Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-1312

Summary
Assigner-DSF
Assigner Org ID-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
Published At-03 Feb, 2026 | 14:36
Updated At-30 Jun, 2026 | 12:07
Rejected At-
Credits

Potential SQL injection via QuerySet.order_by and FilteredRelation

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:DSF
Assigner Org ID:6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
Published At:03 Feb, 2026 | 14:36
Updated At:30 Jun, 2026 | 12:07
Rejected At:
▼CVE Numbering Authority (CNA)
Potential SQL injection via QuerySet.order_by and FilteredRelation

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Affected Products
Vendor
Djangodjangoproject
Product
Django
Collection URL
https://pypi.org/project/Django/
Package Name
django
Repo
https://github.com/django/django/
Default Status
unaffected
Versions
Affected
  • From 6.0 before 6.0.2 (semver)
  • From 5.2 before 5.2.11 (semver)
  • From 4.2 before 4.2.28 (semver)
Unaffected
  • 6.0.2 (semver)
  • 5.2.11 (semver)
  • 4.2.28 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-89CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Type: CWE
CWE ID: CWE-89
Description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Django severity rating
value:
high
namespace:
https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels
Impacts
CAPEC IDDescription
CAPEC-66CAPEC-66: SQL Injection
CAPEC ID: CAPEC-66
Description: CAPEC-66: SQL Injection
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
Solomon Kebede
remediation developer
Jacob Walls
coordinator
Jacob Walls
Timeline
EventDate
Initial report received.2026-01-12 18:00:00
Vulnerability confirmed.2026-01-26 18:00:00
Security release issued.2026-02-03 08:00:00
Event: Initial report received.
Date: 2026-01-12 18:00:00
Event: Vulnerability confirmed.
Date: 2026-01-26 18:00:00
Event: Security release issued.
Date: 2026-02-03 08:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
vendor-advisory
Hyperlink: https://docs.djangoproject.com/en/dev/releases/security/
Resource:
vendor-advisory
Hyperlink: https://groups.google.com/g/django-announce
Resource:
mailing-list
Hyperlink: https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
2. Django: Django: SQL injection via crafted column aliases in QuerySet.order_by()

A flaw was found in Django. A remote attacker could exploit a SQL injection vulnerability in the `.QuerySet.order_by()` method. This occurs when column aliases containing periods are used, and the same alias is also present in `FilteredRelation` via a specially crafted dictionary. Successful exploitation could lead to unauthorized information disclosure or arbitrary code execution within the database.

Affected Products
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Ansible Automation Platform 2.5 for RHEL 8
CPEs
  • cpe:/a:redhat:ansible_automation_platform:2.5::el8
  • cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8
  • cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Satellite 6.16 for RHEL 8
CPEs
  • cpe:/a:redhat:satellite:6.16::el8
  • cpe:/a:redhat:satellite_capsule:6.16::el8
  • cpe:/a:redhat:satellite_utils:6.16::el8
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Ansible Automation Platform 2.5 for RHEL 9
CPEs
  • cpe:/a:redhat:ansible_automation_platform:2.5::el9
  • cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9
  • cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Ansible Automation Platform 2.6 for RHEL 9
CPEs
  • cpe:/a:redhat:ansible_automation_platform:2.6::el9
  • cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9
  • cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Satellite 6.16 for RHEL 9
CPEs
  • cpe:/a:redhat:satellite:6.16::el9
  • cpe:/a:redhat:satellite_capsule:6.16::el9
  • cpe:/a:redhat:satellite_maintenance:6.16::el9
  • cpe:/a:redhat:satellite_utils:6.16::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Satellite 6.17 for RHEL 9
CPEs
  • cpe:/a:redhat:satellite:6.17::el9
  • cpe:/a:redhat:satellite_capsule:6.17::el9
  • cpe:/a:redhat:satellite_maintenance:6.17::el9
  • cpe:/a:redhat:satellite_utils:6.17::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Satellite 6.18 for RHEL 9
CPEs
  • cpe:/a:redhat:satellite:6.18::el9
  • cpe:/a:redhat:satellite_capsule:6.18::el9
  • cpe:/a:redhat:satellite_maintenance:6.18::el9
  • cpe:/a:redhat:satellite_utils:6.18::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Ansible Automation Platform 2.5
CPEs
  • cpe:/a:redhat:ansible_automation_platform:2.5::el8
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Ansible Automation Platform 2.6
CPEs
  • cpe:/a:redhat:ansible_automation_platform:2.6::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Discovery 2
CPEs
  • cpe:/a:redhat:discovery:2::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Satellite 6.18
CPEs
  • cpe:/a:redhat:satellite:6.18::el9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Ansible Automation Platform 2
CPEs
  • cpe:/a:redhat:ansible_automation_platform:2
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Satellite 6
CPEs
  • cpe:/a:redhat:satellite:6
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Update Infrastructure 4 for Cloud Providers
CPEs
  • cpe:/a:redhat:rhui:4::el8
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Ansible Automation Platform 2.6 for RHEL 10
CPEs
  • cpe:/a:redhat:ansible_automation_platform:2.6::el10
  • cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat OpenStack Platform 16.2
CPEs
  • cpe:/a:redhat:openstack:16.2
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat OpenStack Platform 17.1
CPEs
  • cpe:/a:redhat:openstack:17.1
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat OpenStack Platform 18.0
CPEs
  • cpe:/a:redhat:openstack:18.0
Default Status
unaffected
Problem Types
TypeCWE IDDescription
CWECWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Type: CWE
CWE ID: CWE-89
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
VersionBase scoreBase severityVector
3.18.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Red Hat severity rating
value:
Important
namespace:
https://access.redhat.com/security/updates/classification/
Impacts
CAPEC IDDescription
Solutions

