Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-57281

Summary
Assigner-jenkins
Assigner Org ID-39769cd5-e6e2-4dc8-927e-97b3aa056f5b
Published At-24 Jun, 2026 | 13:20
Updated At-30 Jun, 2026 | 12:10
Rejected At-
Credits

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:jenkins
Assigner Org ID:39769cd5-e6e2-4dc8-927e-97b3aa056f5b
Published At:24 Jun, 2026 | 13:20
Updated At:30 Jun, 2026 | 12:10
Rejected At:
▼CVE Numbering Authority (CNA)

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.

Affected Products
Vendor
JenkinsJenkins Project
Product
Jenkins Script Security Plugin
Default Status
unaffected
Versions
Affected
  • From 0 through 1402.v94c9ce464861 (maven)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3793
vendor-advisory
Hyperlink: https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3793
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-693CWE-693 Protection Mechanism Failure
CWECWE-93CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Type: CWE
CWE ID: CWE-693
Description: CWE-693 Protection Mechanism Failure
Type: CWE
CWE ID: CWE-93
Description: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
2. jenkins-script-security-plugin: Jenkins Script Security Plugin: Arbitrary code execution outside sandbox

A flaw was found in the Jenkins Script Security Plugin. Attackers with the ability to run sandboxed Groovy scripts can exploit this vulnerability to execute arbitrary code outside the sandbox environment. This is due to the plugin's failure to reject Groovy Abstract Syntax Tree (AST) transformation annotations that include an extensions member, allowing unauthorized script execution if a suitable script exists on the classpath.

Affected Products
Vendor
Red Hat, Inc.Red Hat
Product
OpenShift Developer Tools and Services
CPEs
  • cpe:/a:redhat:ocp_tools
Default Status
affected
Problem Types
TypeCWE IDDescription
CWECWE-917Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Type: CWE
CWE ID: CWE-917
Description: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Metrics
VersionBase scoreBase severityVector
3.18.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Red Hat severity rating
value:
Important
namespace:
https://access.redhat.com/security/updates/classification/
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Exploits

Credits

Timeline
EventDate
Reported to Red Hat.2026-06-24 14:02:12
Made public.2026-06-24 13:20:04
Event: Reported to Red Hat.
Date: 2026-06-24 14:02:12
Event: Made public.
Date: 2026-06-24 13:20:04
Replaced By

Rejected Reason

References
HyperlinkResource
https://access.redhat.com/security/cve/CVE-2026-57281
vdb-entry
x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2492200
issue-tracking
x_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-57281.json
x_sadp-csaf-vex
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-57281
Resource:
vdb-entry
x_refsource_REDHAT
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2492200
Resource:
issue-tracking
x_refsource_REDHAT
Hyperlink: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-57281.json
Resource:
x_sadp-csaf-vex
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:jenkinsci-cert@googlegroups.com
Published At:24 Jun, 2026 | 14:17
Updated At:30 Jun, 2026 | 03:21

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Secondary3.18.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
N/A
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Jenkins
jenkins
>>script_security>>Versions up to 1402.v94c9ce464861(inclusive)
cpe:2.3:a:jenkins:script_security:*:*:*:*:*:jenkins:*:*
Weaknesses
CWE IDTypeSource
CWE-93Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-693Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-917Secondary0b0ca135-0b70-47e7-9f44-1890c2a1c46c
CWE ID: CWE-93
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-693
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-917
Type: Secondary
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3793jenkinsci-cert@googlegroups.com
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-572810b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://bugzilla.redhat.com/show_bug.cgi?id=24922000b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-57281.json0b0ca135-0b70-47e7-9f44-1890c2a1c46c
N/A
Hyperlink: https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3793
Source: jenkinsci-cert@googlegroups.com
Resource:
Vendor Advisory
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-57281
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2492200
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A
Hyperlink: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-57281.json
Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

86Records found

CVE-2026-40477
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.86% / 54.09%
||
7 Day CHG+0.21%
Published-17 Apr, 2026 | 21:53
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper restriction of the scope of accessible objects in Thymeleaf expressions

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.

