.dev/issue/77102
https://groups.google.com/g/golang-announce/c/Vd2…
https://pkg.go.dev/vuln/GO-2026-4342
http://www.openwall.com/lists/oss-security/2026/01/15/4

Impacted products

1 product

Vendor	Product	Version
Go standard library	archive/zip	Affected: 0 , < 1.24.12 (semver) Affected: 1.25.0 , < 1.25.6 (semver)

Credits

Jakub Ciolek

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-01-28T20:08:22.055Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/01/15/4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-61728",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T18:29:58.068724Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T18:30:24.487Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "archive/zip",
          "product": "archive/zip",
          "programRoutines": [
            {
              "name": "Reader.initFileList"
            },
            {
              "name": "Reader.Open"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.6",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T19:30:31.354Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/736713"
        },
        {
          "url": "https://go.dev/issue/77102"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4342"
        }
      ],
      "title": "Excessive CPU consumption when building archive index in archive/zip"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-61728",
    "datePublished": "2026-01-28T19:30:31.354Z",
    "dateReserved": "2025-09-30T15:05:03.605Z",
    "dateUpdated": "2026-01-29T18:30:24.487Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-62718 (GCVE-0-2025-62718)

Vulnerability from cvelistv5 – Published: 2026-04-09 14:31 – Updated: 2026-04-16 18:44

Title

Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

9 references

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM
https://github.com/axios/axios/pull/10661	x_refsource_MISC
https://github.com/axios/axios/pull/10688	x_refsource_MISC
https://github.com/axios/axios/commit/03cdfc99e8d…	x_refsource_MISC
https://github.com/axios/axios/commit/fb3befb6daa…	x_refsource_MISC
https://datatracker.ietf.org/doc/html/rfc1034#sec…	x_refsource_MISC
https://datatracker.ietf.org/doc/html/rfc3986#sec…	x_refsource_MISC
https://github.com/axios/axios/releases/tag/v0.31.0	x_refsource_MISC
https://github.com/axios/axios/releases/tag/v1.15.0	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.15.0 Affected: < 0.31.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62718",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T15:02:50.313939Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-09T16:15:31.322Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.0"
            },
            {
              "status": "affected",
              "version": "\u003c 0.31.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-16T18:44:20.705Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5"
        },
        {
          "name": "https://github.com/axios/axios/pull/10661",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/pull/10661"
        },
        {
          "name": "https://github.com/axios/axios/pull/10688",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/pull/10688"
        },
        {
          "name": "https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c"
        },
        {
          "name": "https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df"
        },
        {
          "name": "https://datatracker.ietf.org/doc/html/rfc1034#section-3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://datatracker.ietf.org/doc/html/rfc1034#section-3.1"
        },
        {
          "name": "https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2"
        },
        {
          "name": "https://github.com/axios/axios/releases/tag/v0.31.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/releases/tag/v0.31.0"
        },
        {
          "name": "https://github.com/axios/axios/releases/tag/v1.15.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/releases/tag/v1.15.0"
        }
      ],
      "source": {
        "advisory": "GHSA-3p68-rc4w-qgx5",
        "discovery": "UNKNOWN"
      },
      "title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-62718",
    "datePublished": "2026-04-09T14:31:46.067Z",
    "dateReserved": "2025-10-20T19:41:22.741Z",
    "dateUpdated": "2026-04-16T18:44:20.705Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2377 (GCVE-0-2026-2377)

Vulnerability from cvelistv5 – Published: 2026-04-08 16:26 – Updated: 2026-06-04 14:45

Title

Mirror-registry: quay: quay: server-side request forgery via log export functionality

Summary

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

redhat

References

7 references

URL	Tags
https://access.redhat.com/errata/RHSA-2026:19375	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:21017	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22629	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22840	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:23361	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-2377	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2439201	issue-trackingx_refsource_REDHAT

Impacted products

7 products

Vendor	Product	Version
Red Hat	Red Hat Quay 3.1	Unaffected: 1779822261 , < * (rpm) cpe:/a:redhat:quay:3.10::el8
Red Hat	Red Hat Quay 3.12	Unaffected: 1779811412 , < * (rpm) cpe:/a:redhat:quay:3.12::el8
Red Hat	Red Hat Quay 3.14	Unaffected: 1779689392 , < * (rpm) cpe:/a:redhat:quay:3.14::el8
Red Hat	Red Hat Quay 3.16	Unaffected: 1779204086 , < * (rpm) cpe:/a:redhat:quay:3.16::el9
Red Hat	Red Hat Quay 3.9	Unaffected: 1779811473 , < * (rpm) cpe:/a:redhat:quay:3.9::el8
Red Hat	mirror registry for Red Hat OpenShift	cpe:/a:redhat:mirror_registry:1
Red Hat	mirror registry for Red Hat OpenShift 2	cpe:/a:redhat:mirror_registry:2

