Vulnerability-Lookup

RHSA-2026:33163

Vulnerability from csaf_redhat - Published: 2026-06-29 16:41 - Updated: 2026-06-30 04:22

Summary

Red Hat Security Advisory: Kiali 2.11.13 for Red Hat OpenShift Service Mesh 3.1

Severity

Important

Notes

Topic: Kiali 2.11.13 for Red Hat OpenShift Service Mesh 3.1 is now available. An update is now available for Red Hat OpenShift Service Mesh 3.1. This advisory contains the RPM packages for the Kiali component. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Kiali 2.11.13, for Red Hat OpenShift Service Mesh 3.1, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently. Security Fix(es): * CVE-2026-42338 openshift-service-mesh/kiali-ossmc-rhel9: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (OSSM-14063) * CVE-2026-42338 openshift-service-mesh/kiali-rhel9: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (OSSM-14068) * CVE-2026-39821 openshift-service-mesh/kiali-rhel9: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing (OSSM-14070) * CVE-2026-44495 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure due to prototype pollution vulnerability (OSSM-14144) * CVE-2026-44495 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure due to prototype pollution vulnerability (OSSM-14149) * CVE-2026-44488 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Denial of Service due to unenforced request and response size limits (OSSM-14157) * CVE-2026-44488 openshift-service-mesh/kiali-rhel9: Axios: Denial of Service due to unenforced request and response size limits (OSSM-14162) * CVE-2026-44487 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure of proxy credentials via redirect flows (OSSM-14166) * CVE-2026-44487 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure of proxy credentials via redirect flows (OSSM-14173) * CVE-2026-44494 openshift-service-mesh/kiali-rhel9: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution (OSSM-14222) * CVE-2026-44494 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution (OSSM-14171) * CVE-2026-44496 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name (OSSM-14213) * CVE-2026-44496 openshift-service-mesh/kiali-rhel9: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name (OSSM-14185) * CVE-2026-44486 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure of proxy credentials via HTTP redirects (OSSM-14200) * CVE-2026-44486 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure of proxy credentials via HTTP redirects (OSSM-14188) * CVE-2026-44492 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization (OSSM-14227) * CVE-2026-44492 openshift-service-mesh/kiali-rhel9: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization (OSSM-14230) * CVE-2026-48779 openshift-service-mesh/kiali-rhel9: ws: Denial of Service via memory exhaustion from small WebSocket fragments (OSSM-14311) * CVE-2026-48779 openshift-service-mesh/kiali-ossmc-rhel9: ws: Denial of Service via memory exhaustion from small WebSocket fragments (OSSM-14314) * CVE-2026-12143 openshift-service-mesh/kiali-ossmc-rhel9: form-data: Form field override via CRLF injection (OSSM-14333) * CVE-2026-12143 openshift-service-mesh/kiali-rhel9: form-data: Form field override via CRLF injection (OSSM-14330) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-12143

A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return (CR), line feed (LF), or double-quote (") characters into the `field` argument of `FormData#append` or the `filename` option. This allows the attacker to inject additional headers or smuggle entire additional multipart parts into requests, potentially enabling them to add or override form fields and compromise data integrity.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-39821

A flaw was found in the `idna` package, specifically within the `golang.org/x/net/idna` component. This vulnerability allows for privilege escalation due to incorrect processing of Punycode-encoded labels. An attacker could craft a malicious Punycode label that, when initially checked, appears safe but then decodes to a restricted ASCII hostname, bypassing security controls and gaining unauthorized access.

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

CWE-1289 - Improper Validation of Unsafe Equivalence in Input

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64	—	Vendor Fix fix

Known not affected 4 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64		—

Threats

Impact Important

CVE-2026-42338

A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user's browser.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-44486

A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-201 - Insertion of Sensitive Information Into Sent Data

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-44487

A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-201 - Insertion of Sensitive Information Into Sent Data

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-44488

A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-44492

A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE-289 - Authentication Bypass by Alternate Name

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-44494

A flaw was found in Axios. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to escalate any existing Object.prototype pollution in an application's dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-44495

A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.