RHSA-2026:3959: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9

RHSA-2026:5971: Red Hat Satellite 6.16 for RHEL 8, Red Hat Satellite 6.16 for RHEL 9

RHSA-2026:3958: Red Hat Ansible Automation Platform 2.6 for RHEL 9

RHSA-2026:5970: Red Hat Satellite 6.17 for RHEL 9

RHSA-2026:14835: Red Hat Satellite 6.18 for RHEL 9

RHSA-2026:3962: Red Hat Ansible Automation Platform 2.5

RHSA-2026:3960: Red Hat Ansible Automation Platform 2.6

RHSA-2026:2694: Red Hat Discovery 2

RHSA-2026:6291: Red Hat Satellite 6.18

Configurations

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Exploits

Credits

Timeline
EventDate
Reported to Red Hat.2026-02-03 15:01:18
Made public.2026-02-03 14:36:23
Event: Reported to Red Hat.
Date: 2026-02-03 15:01:18
Event: Made public.
Date: 2026-02-03 14:36:23
Replaced By

Rejected Reason

References
HyperlinkResource
https://access.redhat.com/security/cve/CVE-2026-1312
vdb-entry
x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2436342
issue-tracking
x_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1312.json
x_sadp-csaf-vex
https://access.redhat.com/errata/RHSA-2026:3959
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:5971
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:3958
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:5970
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:14835
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:3962
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:3960
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:2694
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6291
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-1312
Resource:
vdb-entry
x_refsource_REDHAT
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2436342
Resource:
issue-tracking
x_refsource_REDHAT
Hyperlink: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1312.json
Resource:
x_sadp-csaf-vex
Hyperlink: https://access.redhat.com/errata/RHSA-2026:3959
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:5971
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:3958
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:5970
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:14835
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:3962
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:3960
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:2694
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2026:6291
Resource:
vendor-advisory
x_refsource_REDHAT
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
Published At:03 Feb, 2026 | 15:16
Updated At:30 Jun, 2026 | 03:17

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Secondary3.18.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
N/A
Type: Secondary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Django
djangoproject
>>django>>Versions from 4.2(inclusive) to 4.2.28(exclusive)
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Django
djangoproject
>>django>>Versions from 5.2(inclusive) to 5.2.11(exclusive)
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Django
djangoproject
>>django>>Versions from 6.0(inclusive) to 6.0.2(exclusive)
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-89Secondary6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CWE-89Secondary0b0ca135-0b70-47e7-9f44-1890c2a1c46c
CWE ID: CWE-89
Type: Secondary
Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CWE ID: CWE-89
Type: Secondary
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://docs.djangoproject.com/en/dev/releases/security/6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
Patch
Vendor Advisory
https://groups.google.com/g/django-announce6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
Release Notes
https://www.djangoproject.com/weblog/2026/feb/03/security-releases/6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
Patch
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:148350b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://access.redhat.com/errata/RHSA-2026:26940b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://access.redhat.com/errata/RHSA-2026:39580b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://access.redhat.com/errata/RHSA-2026:39590b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://access.redhat.com/errata/RHSA-2026:39600b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://access.redhat.com/errata/RHSA-2026:39620b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://access.redhat.com/errata/RHSA-2026:59700b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://access.redhat.com/errata/RHSA-2026:59710b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://access.redhat.com/errata/RHSA-2026:62910b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://access.redhat.com/security/cve/CVE-2026-13120b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://bugzilla.redhat.com/show_bug.cgi?id=24363420b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1312.json0b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
Hyperlink: https://docs.djangoproject.com/en/dev/releases/security/
Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
Resource:
Patch
Vendor Advisory
Hyperlink: https://groups.google.com/g/django-announce
Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
Resource:
Release Notes
Hyperlink: https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
Resource:
Patch
Vendor Advisory
Hyperlink: https://access.redhat.com/errata/RHSA-2026:14835
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://access.redhat.com/errata/RHSA-2026:2694
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://access.redhat.com/errata/RHSA-2026:3958
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://access.redhat.com/errata/RHSA-2026:3959
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://access.redhat.com/errata/RHSA-2026:3960
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://access.redhat.com/errata/RHSA-2026:3962
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://access.redhat.com/errata/RHSA-2026:5970
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://access.redhat.com/errata/RHSA-2026:5971
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://access.redhat.com/errata/RHSA-2026:6291
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-1312
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2436342
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1312.json
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