Action-Not Available
Vendor-thymeleafthymeleafRed Hat, Inc.
Product-thymeleafthymeleaforg.thymeleaf:thymeleaf-spring6org.thymeleaf:thymeleaf-spring5Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform 7Red Hat build of Apache Camel for Spring Boot 4Red Hat OpenShift Dev Spaces 3.28Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2026-40478
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.78% / 51.29%
||
7 Day CHG+0.19%
Published-17 Apr, 2026 | 21:57
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI). This issue has ben fixed in version 3.1.4.RELEASE.

Action-Not Available
Vendor-thymeleafthymeleafRed Hat, Inc.
Product-thymeleafthymeleaforg.thymeleaf:thymeleaf-spring6org.thymeleaf:thymeleaf-spring5Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform 7Red Hat build of Apache Camel for Spring Boot 4Red Hat OpenShift Dev Spaces 3.28Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2026-6857
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.67% / 47.34%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 12:55
Updated-30 Jun, 2026 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Camel-infinispan: camel-infinispan: remote code execution via unsafe deserialization

A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14Red Hat Build of Apache Camel 4.18 for Quarkus 3.33Red Hat build of Apache Camel 4 for Quarkus 3Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14Red Hat Build of Apache Camel 4.18 for Quarkus 3.33Red Hat build of Apache Camel 4 for Quarkus 3Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-6734
Matching Score-8
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
ShareView Details
Matching Score-8
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
CVSS Score-7.5||HIGH
EPSS-0.32% / 23.28%
||
7 Day CHG+0.11%
Published-17 Jun, 2026 | 16:36
Updated-02 Jul, 2026 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse

Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination. This causes cross-origin request routing: credentials and request data intended for origin B are sent to origin A, responses from the wrong origin are trusted, and HTTPS requests may be silently downgraded to HTTP. Impacted users are applications that use Socks5ProxyAgent (directly or via setGlobalDispatcher) and make requests to more than one origin. This was introduced in undici 7.23.0 via PR #4385 and affects all versions through 8.1.0. Patches: Upgrade to undici v7.26.0 or v8.2.0. Workarounds: Use a separate Socks5ProxyAgent instance per origin, or avoid using Socks5ProxyAgent with multiple origins.

Action-Not Available
Vendor-undiciRed Hat, Inc.Node.js (OpenJS Foundation)
Product-undiciundiciRed Hat Enterprise Linux 9Self-service automation portal 2Red Hat OpenShift Dev SpacesRed Hat Enterprise Linux 8Red Hat Build of Podman DesktopRed Hat Openshift Data Foundation 4Cryostat 4Red Hat AMQ Broker 7Cluster Observability Operator 1.5.0Red Hat Developer HubRed Hat Enterprise Linux 10OpenShift PipelinesRed Hat Hardened ImagesRed Hat OpenShift AI (RHOAI)Red Hat OpenShift Container Platform 4
CWE ID-CWE-346
Origin Validation Error
CWE ID-CWE-940
Improper Verification of Source of a Communication Channel
CVE-2025-14025
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-8.5||HIGH
EPSS-0.39% / 30.88%
||
7 Day CHG~0.00%
Published-08 Jan, 2026 | 13:44
Updated-26 Feb, 2026 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ansible-automation-platform/aap-gateway: aap-gateway: read-only personal access token (pat) bypasses write restrictions

A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP, are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If this flaw were exploited, an attacker‘s capabilities would only be limited by role based access controls (RBAC).

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Ansible Automation Platform 2.5 for RHEL 8Red Hat Ansible Automation Platform 2.6Red Hat Ansible Automation Platform 2.5Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat Ansible Automation Platform 2.5 for RHEL 9
CWE ID-CWE-279
Incorrect Execution-Assigned Permissions
CVE-2026-5483
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-8.5||HIGH
EPSS-0.49% / 38.65%
||
7 Day CHG+0.01%
Published-10 Apr, 2026 | 17:33
Updated-30 Jun, 2026 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Odh-dashboard: odh dashboard kubernetes service account exposure

A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain unauthorized access to Kubernetes resources.