7.0 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-44496

A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1333 - Inefficient Regular Expression Complexity

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-48779

A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1050 - Excessive Platform Resource Consumption within a Loop

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64	—	Vendor Fix fix Workaround

Threats

Impact Important

References

83 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:33163	self
https://access.redhat.com/security/cve/CVE-2026-12143	external
https://access.redhat.com/security/cve/CVE-2026-39821	external
https://access.redhat.com/security/cve/CVE-2026-42338	external
https://access.redhat.com/security/cve/CVE-2026-44486	external
https://access.redhat.com/security/cve/CVE-2026-44487	external
https://access.redhat.com/security/cve/CVE-2026-44488	external
https://access.redhat.com/security/cve/CVE-2026-44492	external
https://access.redhat.com/security/cve/CVE-2026-44494	external
https://access.redhat.com/security/cve/CVE-2026-44495	external
https://access.redhat.com/security/cve/CVE-2026-44496	external
https://access.redhat.com/security/cve/CVE-2026-48779	external
https://access.redhat.com/security/updates/classi…	external
https://access.redhat.com/security/updates/classi…	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-12143	self
https://bugzilla.redhat.com/show_bug.cgi?id=2488480	external
https://www.cve.org/CVERecord?id=CVE-2026-12143	external
https://nvd.nist.gov/vuln/detail/CVE-2026-12143	external
https://cwe.mitre.org/data/definitions/93.html	external
https://github.com/form-data/form-data/commit/641…	external
https://github.com/form-data/form-data/commit/be3…	external
https://github.com/form-data/form-data/commit/c71…	external
https://github.com/form-data/form-data/security/a…	external
https://html.spec.whatwg.org/multipage/form-contr…	external
https://www.npmjs.com/package/form-data	external
https://access.redhat.com/security/cve/CVE-2026-39821	self
https://bugzilla.redhat.com/show_bug.cgi?id=2480756	external
https://www.cve.org/CVERecord?id=CVE-2026-39821	external
https://nvd.nist.gov/vuln/detail/CVE-2026-39821	external
https://go.dev/cl/767220	external
https://go.dev/issue/78760	external
https://groups.google.com/g/golang-announce/c/iI-…	external
https://pkg.go.dev/vuln/GO-2026-5026	external
https://access.redhat.com/security/cve/CVE-2026-42338	self
https://bugzilla.redhat.com/show_bug.cgi?id=2476810	external
https://www.cve.org/CVERecord?id=CVE-2026-42338	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42338	external
https://github.com/beaugunderson/ip-address/secur…	external
https://access.redhat.com/security/cve/CVE-2026-44486	self
https://bugzilla.redhat.com/show_bug.cgi?id=2487947	external
https://www.cve.org/CVERecord?id=CVE-2026-44486	external
https://nvd.nist.gov/vuln/detail/CVE-2026-44486	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-44487	self
https://bugzilla.redhat.com/show_bug.cgi?id=2487948	external
https://www.cve.org/CVERecord?id=CVE-2026-44487	external
https://nvd.nist.gov/vuln/detail/CVE-2026-44487	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-44488	self
https://bugzilla.redhat.com/show_bug.cgi?id=2487949	external
https://www.cve.org/CVERecord?id=CVE-2026-44488	external
https://nvd.nist.gov/vuln/detail/CVE-2026-44488	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-44492	self
https://bugzilla.redhat.com/show_bug.cgi?id=2487938	external
https://www.cve.org/CVERecord?id=CVE-2026-44492	external
https://nvd.nist.gov/vuln/detail/CVE-2026-44492	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-44494	self
https://bugzilla.redhat.com/show_bug.cgi?id=2487942	external
https://www.cve.org/CVERecord?id=CVE-2026-44494	external
https://nvd.nist.gov/vuln/detail/CVE-2026-44494	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-44495	self
https://bugzilla.redhat.com/show_bug.cgi?id=2487937	external
https://www.cve.org/CVERecord?id=CVE-2026-44495	external
https://nvd.nist.gov/vuln/detail/CVE-2026-44495	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-44496	self
https://bugzilla.redhat.com/show_bug.cgi?id=2487943	external
https://www.cve.org/CVERecord?id=CVE-2026-44496	external
https://nvd.nist.gov/vuln/detail/CVE-2026-44496	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-48779	self
https://bugzilla.redhat.com/show_bug.cgi?id=2489661	external
https://www.cve.org/CVERecord?id=CVE-2026-48779	external
https://nvd.nist.gov/vuln/detail/CVE-2026-48779	external
https://github.com/websockets/ws/commit/86d3e8a5f…	external
https://github.com/websockets/ws/commit/b5372ac67…	external
https://github.com/websockets/ws/commit/bca91adf1…	external
https://github.com/websockets/ws/commit/fd36cd864…	external
https://github.com/websockets/ws/security/advisor…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Kiali 2.11.13 for Red Hat OpenShift Service Mesh 3.1 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 3.1. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Kiali 2.11.13, for Red Hat OpenShift Service Mesh 3.1, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-42338 openshift-service-mesh/kiali-ossmc-rhel9: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (OSSM-14063)\n* CVE-2026-42338 openshift-service-mesh/kiali-rhel9: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (OSSM-14068)\n* CVE-2026-39821 openshift-service-mesh/kiali-rhel9: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing (OSSM-14070)\n* CVE-2026-44495 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure due to prototype pollution vulnerability (OSSM-14144)\n* CVE-2026-44495 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure due to prototype pollution vulnerability (OSSM-14149)\n* CVE-2026-44488 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Denial of Service due to unenforced request and response size limits (OSSM-14157)\n* CVE-2026-44488 openshift-service-mesh/kiali-rhel9: Axios: Denial of Service due to unenforced request and response size limits (OSSM-14162)\n* CVE-2026-44487 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure of proxy credentials via redirect flows (OSSM-14166)\n* CVE-2026-44487 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure of proxy credentials via redirect flows (OSSM-14173)\n* CVE-2026-44494 openshift-service-mesh/kiali-rhel9: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution (OSSM-14222)\n* CVE-2026-44494 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution (OSSM-14171)\n* CVE-2026-44496 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name (OSSM-14213)\n* CVE-2026-44496 openshift-service-mesh/kiali-rhel9: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name (OSSM-14185)\n* CVE-2026-44486 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Information disclosure of proxy credentials via HTTP redirects (OSSM-14200)\n* CVE-2026-44486 openshift-service-mesh/kiali-rhel9: Axios: Information disclosure of proxy credentials via HTTP redirects (OSSM-14188)\n* CVE-2026-44492 openshift-service-mesh/kiali-ossmc-rhel9: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization (OSSM-14227)\n* CVE-2026-44492 openshift-service-mesh/kiali-rhel9: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization (OSSM-14230)\n* CVE-2026-48779 openshift-service-mesh/kiali-rhel9: ws: Denial of Service via memory exhaustion from small WebSocket fragments (OSSM-14311)\n* CVE-2026-48779 openshift-service-mesh/kiali-ossmc-rhel9: ws: Denial of Service via memory exhaustion from small WebSocket fragments (OSSM-14314)\n* CVE-2026-12143 openshift-service-mesh/kiali-ossmc-rhel9: form-data: Form field override via CRLF injection (OSSM-14333)\n* CVE-2026-12143 openshift-service-mesh/kiali-rhel9: form-data: Form field override via CRLF injection (OSSM-14330)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:33163",
        "url": "https://access.redhat.com/errata/RHSA-2026:33163"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-12143",
        "url": "https://access.redhat.com/security/cve/CVE-2026-12143"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-39821",
        "url": "https://access.redhat.com/security/cve/CVE-2026-39821"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42338",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42338"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44486",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44486"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44487",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44487"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44488",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44488"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44492",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44492"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44494",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44494"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44495",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44495"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44496",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44496"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-48779",
        "url": "https://access.redhat.com/security/cve/CVE-2026-48779"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification",
        "url": "https://access.redhat.com/security/updates/classification"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_33163.json"
      }
    ],
    "title": "Red Hat Security Advisory: Kiali 2.11.13 for Red Hat OpenShift Service Mesh 3.1",
    "tracking": {
      "current_release_date": "2026-06-30T04:22:54+00:00",
      "generator": {
        "date": "2026-06-30T04:22:54+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.3.0"
        }
      },
      "id": "RHSA-2026:33163",
      "initial_release_date": "2026-06-29T16:41:59+00:00",
      "revision_history": [
        {
          "date": "2026-06-29T16:41:59+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-29T16:42:08+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-30T04:22:54+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift Service Mesh 3.1",
                "product": {
                  "name": "Red Hat OpenShift Service Mesh 3.1",
                  "product_id": "Red Hat OpenShift Service Mesh 3.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:service_mesh:3.1::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Service Mesh"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel9@sha256%3Ac5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201537"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201696"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel9@sha256%3Aca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201537"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Acf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201696"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel9@sha256%3A99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201537"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Acd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201696"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel9@sha256%3A9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1782201537"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1782201696"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
          "product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
          "product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
          "product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
          "product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