132Records found

CVE-2026-1207
Matching Score-10
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Matching Score-10
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-5.4||MEDIUM
EPSS-9.44% / 94.82%
||
7 Day CHG+5.66%
Published-03 Feb, 2026 | 14:35
Updated-30 Jun, 2026 | 03:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential SQL injection via raster lookups on PostGIS

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

Action-Not Available
Vendor-Red Hat, Inc.Django
Product-djangoDjangoRed Hat Ansible Automation Platform 2.6Red Hat Ansible Automation Platform 2.5Red Hat Satellite 6.18Red Hat Discovery 2Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat Update Infrastructure 4 for Cloud ProvidersRed Hat OpenStack Platform 18.0Red Hat Ansible Automation Platform 2Red Hat Satellite 6.16 for RHEL 9Red Hat Ansible Automation Platform 2.5 for RHEL 9Red Hat Satellite 6.17 for RHEL 9Red Hat OpenStack Platform 16.2Red Hat Ansible Automation Platform 2.6 for RHEL 10Red Hat Satellite 6Red Hat Ansible Automation Platform 2.5 for RHEL 8Red Hat Satellite 6.18 for RHEL 9Red Hat OpenStack Platform 17.1Red Hat Satellite 6.16 for RHEL 8
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-1287
Matching Score-10
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Matching Score-10
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-5.4||MEDIUM
EPSS-0.75% / 50.55%
||
7 Day CHG+0.26%
Published-03 Feb, 2026 | 14:36
Updated-01 Jul, 2026 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential SQL injection in column aliases via control characters

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Action-Not Available
Vendor-Red Hat, Inc.Django
Product-djangoDjangoRed Hat OpenStack Platform 16.2Red Hat OpenStack Platform 18.0Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat Satellite 6.16 for RHEL 9Red Hat Satellite 6.16 for RHEL 8Red Hat Ansible Automation Platform 2.5 for RHEL 8Red Hat Satellite 6.18Red Hat Ansible Automation Platform 2.5 for RHEL 9Red Hat Satellite 6.18 for RHEL 9Red Hat Ansible Automation Platform 2Red Hat Ansible Automation Platform 2.5Red Hat Update Infrastructure 4 for Cloud ProvidersRed Hat Satellite 6.17 for RHEL 9Red Hat Satellite 6Red Hat Discovery 2Red Hat Ansible Automation Platform 2.6 for RHEL 10Red Hat OpenStack Platform 17.1Red Hat Ansible Automation Platform 2.6
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-8922
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.28% / 19.90%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 06:27
Updated-26 Jun, 2026 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: security flaw in org.keycloak/keycloak-services

A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.

Action-Not Available
Vendor-Red Hat, Inc.
Product-build_of_keycloakRed Hat build of Keycloak 26.4Red Hat build of Keycloak 26.6.3Red Hat build of Keycloak 26.6Red Hat build of Keycloak 26.4.13
CWE ID-CWE-303
Incorrect Implementation of Authentication Algorithm
CVE-2026-7500
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.23% / 14.01%
||
7 Day CHG~0.00%
Published-30 Apr, 2026 | 14:53
Updated-26 Jun, 2026 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Org.keycloak.keycloak-services: improper access control on keycloak server when the account account api feature is disabled

When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.

Action-Not Available
Vendor-Red Hat, Inc.
Product-build_of_keycloakRed Hat build of Keycloak 26.4Red Hat build of Keycloak 26.6.3Red Hat build of Keycloak 26.6Red Hat build of Keycloak 26.4.13
CWE ID-CWE-425
Direct Request ('Forced Browsing')
CVE-2026-6383
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.15% / 4.58%
||
7 Day CHG~0.00%
Published-15 Apr, 2026 | 18:22
Updated-17 Apr, 2026 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kubevirt: kubevirt: unauthorized subresource access due to improper rbac evaluation

A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat OpenShift Virtualization 4
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-6848
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 17.65%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 09:06
Updated-22 Apr, 2026 | 21:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Quay: red hat quay: authentication bypass allows privileged actions without valid credentials

A flaw was found in Red Hat Quay. When Red Hat Quay requests password re-verification for sensitive operations, such as token generation or robot account creation, the re-authentication prompt can be bypassed. This allows a user with a timed-out session, or an attacker with access to an idle authenticated browser session, to perform privileged actions without providing valid credentials. The vulnerability enables unauthorized execution of sensitive operations despite the user interface displaying an error for invalid credentials.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Quay 3
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2026-57281
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-7.5||HIGH
EPSS-0.59% / 44.08%
||
7 Day CHG+0.21%
Published-24 Jun, 2026 | 13:20
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.