Date Public

2026-04-08 16:18

Credits

Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2377",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T18:42:52.638708Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T18:43:00.505Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.10::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel8",
          "product": "Red Hat Quay 3.1",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779822261",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.12::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel8",
          "product": "Red Hat Quay 3.12",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779811412",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.14::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel8",
          "product": "Red Hat Quay 3.14",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779689392",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.16::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel9",
          "product": "Red Hat Quay 3.16",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779204086",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.9::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel8",
          "product": "Red Hat Quay 3.9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779811473",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:mirror_registry:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift/mirror-registry-rhel8",
          "product": "mirror registry for Red Hat OpenShift",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:mirror_registry:2"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift/mirror-registry-rhel8",
          "product": "mirror registry for Red Hat OpenShift 2",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue."
        }
      ],
      "datePublic": "2026-04-08T16:18:10.324Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in mirror-registry. Authenticated users can exploit the log export feature by providing a specially crafted web address (URL). This allows the application\u0027s backend to make arbitrary requests to internal network resources, a vulnerability known as Server-Side Request Forgery (SSRF). This could lead to unauthorized access to sensitive information or other internal systems."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T14:45:39.355Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:19375",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:19375"
        },
        {
          "name": "RHSA-2026:21017",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:21017"
        },
        {
          "name": "RHSA-2026:22629",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:22629"
        },
        {
          "name": "RHSA-2026:22840",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:22840"
        },
        {
          "name": "RHSA-2026:23361",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-2377"
        },
        {
          "name": "RHBZ#2439201",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439201"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-11T21:02:44.495Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-04-08T16:18:10.324Z",
          "value": "Made public."
        }
      ],
      "title": "Mirror-registry: quay: quay: server-side request forgery via log export functionality",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-918: Server-Side Request Forgery (SSRF)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-2377",
    "datePublished": "2026-04-08T16:26:07.649Z",
    "dateReserved": "2026-02-11T20:57:59.704Z",
    "dateUpdated": "2026-06-04T14:45:39.355Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32280 (GCVE-0-2026-32280)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-08 17:46

Title

Unexpected work during chain building in crypto/x509

Summary

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

References

4 references

URL	Tags
https://go.dev/cl/758320
https://go.dev/issue/78282
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4947

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Jakub Ciolek - https://ciolek.dev

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32280",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T17:46:14.569488Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T17:46:47.347Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "Certificate.buildChains"
            },
            {
              "name": "Certificate.Verify"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:58.595Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/758320"
        },
        {
          "url": "https://go.dev/issue/78282"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4947"
        }
      ],
      "title": "Unexpected work during chain building in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32280",
    "datePublished": "2026-04-08T01:06:58.595Z",
    "dateReserved": "2026-03-11T16:38:46.555Z",
    "dateUpdated": "2026-04-08T17:46:47.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32281 (GCVE-0-2026-32281)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:19

Title

Inefficient policy validation in crypto/x509

Summary

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

4 references

URL	Tags
https://go.dev/cl/758061
https://go.dev/issue/78281
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4946

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Jakub Ciolek - https://ciolek.dev

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32281",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:52:37.734298Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:19:44.779Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "policiesValid"
            },
            {
              "name": "Certificate.Verify"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:58.354Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/758061"
        },
        {
          "url": "https://go.dev/issue/78281"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4946"
        }
      ],
      "title": "Inefficient policy validation in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32281",
    "datePublished": "2026-04-08T01:06:58.354Z",
    "dateReserved": "2026-03-11T16:38:46.556Z",
    "dateUpdated": "2026-04-13T18:19:44.779Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32282 (GCVE-0-2026-32282)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:20

Title

TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

Summary

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Severity

6.4 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following

Assigner

References

4 references

URL	Tags
https://go.dev/cl/763761
https://go.dev/issue/78293
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4864

Impacted products

1 product

Vendor	Product	Version
Go standard library	internal/syscall/unix	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Uuganbayar Lkhamsuren (https://github.com/uug4na)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32282",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T17:47:42.666766Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T18:20:56.456Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "internal/syscall/unix",
          "platforms": [
            "linux"
          ],
          "product": "internal/syscall/unix",
          "programRoutines": [
            {
              "name": "Fchmodat"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Uuganbayar Lkhamsuren (https://github.com/uug4na)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:55.953Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/763761"
        },
        {
          "url": "https://go.dev/issue/78293"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4864"
        }
      ],
      "title": "TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32282",
    "datePublished": "2026-04-08T01:06:55.953Z",
    "dateReserved": "2026-03-11T16:38:46.556Z",
    "dateUpdated": "2026-04-13T18:20:56.456Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32589 (GCVE-0-2026-32589)