          "product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
          "product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
          "product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
          "product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-12143",
      "cwe": {
        "id": "CWE-93",
        "name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
      },
      "discovery_date": "2026-06-12T19:00:57.360953+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2488480"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return (CR), line feed (LF), or double-quote (\") characters into the `field` argument of `FormData#append` or the `filename` option. This allows the attacker to inject additional headers or smuggle entire additional multipart parts into requests, potentially enabling them to add or override form fields and compromise data integrity.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "form-data: form-data: Form field override via CRLF injection",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important impact flaw in the form-data library: a remote attacker can inject arbitrary headers or additional multipart parts via CRLF injection in field names or filenames, potentially overriding sensitive form fields and affecting data integrity.\n\nFor RHOAI and RHEL AI, severity is Moderate because affected versions appear only as a transitive npm dependency in RHOAI (dashboard, mod-arch plugins, MLflow UI) and RHEL AI 3.4 bootc images, and those products use fixed field names for uploads rather than passing untrusted user input as multipart field names or filenames. The documented exploit path is therefore not reachable in default deployments. Practical impact is limited to non-default or custom integrations that forward multipart requests using attacker-controlled field names.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-12143"
        },
        {
          "category": "external",
          "summary": "RHBZ#2488480",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488480"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-12143",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-12143"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-12143",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12143"
        },
        {
          "category": "external",
          "summary": "https://cwe.mitre.org/data/definitions/93.html",
          "url": "https://cwe.mitre.org/data/definitions/93.html"
        },
        {
          "category": "external",
          "summary": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435",
          "url": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435"
        },
        {
          "category": "external",
          "summary": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229",
          "url": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229"
        },
        {
          "category": "external",
          "summary": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045",
          "url": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045"
        },
        {
          "category": "external",
          "summary": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx",
          "url": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx"
        },
        {
          "category": "external",
          "summary": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data",
          "url": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data"
        },
        {
          "category": "external",
          "summary": "https://www.npmjs.com/package/form-data",
          "url": "https://www.npmjs.com/package/form-data"
        }
      ],
      "release_date": "2026-06-12T18:01:30.362000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-29T16:41:59+00:00",
          "details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33163"
        },
        {
          "category": "workaround",
          "details": "Applications using the `form-data` library should implement strict input validation and sanitization for all field names and filenames derived from untrusted sources. This prevents the injection of control characters (CR, LF, \") that could lead to header injection or form field overrides. Deployments that exclusively use fixed or trusted field names are not impacted.",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "form-data: form-data: Form field override via CRLF injection"
    },
    {
      "cve": "CVE-2026-39821",
      "cwe": {
        "id": "CWE-1289",
        "name": "Improper Validation of Unsafe Equivalence in Input"
      },
      "discovery_date": "2026-05-22T16:00:52.844126+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2480756"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the `idna` package, specifically within the `golang.org/x/net/idna` component. This vulnerability allows for privilege escalation due to incorrect processing of Punycode-encoded labels. An attacker could craft a malicious Punycode label that, when initially checked, appears safe but then decodes to a restricted ASCII hostname, bypassing security controls and gaining unauthorized access.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important privilege escalation flaw in the `golang.org/x/net/idna` package. Applications utilizing this package for hostname validation in Red Hat products may incorrectly process specially crafted Punycode labels. This can lead to a bypass of security controls, as a seemingly benign Punycode domain could resolve to a restricted ASCII hostname, granting unauthorized access.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-39821"
        },
        {
          "category": "external",