Action-Not Available
Vendor-Red Hat, Inc.Jenkins
Product-script_securityJenkins Script Security PluginOpenShift Developer Tools and Services
CWE ID-CWE-693
Protection Mechanism Failure
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2025-14778
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.29% / 20.48%
||
7 Day CHG~0.00%
Published-09 Feb, 2026 | 18:58
Updated-10 Feb, 2026 | 02:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak: incorrect ownership checks in /uma-policy/

A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first resource in the policy's list. This allows a user (Owner A) who owns one resource (RA) to update a shared policy and modify authorization rules for other resources (e.g., RB) in that same policy, even if those other resources are owned by a different user (Owner B). This constitutes a horizontal privilege escalation.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat build of Keycloak 26.2Red Hat build of Keycloak 26.2.13Red Hat build of Keycloak 26.4Red Hat build of Keycloak 26.4.9
CWE ID-CWE-266
Incorrect Privilege Assignment
CVE-2025-1391
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.38% / 29.80%
||
7 Day CHG~0.00%
Published-17 Feb, 2025 | 14:01
Updated-06 May, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-services: improper authorization in keycloak organization mapper allows unauthorized organization claims

A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Build of KeycloakRed Hat build of Keycloak 26.0
CWE ID-CWE-284
Improper Access Control
CVE-2025-14025
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-8.5||HIGH
EPSS-0.39% / 30.88%
||
7 Day CHG~0.00%
Published-08 Jan, 2026 | 13:44
Updated-26 Feb, 2026 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ansible-automation-platform/aap-gateway: aap-gateway: read-only personal access token (pat) bypasses write restrictions

A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP, are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If this flaw were exploited, an attacker‘s capabilities would only be limited by role based access controls (RBAC).

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Ansible Automation Platform 2.5 for RHEL 8Red Hat Ansible Automation Platform 2.6Red Hat Ansible Automation Platform 2.5Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat Ansible Automation Platform 2.5 for RHEL 9
CWE ID-CWE-279
Incorrect Execution-Assigned Permissions
CVE-2012-5571
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-2.04% / 78.77%
||
7 Day CHG~0.00%
Published-18 Dec, 2012 | 01:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Openstack keystone: openstack keystone: authorization bypass via improper ec2 token handling

A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly handle EC2 (Elastic Compute Cloud) tokens when a user's role has been removed from a tenant. An attacker can leverage a token associated with a removed user role to gain unauthorized access.

Action-Not Available
Vendor-OpenStackRed Hat, Inc.
Product-folsomessexRed Hat OpenStack Platform 18.0Red Hat OpenStack Platform 13 (Queens)Red Hat OpenStack Platform 16.2Red Hat OpenStack Platform 17.1
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-12110
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.27% / 19.02%
||
7 Day CHG~0.00%
Published-23 Oct, 2025 | 14:19
Updated-20 Jan, 2026 | 21:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak: org.keycloak:keycloak-services: user can refresh offline session even after client's offline_access scope was removed

A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.

Action-Not Available
Vendor-KeycloakRed Hat, Inc.
Product-Red Hat build of Keycloak 26.2.11Red Hat build of Keycloak 26.4Red Hat build of Keycloak 26.2keycloakRed Hat build of Keycloak 26.4.4
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2026-5483
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-8.5||HIGH
EPSS-0.49% / 38.65%
||
7 Day CHG+0.01%
Published-10 Apr, 2026 | 17:33
Updated-30 Jun, 2026 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Odh-dashboard: odh dashboard kubernetes service account exposure

A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain unauthorized access to Kubernetes resources.

Action-Not Available
Vendor-Red Hat, Inc.
Product-openshift_aiRed Hat OpenShift AI 2.16Red Hat OpenShift AI (RHOAI)Red Hat OpenShift AI 3.3Red Hat OpenShift AI 2.25Red Hat OpenShift AI 3.2Red Hat OpenShift AI 2.16Red Hat OpenShift AI (RHOAI)Red Hat OpenShift AI 3.3Red Hat OpenShift AI 2.25Red Hat OpenShift AI 3.2
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2025-11429
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.74%
||
7 Day CHG~0.00%
Published-23 Oct, 2025 | 14:09
Updated-20 Jan, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-server: too long and not settings compliant session

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.

Action-Not Available
Vendor-KeycloakRed Hat, Inc.
Product-keycloakRed Hat build of Keycloak 26.2.11Red Hat build of Keycloak 26.2
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2026-14614
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-Not Assigned
Published-03 Jul, 2026 | 15:33
Updated-03 Jul, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-services: keycloak-services: fgap v2 client scope assignment bypass via clientresource

A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Build of KeycloakRed Hat Data Grid 8Red Hat Single Sign-On 7
CVE-2025-0604
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.56% / 42.70%
||
7 Day CHG~0.00%
Published-22 Jan, 2025 | 14:34
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-ldap-federation: authentication bypass due to missing ldap bind after password reset in keycloak

A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycloak, bypassing AD restrictions. The issue enables authentication bypass and could allow unauthorized access under certain conditions.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Build of KeycloakRed Hat build of Keycloak 26.0Red Hat Single Sign-On 7
CWE ID-CWE-287
Improper Authentication
CVE-2019-14870
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-2.78% / 84.65%
||
7 Day CHG~0.00%
Published-10 Dec, 2019 | 00:00
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set.