Action-Not Available
Vendor-Red Hat, Inc.
Product-openshift_aiRed Hat OpenShift AI 2.16Red Hat OpenShift AI (RHOAI)Red Hat OpenShift AI 3.3Red Hat OpenShift AI 2.25Red Hat OpenShift AI 3.2Red Hat OpenShift AI 2.16Red Hat OpenShift AI (RHOAI)Red Hat OpenShift AI 3.3Red Hat OpenShift AI 2.25Red Hat OpenShift AI 3.2
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2022-30945
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-8.5||HIGH
EPSS-1.24% / 65.65%
||
7 Day CHG~0.00%
Published-17 May, 2022 | 14:05
Updated-03 Aug, 2024 | 07:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.

Action-Not Available
Vendor-Jenkins
Product-pipeline\Jenkins Pipeline: Groovy Plugin
CVE-2019-1003043
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-7.5||HIGH
EPSS-1.46% / 70.38%
||
7 Day CHG~0.00%
Published-28 Mar, 2019 | 17:59
Updated-05 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-slack_notificationJenkins Slack Notification Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2026-48921
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-7.5||HIGH
EPSS-0.30% / 21.81%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 14:13
Updated-28 May, 2026 | 17:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.

Action-Not Available
Vendor-Jenkins
Product-pipeline\Jenkins Pipeline: Groovy Libraries Plugin
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CVE-2026-48922
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-7.5||HIGH
EPSS-0.36% / 28.45%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 14:13
Updated-28 May, 2026 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

Action-Not Available
Vendor-Jenkins
Product-credentials_bindingJenkins Credentials Binding Plugin
CWE ID-CWE-20
Improper Input Validation
CVE-2026-4525
Matching Score-8
Assigner-HashiCorp Inc.
ShareView Details
Matching Score-8
Assigner-HashiCorp Inc.
CVSS Score-7.5||HIGH
EPSS-0.41% / 32.50%
||
7 Day CHG+0.10%
Published-17 Apr, 2026 | 03:00
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header

If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Action-Not Available
Vendor-HashiCorp, Inc.Red Hat, Inc.
Product-vaultVaultVault EnterpriseRed Hat Openshift Data Foundation 4Red Hat OpenShift Container Platform 4
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2026-45833
Matching Score-8
Assigner-HiddenLayer, Inc.
ShareView Details
Matching Score-8
Assigner-HiddenLayer, Inc.
CVSS Score-9.4||CRITICAL
EPSS-0.34% / 26.22%
||
7 Day CHG+0.05%
Published-12 Jun, 2026 | 15:16
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} if they have the UPDATE_COLLECTION permission.

Action-Not Available
Vendor-trychromaChromaRed Hat, Inc.
Product-chromadbChromaDBRed Hat OpenShift AI (RHOAI)Red Hat Enterprise Linux AI (RHEL AI) 3
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-4154
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-1.15% / 63.06%
||
7 Day CHG~0.00%
Published-07 Nov, 2023 | 19:14
Updated-02 Aug, 2024 | 07:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Samba: ad dc password exposure to privileged users and rodcs

A design flaw was found in Samba's DirSync control implementation, which exposes passwords and secrets in Active Directory to privileged users and Read-Only Domain Controllers (RODCs). This flaw allows RODCs and users possessing the GET_CHANGES right to access all attributes, including sensitive secrets and passwords. Even in a default setup, RODC DC accounts, which should only replicate some passwords, can gain access to all domain secrets, including the vital krbtgt, effectively eliminating the RODC / DC distinction. Furthermore, the vulnerability fails to account for error conditions (fail open), like out-of-memory situations, potentially granting access to secret attributes, even under low-privileged attacker influence.