          "summary": "RHBZ#2480756",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480756"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-39821",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-39821"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/767220",
          "url": "https://go.dev/cl/767220"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/78760",
          "url": "https://go.dev/issue/78760"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8",
          "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-5026",
          "url": "https://pkg.go.dev/vuln/GO-2026-5026"
        }
      ],
      "release_date": "2026-05-22T15:01:21.462000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-29T16:41:59+00:00",
          "details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33163"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing"
    },
    {
      "cve": "CVE-2026-42338",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2026-05-12T21:01:14.436876+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2476810"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user\u0027s browser.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42338"
        },
        {
          "category": "external",
          "summary": "RHBZ#2476810",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476810"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42338",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42338"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
        },
        {
          "category": "external",
          "summary": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g",
          "url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g"
        }
      ],
      "release_date": "2026-05-12T19:43:16.470000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-29T16:41:59+00:00",
          "details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33163"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input"
    },
    {
      "cve": "CVE-2026-44486",
      "cwe": {
        "id": "CWE-201",
        "name": "Insertion of Sensitive Information Into Sent Data"
      },
      "discovery_date": "2026-06-11T17:01:30.944384+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487947"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44486"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487947",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487947"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44486",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44486"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc"
        }
      ],
      "release_date": "2026-06-11T15:39:07.714000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-29T16:41:59+00:00",
          "details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33163"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects"
    },
    {
      "cve": "CVE-2026-44487",
      "cwe": {
        "id": "CWE-201",
        "name": "Insertion of Sensitive Information Into Sent Data"
      },
      "discovery_date": "2026-06-11T17:01:34.091476+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487948"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Information disclosure of proxy credentials via redirect flows",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44487"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487948",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487948"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44487",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44487"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v"
        }
      ],
      "release_date": "2026-06-11T15:38:25.150000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-29T16:41:59+00:00",
          "details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33163"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Information disclosure of proxy credentials via redirect flows"
    },
    {
      "cve": "CVE-2026-44488",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-06-11T17:01:36.836488+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487949"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Denial of Service due to unenforced request and response size limits",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44488"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487949",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487949"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44488",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44488"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
        }
      ],
      "release_date": "2026-06-11T15:37:38.013000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-29T16:41:59+00:00",
          "details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33163"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Denial of Service due to unenforced request and response size limits"
    },
    {
      "cve": "CVE-2026-44492",
      "cwe": {
        "id": "CWE-289",
        "name": "Authentication Bypass by Alternate Name"
      },
      "discovery_date": "2026-06-11T17:00:56.761751+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487938"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44492"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487938",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487938"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44492",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44492"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv"
        }
      ],
      "release_date": "2026-06-11T15:29:13.890000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-29T16:41:59+00:00",
          "details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33163"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization"
    },