Action-Not Available
Vendor-Canonical Ltd.Debian GNU/LinuxopenSUSESambaFedora ProjectRed Hat, Inc.
Product-ubuntu_linuxdebian_linuxsambafedoraleapsamba
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-287
Improper Authentication
CVE-2019-10156
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-4.6||MEDIUM
EPSS-1.76% / 75.24%
||
7 Day CHG~0.00%
Published-30 Jul, 2019 | 22:12
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.

Action-Not Available
Vendor-Debian GNU/LinuxRed Hat, Inc.
Product-debian_linuxopenstackansibleansible
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-6544
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-1.07% / 60.88%
||
7 Day CHG~0.00%
Published-25 Apr, 2024 | 15:58
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak: authorization bypass

A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this specific Dynamic Client Registration and TrustedDomain configuration previously unauthorized.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Single Sign-On 7.6 for RHEL 7Red Hat build of Keycloak 22Red Hat build of Keycloak 22.0.10RHSSO 7.6.8RHEL-8 based Middleware ContainersRed Hat Single Sign-On 7.6 for RHEL 9Red Hat Single Sign-On 7.6 for RHEL 8
CWE ID-CWE-625
Permissive Regular Expression
CVE-2026-43998
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-8.5||HIGH
EPSS-0.72% / 49.46%
||
7 Day CHG+0.10%
Published-13 May, 2026 | 17:19
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vm2: NodeVM require.root bypass via symlink traversal allows sandbox escape

vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve() (which does not dereference symlinks) but module loading uses Node's native require() (which does), an attacker can load arbitrary host-realm modules and achieve remote code execution. This vulnerability is fixed in 3.11.0.

Action-Not Available
Vendor-vm2_projectpatriksimekRed Hat, Inc.
Product-vm2vm2Self-service automation portal 2Red Hat Developer Hub
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CVE-2026-43003
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.84% / 53.28%
||
7 Day CHG+0.14%
Published-01 May, 2026 | 00:00
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image.

Action-Not Available
Vendor-Red Hat, Inc.OpenStack
Product-ironic_python_agentironic-python-agentRed Hat OpenShift Container Platform 4
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2026-40938
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.79% / 51.71%
||
7 Day CHG+0.27%
Published-21 Apr, 2026 | 20:45
Updated-30 Jun, 2026 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tekton Pipelines: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack=<binary>. Combined with the validateRepoURL function explicitly permitting URLs that begin with / (local filesystem paths), a tenant who can submit ResolutionRequest objects can chain these two behaviors to execute an arbitrary binary on the resolver pod. The tekton-pipelines-resolvers ServiceAccount holds cluster-wide get/list/watch on all Secrets, so code execution on the resolver pod enables full cluster-wide secret exfiltration. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.

Action-Not Available
Vendor-tektoncdThe Linux FoundationRed Hat, Inc.
Product-tekton_pipelinespipelineRed Hat OpenShift Pipelines 1.21Red Hat OpenShift AI (RHOAI)OpenShift LightspeedRed Hat OpenShift Builds 1.8.0Red Hat OpenShift Virtualization 4OpenShift PipelinesRed Hat Trusted Artifact SignerRed Hat OpenShift Builds 1.7.3OpenShift Serverless
CWE ID-CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE-2026-40477
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.86% / 54.09%
||
7 Day CHG+0.21%
Published-17 Apr, 2026 | 21:53
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper restriction of the scope of accessible objects in Thymeleaf expressions

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.

Action-Not Available
Vendor-thymeleafthymeleafRed Hat, Inc.
Product-thymeleafthymeleaforg.thymeleaf:thymeleaf-spring6org.thymeleaf:thymeleaf-spring5Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform 7Red Hat build of Apache Camel for Spring Boot 4Red Hat OpenShift Dev Spaces 3.28Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2026-40478
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.78% / 51.29%
||
7 Day CHG+0.19%
Published-17 Apr, 2026 | 21:57
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.