Vulnerability from cvelistv5 – Published: 2026-04-08 17:04 – Updated: 2026-06-04 14:46

Title

Mirror-registry: quay: insecure direct object reference in blobupload

Summary

Severity

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

redhat

References

8 references

URL	Tags
https://access.redhat.com/errata/RHSA-2026:19375	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:21017	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22465	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22629	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22840	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:23361	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-32589	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2446963	issue-trackingx_refsource_REDHAT

Impacted products

8 products

Vendor	Product	Version
Red Hat	Red Hat Quay 3.1	Unaffected: 1779822261 , < * (rpm) cpe:/a:redhat:quay:3.10::el8
Red Hat	Red Hat Quay 3.12	Unaffected: 1779811412 , < * (rpm) cpe:/a:redhat:quay:3.12::el8
Red Hat	Red Hat Quay 3.14	Unaffected: 1779689392 , < * (rpm) cpe:/a:redhat:quay:3.14::el8
Red Hat	Red Hat Quay 3.16	Unaffected: 1779204086 , < * (rpm) cpe:/a:redhat:quay:3.16::el9
Red Hat	Red Hat Quay 3.17	Unaffected: 1779922205 , < * (rpm) cpe:/a:redhat:quay:3.17::el9
Red Hat	Red Hat Quay 3.9	Unaffected: 1779811473 , < * (rpm) cpe:/a:redhat:quay:3.9::el8
Red Hat	mirror registry for Red Hat OpenShift	cpe:/a:redhat:mirror_registry:1
Red Hat	mirror registry for Red Hat OpenShift 2	cpe:/a:redhat:mirror_registry:2

Date Public

2026-04-08 00:00

Credits

Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32589",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T18:01:21.450628Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T18:01:32.402Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.10::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel8",
          "product": "Red Hat Quay 3.1",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779822261",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.12::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel8",
          "product": "Red Hat Quay 3.12",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779811412",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.14::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel8",
          "product": "Red Hat Quay 3.14",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779689392",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.16::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel9",
          "product": "Red Hat Quay 3.16",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779204086",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.17::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel9",
          "product": "Red Hat Quay 3.17",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779922205",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.9::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel8",
          "product": "Red Hat Quay 3.9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779811473",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:mirror_registry:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift/mirror-registry-rhel8",
          "product": "mirror registry for Red Hat OpenShift",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:mirror_registry:2"
          ],
          "defaultStatus": "unaffected",
          "packageName": "openshift/mirror-registry-rhel8",
          "product": "mirror registry for Red Hat OpenShift 2",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue."
        }
      ],
      "datePublic": "2026-04-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Red Hat Quay\u0027s container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user\u0027s in-progress image upload."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T14:46:13.741Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:19375",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:19375"
        },
        {
          "name": "RHSA-2026:21017",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:21017"
        },
        {
          "name": "RHSA-2026:22465",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:22465"
        },
        {
          "name": "RHSA-2026:22629",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:22629"
        },
        {
          "name": "RHSA-2026:22840",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:22840"
        },
        {
          "name": "RHSA-2026:23361",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-32589"
        },
        {
          "name": "RHBZ#2446963",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446963"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-12T14:43:07.878Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-04-08T00:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Mirror-registry: quay: insecure direct object reference in blobupload",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-32589",
    "datePublished": "2026-04-08T17:04:20.284Z",
    "dateReserved": "2026-03-12T14:39:53.657Z",
    "dateUpdated": "2026-06-04T14:46:13.741Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32590 (GCVE-0-2026-32590)

Vulnerability from cvelistv5 – Published: 2026-04-08 17:04 – Updated: 2026-06-04 14:48

Title

Mirror-registry: remote code execution using pickle deserialization

Summary

Severity

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

redhat

References

8 references

URL	Tags
https://access.redhat.com/errata/RHSA-2026:19375	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:21017	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22465	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22629	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22840	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:23361	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-32590	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2446964	issue-trackingx_refsource_REDHAT

Impacted products

8 products

Vendor	Product	Version
Red Hat	Red Hat Quay 3.1	Unaffected: 1779822261 , < * (rpm) cpe:/a:redhat:quay:3.10::el8
Red Hat	Red Hat Quay 3.12	Unaffected: 1779811412 , < * (rpm) cpe:/a:redhat:quay:3.12::el8
Red Hat	Red Hat Quay 3.14	Unaffected: 1779689392 , < * (rpm) cpe:/a:redhat:quay:3.14::el8
Red Hat	Red Hat Quay 3.16	Unaffected: 1779204086 , < * (rpm) cpe:/a:redhat:quay:3.16::el9
Red Hat	Red Hat Quay 3.17	Unaffected: 1779922205 , < * (rpm) cpe:/a:redhat:quay:3.17::el9
Red Hat	Red Hat Quay 3.9	Unaffected: 1779811473 , < * (rpm) cpe:/a:redhat:quay:3.9::el8
Red Hat	mirror registry for Red Hat OpenShift	cpe:/a:redhat:mirror_registry:1
Red Hat	mirror registry for Red Hat OpenShift 2	cpe:/a:redhat:mirror_registry:2