    {
      "cve": "CVE-2026-44494",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-06-11T17:01:12.945664+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487942"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to escalate any existing Object.prototype pollution in an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44494"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487942",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487942"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44494",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44494"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh"
        }
      ],
      "release_date": "2026-06-11T15:32:03.155000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-29T16:41:59+00:00",
          "details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33163"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution"
    },
    {
      "cve": "CVE-2026-44495",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-06-11T17:00:53.999811+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487937"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Information disclosure due to prototype pollution vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44495"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487937",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487937"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44495",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44495"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw"
        }
      ],
      "release_date": "2026-06-11T15:33:12.433000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-29T16:41:59+00:00",
          "details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33163"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Information disclosure due to prototype pollution vulnerability"
    },
    {
      "cve": "CVE-2026-44496",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "discovery_date": "2026-06-11T17:01:15.856386+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487943"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44496"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487943",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487943"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44496",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44496"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf"
        }
      ],
      "release_date": "2026-06-11T15:34:28.492000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-29T16:41:59+00:00",
          "details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33163"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name"
    },
    {
      "cve": "CVE-2026-48779",
      "cwe": {
        "id": "CWE-1050",
        "name": "Excessive Platform Resource Consumption within a Loop"
      },
      "discovery_date": "2026-06-16T22:01:24.571224+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2489661"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
          "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-48779"
        },
        {
          "category": "external",
          "summary": "RHBZ#2489661",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489661"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-48779",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48779"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48779",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48779"
        },
        {
          "category": "external",
          "summary": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7",
          "url": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7"
        },
        {
          "category": "external",
          "summary": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53",
          "url": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53"
        },
        {
          "category": "external",
          "summary": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94",
          "url": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94"
        },
        {
          "category": "external",
          "summary": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8",
          "url": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8"
        },
        {
          "category": "external",
          "summary": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p",
          "url": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p"
        }
      ],
      "release_date": "2026-06-16T21:26:22.537000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-29T16:41:59+00:00",
          "details": "See Kiali 2.11.13 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33163"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:1c422bbe4c19201f0a63dd8175ae962208cbffccf096912858e6274b214994af_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:853f2430db6aceeb634f4c2059947d22547e39978c1185dc48ba3be4f7d337b6_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cd49f834dca7cc30e12add0fb3247d82981f722d353fc15523ad247df8e6d25c_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cf353c0b22a951c13996d5227406ed75923bf6dbaed9ea50892f32d664003c8d_arm64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:99e5e5ef3be5b42ef54d1fbcceac268c670c05a47c3e982c1088d010499c9ae8_ppc64le",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:9ac5ee0b1ffc79c320478d77a24d62789eb7162a564dc0e2be3c0a2ae2ffb272_s390x",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:c5926bbd0cb2414e4fd0117e11ccec6d33924c2ea255ca7f500419c7886807cf_amd64",
            "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:ca9d114cccf1e213f392c73a4f36af7efef15bc016636d27fc5c736a933cda14_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments"
    }
  ]
}