Action-Not Available
Vendor-thymeleafthymeleafRed Hat, Inc.
Product-thymeleafthymeleaforg.thymeleaf:thymeleaf-spring6org.thymeleaf:thymeleaf-spring5Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform 7Red Hat build of Apache Camel for Spring Boot 4Red Hat OpenShift Dev Spaces 3.28Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2026-34971
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-9||CRITICAL
EPSS-0.32% / 23.70%
||
7 Day CHG+0.06%
Published-09 Apr, 2026 | 18:45
Updated-30 Jun, 2026 | 03:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wasmtime miscompiled guest heap access enables sandbox escape on aarch64 Cranelift

Wasmtime is a runtime for WebAssembly. From 32.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses which means that the wrong address is accessed. When combined with explicit bounds checks a guest WebAssembly module this can create a situation where there are two diverging computations for the same address: one for the address to bounds-check and one for the address to load. This difference in address being operated on means that a guest module can pass a bounds check but then load a different address. Combined together this enables an arbitrary read/write primitive for guest WebAssembly when accesssing host memory. This is a sandbox escape as guests are able to read/write arbitrary host memory. This vulnerability has a few ingredients, all of which must be met, for this situation to occur and bypass the sandbox restrictions. This miscompiled shape of load only occurs on 64-bit WebAssembly linear memories, or when Config::wasm_memory64 is enabled. 32-bit WebAssembly is not affected. Spectre mitigations or signals-based-traps must be disabled. When spectre mitigations are enabled then the offending shape of load is not generated. When signals-based-traps are disabled then spectre mitigations are also automatically disabled. The specific bug in Cranelift is a miscompile of a load of the shape load(iadd(base, ishl(index, amt))) where amt is a constant. The amt value is masked incorrectly to test if it's a certain value, and this incorrect mask means that Cranelift can pattern-match this lowering rule during instruction selection erroneously, diverging from WebAssembly's and Cranelift's semantics. This incorrect lowering would, for example, load an address much further away than intended as the correct address's computation would have wrapped around to a smaller value insetad. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.

Action-Not Available
Vendor-bytecodealliancebytecodeallianceRed Hat, Inc.
Product-wasmtimewasmtimeRed Hat Connectivity Link 1Red Hat Enterprise Linux 10
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-32871
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.99% / 58.18%
||
7 Day CHG-0.09%
Published-02 Apr, 2026 | 14:52
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability

FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL. Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider. This issue has been patched in version 3.2.0.

Action-Not Available
Vendor-jlowinPrefectHQRed Hat, Inc.
Product-fastmcpfastmcpRed Hat Satellite 6Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-10306
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 17.40%
||
7 Day CHG~0.00%
Published-23 Apr, 2025 | 09:59
Updated-30 Jun, 2026 | 00:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mod_proxy_cluster: mod_proxy_cluster unauthorized mcmp requests

A vulnerability was found in mod_proxy_cluster. The issue is that the <Directory> directive should be replaced by the <Location> directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host might send MCMP requests that may result in adding/removing/updating nodes for the balancing. However, this host should not be accessible to the public network as it does not serve the general traffic.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Core ServicesRed Hat Enterprise Linux 9Red Hat Enterprise Linux 9.4 Extended Update SupportRed Hat Enterprise Linux 10
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-13325
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-8.5||HIGH
EPSS-0.17% / 6.83%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 10:41
Updated-26 Jun, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Virt-handler-rhel9: kubevirt: kubevirt: disabletls migration setting removes authentication, exposing unauthenticated virtqemud proxy on all interfaces

A flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. This listener proxies directly into the target virt-launcher's virtqemud control socket. An attacker with a running pod on the cluster network can connect to this listener and issue unfiltered libvirt RPC commands against another tenant's virtual machine, including reading VM memory and configuration, modifying VM state via QMP, or destroying the VM. The bind address is unconditionally 0.0.0.0 — configuring a dedicated migration network via migrations.network only changes the advertised migration IP, not the listener bind address, so the port remains reachable on the pod network even when a dedicated migration network is configured. The API documentation describes disableTLS as removing "the additional layer of live migration encryption" without disclosing that it also removes all mutual authentication.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat OpenShift Virtualization 4
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2023-0119
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.56% / 42.25%
||
7 Day CHG~0.00%
Published-12 Sep, 2023 | 15:14
Updated-02 Aug, 2024 | 05:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foreman: stored cross-site scripting in host tab

A stored Cross-site scripting vulnerability was found in foreman. The Comment section in the Hosts tab has incorrect filtering of user input data. As a result of the attack, an attacker with an existing account on the system can steal another user's session, make requests on behalf of the user, and obtain user credentials.

Action-Not Available
Vendor-Red Hat, Inc.
Product-satelliteenterprise_linuxRed Hat Satellite 6.13 for RHEL 8Red Hat Satellite 6.14 for RHEL 8
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-14179
Matching Score-6
Assigner-PHP Group
ShareView Details
Matching Score-6
Assigner-PHP Group
CVSS Score-7.4||HIGH
EPSS-0.30% / 21.55%
||
7 Day CHG+0.04%
Published-10 May, 2026 | 03:51
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL injection in pdo_firebird via NUL bytes in quoted strings

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.