Date Public

2026-04-08 00:00

Credits

Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32590",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T19:14:47.764287Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T19:14:55.136Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.10::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel8",
          "product": "Red Hat Quay 3.1",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779822261",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.12::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel8",
          "product": "Red Hat Quay 3.12",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779811412",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.14::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel8",
          "product": "Red Hat Quay 3.14",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779689392",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.16::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel9",
          "product": "Red Hat Quay 3.16",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779204086",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.17::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel9",
          "product": "Red Hat Quay 3.17",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779922205",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:quay:3.9::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "quay/quay-rhel8",
          "product": "Red Hat Quay 3.9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1779811473",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:mirror_registry:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift/mirror-registry-rhel8",
          "product": "mirror registry for Red Hat OpenShift",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:mirror_registry:2"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift/mirror-registry-rhel8",
          "product": "mirror registry for Red Hat OpenShift 2",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue."
        }
      ],
      "datePublic": "2026-04-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Red Hat Quay\u0027s handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T14:48:29.144Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:19375",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:19375"
        },
        {
          "name": "RHSA-2026:21017",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:21017"
        },
        {
          "name": "RHSA-2026:22465",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:22465"
        },
        {
          "name": "RHSA-2026:22629",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:22629"
        },
        {
          "name": "RHSA-2026:22840",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:22840"
        },
        {
          "name": "RHSA-2026:23361",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:23361"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-32590"
        },
        {
          "name": "RHBZ#2446964",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446964"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-12T14:43:11.443Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-04-08T00:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Mirror-registry: remote code execution using pickle deserialization",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-502: Deserialization of Untrusted Data"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-32590",
    "datePublished": "2026-04-08T17:04:22.870Z",
    "dateReserved": "2026-03-12T14:39:53.657Z",
    "dateUpdated": "2026-06-04T14:48:29.144Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33894 (GCVE-0-2026-33894)

Vulnerability from cvelistv5 – Published: 2026-03-27 20:45 – Updated: 2026-03-31 14:05

Title

Forge has signature forgery in RSA-PKCS due to ASN.1 extra field

Summary

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-347 - Improper Verification of Cryptographic Signature
CWE-20 - Improper Input Validation

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/digitalbazaar/forge/security/a…	x_refsource_CONFIRM
https://datatracker.ietf.org/doc/html/rfc2313#section-8	x_refsource_MISC
https://mailarchive.ietf.org/arch/msg/openpgp/5rn…	x_refsource_MISC
https://www.rfc-editor.org/rfc/rfc8017.html	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
digitalbazaar	forge	Affected: < 1.4.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33894",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T14:04:30.304300Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T14:05:14.708Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "forge",
          "vendor": "digitalbazaar",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing \u201cgarbage\u201d bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it.  Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T20:45:49.583Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp"
        },
        {
          "name": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp"
        },
        {
          "name": "https://datatracker.ietf.org/doc/html/rfc2313#section-8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://datatracker.ietf.org/doc/html/rfc2313#section-8"
        },
        {
          "name": "https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE"
        },
        {
          "name": "https://www.rfc-editor.org/rfc/rfc8017.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.rfc-editor.org/rfc/rfc8017.html"
        }
      ],
      "source": {
        "advisory": "GHSA-ppp5-5v6c-4jwp",
        "discovery": "UNKNOWN"
      },
      "title": "Forge has signature forgery in RSA-PKCS due to ASN.1 extra field"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33894",
    "datePublished": "2026-03-27T20:45:49.583Z",
    "dateReserved": "2026-03-24T15:41:47.489Z",
    "dateUpdated": "2026-03-31T14:05:14.708Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:23361

CVE-2025-61726 (GCVE-0-2025-61726)

CVE-2025-61728 (GCVE-0-2025-61728)

CVE-2025-62718 (GCVE-0-2025-62718)

CVE-2026-2377 (GCVE-0-2026-2377)

CVE-2026-32280 (GCVE-0-2026-32280)

CVE-2026-32281 (GCVE-0-2026-32281)

CVE-2026-32282 (GCVE-0-2026-32282)

CVE-2026-32589 (GCVE-0-2026-32589)

CVE-2026-32590 (GCVE-0-2026-32590)

CVE-2026-33894 (GCVE-0-2026-33894)

Tags

Sightings

Nomenclature