CVE-2026-48779 (GCVE-0-2026-48779)

Vulnerability from cvelistv5 – Published: 2026-06-16 21:26 – Updated: 2026-06-30 03:15

Title

ws: Memory exhaustion DoS from tiny fragments and data chunks

Summary

ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-400 - Uncontrolled Resource Consumption
CWE-770 - Allocation of Resources Without Limits or Throttling
CWE-1050 - Excessive Platform Resource Consumption within a Loop

Assigner

GitHub_M

References

14 references

URL	Tags
https://github.com/websockets/ws/security/advisor…	x_refsource_CONFIRM
https://github.com/websockets/ws/commit/86d3e8a5f…	x_refsource_MISC
https://github.com/websockets/ws/commit/b5372ac67…	x_refsource_MISC
https://github.com/websockets/ws/commit/bca91adf1…	x_refsource_MISC
https://github.com/websockets/ws/commit/fd36cd864…	x_refsource_MISC
https://access.redhat.com/security/cve/CVE-2026-48779	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2489661	issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v…	x_sadp-csaf-vex
https://access.redhat.com/errata/RHSA-2026:29197	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:33155	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:33160	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:33163	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:33173	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:33183	vendor-advisoryx_refsource_REDHAT

Impacted products

41 products

Vendor	Product	Version
websockets	ws	Affected: >= 1.1.0, < 5.2.5 Affected: >= 6.0.0, < 6.2.4 Affected: >= 7.0.0, < 7.5.11 Affected: >= 8.0.0, < 8.21.0
Red Hat	Red Hat Discovery 2	cpe:/a:redhat:discovery:2::el9
Red Hat	Red Hat OpenShift Service Mesh 2.6	cpe:/a:redhat:service_mesh:2.6::el8
Red Hat	Red Hat OpenShift Service Mesh 3.0	cpe:/a:redhat:service_mesh:3.0::el9
Red Hat	Red Hat OpenShift Service Mesh 3.1	cpe:/a:redhat:service_mesh:3.1::el9
Red Hat	Red Hat OpenShift Service Mesh 3.2	cpe:/a:redhat:service_mesh:3.2::el9
Red Hat	Red Hat OpenShift Service Mesh 3.3	cpe:/a:redhat:service_mesh:3.3::el9
Red Hat	Cryostat 4	cpe:/a:redhat:cryostat:4
Red Hat	Gatekeeper 3	cpe:/a:redhat:gatekeeper:3
Red Hat	Migration Toolkit for Containers	cpe:/a:redhat:rhmt:1
Red Hat	Node HealthCheck Operator	cpe:/a:redhat:workload_availability_nhc:0
Red Hat	OpenShift Lightspeed	cpe:/a:redhat:openshift_lightspeed
Red Hat	OpenShift Pipelines	cpe:/a:redhat:openshift_pipelines:1
Red Hat	Red Hat AMQ Broker 7	cpe:/a:redhat:amq_broker:7
Red Hat	Red Hat Ansible Automation Platform 2	cpe:/a:redhat:ansible_automation_platform:2
Red Hat	Red Hat build of Apache Camel - HawtIO 4	cpe:/a:redhat:apache_camel_hawtio:4
Red Hat	Red Hat Build of Podman Desktop	cpe:/a:redhat:podman_desktop:1
Red Hat	Red Hat Build of Podman Desktop - Tech Preview	cpe:/a:redhat:podman_desktop:0
Red Hat	Red Hat Connectivity Link 1	cpe:/a:redhat:connectivity_link:1
Red Hat	Red Hat Data Grid 8	cpe:/a:redhat:jboss_data_grid:8
Red Hat	Red Hat Developer Hub	cpe:/a:redhat:rhdh:1
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux AI (RHEL AI) 3	cpe:/a:redhat:enterprise_linux_ai:3
Red Hat	Red Hat Fuse 7	cpe:/a:redhat:jboss_fuse:7
Red Hat	Red Hat Hardened Images	cpe:/a:redhat:hummingbird:1
Red Hat	Red Hat OpenShift AI (RHOAI)	cpe:/a:redhat:openshift_ai
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat Openshift Data Foundation 4	cpe:/a:redhat:openshift_data_foundation:4
Red Hat	Red Hat OpenShift Dev Spaces	cpe:/a:redhat:openshift_devspaces:3
Red Hat	Red Hat OpenShift Virtualization 4	cpe:/a:redhat:container_native_virtualization:4
Red Hat	Red Hat Quay 3	cpe:/a:redhat:quay:3
Red Hat	Red Hat Satellite 6	cpe:/a:redhat:satellite:6
Red Hat	Red Hat Trusted Artifact Signer	cpe:/a:redhat:trusted_artifact_signer:1
Red Hat	Self-service automation portal 2	cpe:/a:redhat:ansible_portal:2
Red Hat	OpenShift Service Mesh 3	cpe:/a:redhat:service_mesh:3
Red Hat	Red Hat build of Apache Camel for Spring Boot 4	cpe:/a:redhat:camel_spring_boot:4
Red Hat	Red Hat Build of Keycloak	cpe:/a:redhat:build_keycloak:
Red Hat	Red Hat JBoss Enterprise Application Platform 8	cpe:/a:redhat:jboss_enterprise_application_platform:8
Red Hat	Red Hat JBoss Enterprise Application Platform Expansion Pack	cpe:/a:redhat:jbosseapxp