Action-Not Available
Vendor-Red Hat, Inc.The PHP Group
Product-phpPHPRed Hat Enterprise Linux 7Red Hat Hardened ImagesRed Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-34265
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-73.27% / 99.39%
||
7 Day CHG~0.00%
Published-04 Jul, 2022 | 00:00
Updated-13 Feb, 2025 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

Action-Not Available
Vendor-n/aDjango
Product-djangon/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-53908
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.42% / 69.66%
||
7 Day CHG+0.03%
Published-06 Dec, 2024 | 00:00
Updated-09 Jun, 2025 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)

Action-Not Available
Vendor-n/aDjango
Product-djangon/adjango
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-28347
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.92% / 85.34%
||
7 Day CHG+0.04%
Published-12 Apr, 2022 | 00:00
Updated-13 Feb, 2025 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.

Action-Not Available
Vendor-n/aDjangoDebian GNU/Linux
Product-djangodebian_linuxn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-42005
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.23% / 65.21%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 00:00
Updated-04 Nov, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.

Action-Not Available
Vendor-n/aDjango
Product-djangon/adjango
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-28346
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-18.52% / 96.89%
||
7 Day CHG+0.12%
Published-12 Apr, 2022 | 00:00
Updated-13 Feb, 2025 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

Action-Not Available
Vendor-n/aDjangoDebian GNU/Linux
Product-djangodebian_linuxn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-13372
Matching Score-6
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Matching Score-6
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-4.3||MEDIUM
EPSS-0.90% / 55.38%
||
7 Day CHG+0.03%
Published-02 Dec, 2025 | 15:13
Updated-12 Dec, 2025 | 12:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential SQL injection in FilteredRelation column aliases on PostgreSQL

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-44172
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.42% / 33.67%
||
7 Day CHG+0.14%
Published-12 Jun, 2026 | 17:34
Updated-03 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MariaDB: mysql_real_escape_string() incorrectly handled big5

MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections, even though mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19 and 3.4.9.

Action-Not Available
Vendor-Red Hat, Inc.MariaDB Foundation
Product-mariadbserverRed Hat Enterprise Linux 9Red Hat Enterprise Linux 7Red Hat Enterprise Linux 8Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux AppStream (v. 10)Red Hat Enterprise Linux 10Red Hat Enterprise Linux AppStream (v. 8)Red Hat Hardened Images
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-4324
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 17.56%
||
7 Day CHG~0.00%
Published-17 Mar, 2026 | 13:52
Updated-01 Jun, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rubygem-katello: katello: denial of service and potential information disclosure via sql injection

A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into the sort_by parameter of the /api/hosts/bootc_images API endpoint. This can lead to a Denial of Service (DoS) by triggering database errors, and potentially enable Boolean-based Blind SQL injection, which could allow an attacker to extract sensitive information from the database.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Satellite 6.18 for RHEL 9Red Hat Satellite 6Red Hat Satellite 6.19 for RHEL 9Red Hat Satellite 6.17 for RHEL 9
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-42208
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-86.61% / 99.72%
||
7 Day CHG+2.50%
Published-08 May, 2026 | 03:38
Updated-29 Jun, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2026-05-11||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
LiteLLM: SQL injection in Proxy API key verification

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.

Action-Not Available
Vendor-litellmBerriAIBerriAIRed Hat, Inc.
Product-litellmlitellmRed Hat Ansible Automation Platform 2Lightspeed CoreRed Hat OpenShift AI (RHOAI)LiteLLM
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40906
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.46% / 36.77%
||
7 Day CHG+0.06%
Published-21 Apr, 2026 | 20:05
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Electric: SQL Injection via ORDER BY Parameter in Shape API

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.

Action-Not Available
Vendor-electricelectric-sqlRed Hat, Inc.
Product-sync-serviceelectricRed Hat Developer Hub
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-3118
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.53% / 40.72%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 11:25
Updated-05 May, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rhdh: graphql injection leading to platform-wide denial of service (dos) in rh developer hub orchestrator plugin

A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.

Action-Not Available
Vendor-Red Hat, Inc.
Product-developer_hubRed Hat Developer Hub 1.8Red Hat Developer Hub 1.9
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-30951
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.42% / 34.01%
||
7 Day CHG+0.04%
Published-10 Mar, 2026 | 20:22
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8.

Action-Not Available
Vendor-sequelizejssequelizeRed Hat, Inc.
Product-sequelizesequelizeRed Hat Satellite 6.18Red Hat Enterprise Linux 10Confidential Compute AttestationRed Hat Enterprise Linux 9
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-27876
Matching Score-6
Assigner-Grafana Labs
ShareView Details
Matching Score-6
Assigner-Grafana Labs
CVSS Score-9.1||CRITICAL
EPSS-1.93% / 77.52%
||
7 Day CHG+0.65%
Published-27 Mar, 2026 | 14:24
Updated-30 Jun, 2026 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RCE on Grafana via sqlExpressions

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected: - 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected. - 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life. - 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix. - 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix. - 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix. 13.0.0 and above also have the fix: no v13 release is affected.

Action-Not Available
Vendor-Red Hat, Inc.Grafana Labs
Product-grafanaGrafanaRed Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-27851
Matching Score-6
Assigner-Open-Xchange
ShareView Details
Matching Score-6
Assigner-Open-Xchange
CVSS Score-7.4||HIGH
EPSS-0.41% / 32.50%
||
7 Day CHG+0.10%
Published-12 May, 2026 | 13:28
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No publicly available exploits are known.

Action-Not Available
Vendor-Open-Xchange AGDovecotRed Hat, Inc.
Product-dovecotOX Dovecot ProRed Hat Enterprise Linux 9Red Hat Enterprise Linux 6Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8
CWE ID-CWE-235
Improper Handling of Extra Parameters
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-24031
Matching Score-6
Assigner-Open-Xchange
ShareView Details
Matching Score-6
Assigner-Open-Xchange
CVSS Score-7.7||HIGH
EPSS-0.40% / 31.49%
||
7 Day CHG+0.10%
Published-27 Mar, 2026 | 08:10
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This vulnerability allows bypassing authentication for any user and user enumeration. Do not clear auth_username_chars. If this is not possible, install latest fixed version. No publicly available exploits are known.

Action-Not Available
Vendor-Open-Xchange AGDovecotRed Hat, Inc.
Product-dovecotOX Dovecot ProRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-0603
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-8.3||HIGH
EPSS-0.78% / 51.50%
||
7 Day CHG+0.18%
Published-23 Jan, 2026 | 06:31
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Org.hibernate/hibernate-core: hibernate: information disclosure and data deletion via second-order sql injection

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat OpenShift AI (RHOAI)Red Hat AMQ Broker 7Red Hat Data Grid 8Red Hat JBoss Enterprise Application Platform 7Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 9Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7Red Hat build of OptaPlanner 8Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7Red Hat JBoss Enterprise Application PlatformRed Hat Single Sign-On 7Red Hat OpenShift Dev SpacesRed Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 7Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 8Red Hat Process Automation 7Red Hat Satellite 6Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat OpenShift AI (RHOAI)Red Hat AMQ Broker 7Red Hat Data Grid 8Red Hat JBoss Enterprise Application Platform 7Red Hat Fuse 7Red Hat build of OptaPlanner 8Red Hat JBoss EAP 7.4 ELS for RHEL 8Red Hat JBoss Enterprise Application PlatformRed Hat JBoss EAP 7.4 ELS for RHEL 7 ServerRed Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 ServerRed Hat OpenShift Dev SpacesRed Hat Process Automation 7Red Hat JBoss EAP 7.4 ELS for RHEL 9Red Hat Satellite 6Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 ServerRed Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-35042
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-44.37% / 98.61%
||
7 Day CHG~0.00%
Published-02 Jul, 2021 | 09:54
Updated-04 Aug, 2024 | 00:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.

Action-Not Available
Vendor-n/aDjangoFedora Project
Product-djangofedoran/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-39417
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-1.57% / 72.40%
||
7 Day CHG~0.00%
Published-11 Aug, 2023 | 12:19
Updated-12 Mar, 2026 | 06:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Postgresql: extension script @substitutions@ within quoting allow sql injection

IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

Action-Not Available
Vendor-The PostgreSQL Global Development GroupDebian GNU/LinuxRed Hat, Inc.
Product-software_collectionsdebian_linuxpostgresqlenterprise_linuxRed Hat Enterprise Linux 9.0 Extended Update SupportRed Hat Enterprise Linux 8.2 Update Services for SAP SolutionsRed Hat Enterprise Linux 8.4 Update Services for SAP SolutionsRed Hat Enterprise Linux 8.8 Extended Update SupportRed Hat Enterprise Linux 8.2 Telecommunications Update ServiceRed Hat Enterprise Linux 8.4 Telecommunications Update ServiceRed Hat Software CollectionsRed Hat Enterprise Linux 7Red Hat Software Collections for Red Hat Enterprise Linux 7Red Hat Advanced Cluster Security 4.2RHACS-4.1-RHEL-8Red Hat Enterprise Linux 6Red Hat Enterprise Linux 9.2 Extended Update SupportRHACS-3.74-RHEL-8Red Hat Enterprise Linux 8.6 Extended Update SupportRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8.2 Advanced Update SupportRed Hat Enterprise Linux 8
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-64459
Matching Score-6
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Matching Score-6
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-9.1||CRITICAL
EPSS-19.40% / 97.02%
||
7 Day CHG+0.26%
Published-05 Nov, 2025 | 15:09
Updated-26 Feb, 2026 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential SQL injection via _connector keyword argument in QuerySet and Q objects

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

Action-Not Available
Vendor-Django
Product-djangoDjango
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-7471
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-65.34% / 99.16%
||
7 Day CHG~0.00%
Published-03 Feb, 2020 | 11:59
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

Action-Not Available
Vendor-n/aDjango
Product-djangon/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found