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48779",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-17T18:07:28.748295Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-17T18:12:48.129Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:discovery:2::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Discovery 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:2.6::el8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Service Mesh 2.6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.0::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Service Mesh 3.0",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.1::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Service Mesh 3.1",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.2::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Service Mesh 3.2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.3::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Service Mesh 3.3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:cryostat:4"
            ],
            "defaultStatus": "affected",
            "product": "Cryostat 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:gatekeeper:3"
            ],
            "defaultStatus": "affected",
            "product": "Gatekeeper 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhmt:1"
            ],
            "defaultStatus": "affected",
            "product": "Migration Toolkit for Containers",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:workload_availability_nhc:0"
            ],
            "defaultStatus": "affected",
            "product": "Node HealthCheck Operator",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_lightspeed"
            ],
            "defaultStatus": "affected",
            "product": "OpenShift Lightspeed",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_pipelines:1"
            ],
            "defaultStatus": "affected",
            "product": "OpenShift Pipelines",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:amq_broker:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat AMQ Broker 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:apache_camel_hawtio:4"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat build of Apache Camel - HawtIO 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:podman_desktop:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Build of Podman Desktop",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:podman_desktop:0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Build of Podman Desktop - Tech Preview",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:connectivity_link:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Connectivity Link 1",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_data_grid:8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Data Grid 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhdh:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Developer Hub",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_fuse:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Fuse 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:hummingbird:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Hardened Images",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift:4"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Container Platform 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_data_foundation:4"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Openshift Data Foundation 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_devspaces:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Dev Spaces",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Virtualization 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:quay:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Quay 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:satellite:6"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Satellite 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:trusted_artifact_signer:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Trusted Artifact Signer",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ansible_portal:2"
            ],
            "defaultStatus": "affected",
            "product": "Self-service automation portal 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:3"
            ],
            "defaultStatus": "unaffected",
            "product": "OpenShift Service Mesh 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:camel_spring_boot:4"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat build of Apache Camel for Spring Boot 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:build_keycloak:"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Build of Keycloak",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_enterprise_application_platform:8"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat JBoss Enterprise Application Platform 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jbosseapxp"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-06-16T21:26:22.537Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1050",
                "description": "Excessive Platform Resource Consumption within a Loop",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T03:15:49.965Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-48779"
          },
          {
            "name": "RHBZ#2489661",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489661"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48779.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:29197"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:33155"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:33160"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:33163"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:33173"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:33183"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:29197: Red Hat Discovery 2"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:33155: Red Hat OpenShift Service Mesh 2.6"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:33160: Red Hat OpenShift Service Mesh 3.0"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:33163: Red Hat OpenShift Service Mesh 3.1"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:33173: Red Hat OpenShift Service Mesh 3.2"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:33183: Red Hat OpenShift Service Mesh 3.3"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-16T22:01:24.571Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-06-16T21:26:22.537Z",
            "value": "Made public."
          }
        ],
        "title": "ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ws",
          "vendor": "websockets",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.1.0, \u003c 5.2.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0, \u003c 6.2.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.0.0, \u003c 7.5.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.21.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T21:26:22.537Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p"
        },
        {
          "name": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7"
        },
        {
          "name": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53"
        },
        {
          "name": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94"
        },
        {
          "name": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8"
        }
      ],
      "source": {
        "advisory": "GHSA-96hv-2xvq-fx4p",
        "discovery": "UNKNOWN"
      },
      "title": "ws: Memory exhaustion DoS from tiny fragments and data chunks"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48779",
    "datePublished": "2026-06-16T21:26:22.537Z",
    "dateReserved": "2026-05-22T20:18:20.365Z",
    "dateUpdated": "2026-06-30T03:15:49.965Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:33163

CVE-2026-48779 (GCVE-0-2026-48779)

Tags

Sightings

Nomenclature