Action-Not Available
Vendor-n/aSambaFedora ProjectRed Hat, Inc.
Product-sambasambaRed Hat Enterprise Linux 9Red Hat Storage 3Red Hat Enterprise Linux 6Red Hat Enterprise Linux 8Red Hat Enterprise Linux 7Fedora
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-43998
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-8.5||HIGH
EPSS-0.72% / 49.46%
||
7 Day CHG+0.10%
Published-13 May, 2026 | 17:19
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vm2: NodeVM require.root bypass via symlink traversal allows sandbox escape

vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve() (which does not dereference symlinks) but module loading uses Node's native require() (which does), an attacker can load arbitrary host-realm modules and achieve remote code execution. This vulnerability is fixed in 3.11.0.

Action-Not Available
Vendor-vm2_projectpatriksimekRed Hat, Inc.
Product-vm2vm2Self-service automation portal 2Red Hat Developer Hub
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CVE-2026-44417
Matching Score-8
Assigner-Apache Software Foundation
ShareView Details
Matching Score-8
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.64% / 46.20%
||
7 Day CHG+0.19%
Published-22 May, 2026 | 12:17
Updated-30 Jun, 2026 | 03:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE)

The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

Action-Not Available
Vendor-The Apache Software FoundationRed Hat, Inc.
Product-cxfApache CXFRed Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform 7Red Hat build of Apache Camel for Spring Boot 4Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-15
External Control of System or Configuration Setting
CWE ID-CWE-20
Improper Input Validation
CVE-2026-42520
Matching Score-8
Assigner-Jenkins Project
ShareView Details
Matching Score-8
Assigner-Jenkins Project
CVSS Score-7.5||HIGH
EPSS-0.41% / 32.98%
||
7 Day CHG~0.00%
Published-29 Apr, 2026 | 13:31
Updated-06 May, 2026 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

Action-Not Available
Vendor-Jenkins
Product-credentials_bindingJenkins Credentials Binding Plugin
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-43003
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.84% / 53.28%
||
7 Day CHG+0.14%
Published-01 May, 2026 | 00:00
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image.

Action-Not Available
Vendor-Red Hat, Inc.OpenStack
Product-ironic_python_agentironic-python-agentRed Hat OpenShift Container Platform 4
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2026-40938
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.79% / 51.71%
||
7 Day CHG+0.27%
Published-21 Apr, 2026 | 20:45
Updated-30 Jun, 2026 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tekton Pipelines: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack=<binary>. Combined with the validateRepoURL function explicitly permitting URLs that begin with / (local filesystem paths), a tenant who can submit ResolutionRequest objects can chain these two behaviors to execute an arbitrary binary on the resolver pod. The tekton-pipelines-resolvers ServiceAccount holds cluster-wide get/list/watch on all Secrets, so code execution on the resolver pod enables full cluster-wide secret exfiltration. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.

Action-Not Available
Vendor-tektoncdThe Linux FoundationRed Hat, Inc.
Product-tekton_pipelinespipelineRed Hat OpenShift Pipelines 1.21Red Hat OpenShift AI (RHOAI)OpenShift LightspeedRed Hat OpenShift Builds 1.8.0Red Hat OpenShift Virtualization 4OpenShift PipelinesRed Hat Trusted Artifact SignerRed Hat OpenShift Builds 1.7.3OpenShift Serverless
CWE ID-CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE-2026-40860
Matching Score-8
Assigner-Apache Software Foundation
ShareView Details
Matching Score-8
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.88% / 54.71%
||
7 Day CHG+0.19%
Published-27 Apr, 2026 | 08:03
Updated-30 Jun, 2026 | 03:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp

JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

Action-Not Available
Vendor-The Apache Software FoundationRed Hat, Inc.
Product-camelApache CamelRed Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14Red Hat Build of Apache Camel 4.18 for Quarkus 3.33Red Hat build of Apache Camel 4 for Quarkus 3Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-34971
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-9||CRITICAL
EPSS-0.32% / 23.70%
||
7 Day CHG+0.06%
Published-09 Apr, 2026 | 18:45
Updated-30 Jun, 2026 | 03:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wasmtime miscompiled guest heap access enables sandbox escape on aarch64 Cranelift

Wasmtime is a runtime for WebAssembly. From 32.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses which means that the wrong address is accessed. When combined with explicit bounds checks a guest WebAssembly module this can create a situation where there are two diverging computations for the same address: one for the address to bounds-check and one for the address to load. This difference in address being operated on means that a guest module can pass a bounds check but then load a different address. Combined together this enables an arbitrary read/write primitive for guest WebAssembly when accesssing host memory. This is a sandbox escape as guests are able to read/write arbitrary host memory. This vulnerability has a few ingredients, all of which must be met, for this situation to occur and bypass the sandbox restrictions. This miscompiled shape of load only occurs on 64-bit WebAssembly linear memories, or when Config::wasm_memory64 is enabled. 32-bit WebAssembly is not affected. Spectre mitigations or signals-based-traps must be disabled. When spectre mitigations are enabled then the offending shape of load is not generated. When signals-based-traps are disabled then spectre mitigations are also automatically disabled. The specific bug in Cranelift is a miscompile of a load of the shape load(iadd(base, ishl(index, amt))) where amt is a constant. The amt value is masked incorrectly to test if it's a certain value, and this incorrect mask means that Cranelift can pattern-match this lowering rule during instruction selection erroneously, diverging from WebAssembly's and Cranelift's semantics. This incorrect lowering would, for example, load an address much further away than intended as the correct address's computation would have wrapped around to a smaller value insetad. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.

Action-Not Available
Vendor-bytecodealliancebytecodeallianceRed Hat, Inc.
Product-wasmtimewasmtimeRed Hat Connectivity Link 1Red Hat Enterprise Linux 10
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-32871
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.99% / 58.18%
||
7 Day CHG-0.09%
Published-02 Apr, 2026 | 14:52
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability

FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL. Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider. This issue has been patched in version 3.2.0.

Action-Not Available
Vendor-jlowinPrefectHQRed Hat, Inc.
Product-fastmcpfastmcpRed Hat Satellite 6Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-32304
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.57% / 43.07%
||
7 Day CHG+0.02%
Published-12 Mar, 2026 | 21:24
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Locutus: RCE via unsanitized input in create_function()

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.

Action-Not Available
Vendor-locutuslocutusjsRed Hat, Inc.
Product-locutuslocutusLogging Subsystem for Red Hat OpenShift
CWE ID-CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-23479
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-1.29% / 66.64%
||
7 Day CHG+0.33%
Published-05 May, 2026 | 16:36
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
redis-server use-after-free in unblock client flow may allow remote code execution

Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.

Action-Not Available
Vendor-Red Hat, Inc.Redis Inc.
Product-redisredisRed Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Hardened ImagesRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux AppStream (v. 10)
CWE ID-CWE-416
Use After Free
CVE-2026-21413
Matching Score-8
Assigner-Talos
ShareView Details
Matching Score-8
Assigner-Talos
CVSS Score-9.8||CRITICAL
EPSS-0.75% / 50.30%
||
7 Day CHG+0.20%
Published-07 Apr, 2026 | 13:49
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

Action-Not Available
Vendor-librawLibRawRed Hat, Inc.
Product-librawLibRawRed Hat Enterprise Linux CRB (v. 8)Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Enterprise Linux AppStream AUS (v.8.6)Red Hat Enterprise Linux AppStream E4S (v.8.6)Red Hat Enterprise Linux 7Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)Red Hat Enterprise Linux AppStream TUS (v.8.8)Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux AppStream (v. 8)Red Hat Enterprise Linux 6Red Hat CodeReady Linux Builder EUS (v.9.4)Red Hat Enterprise Linux AppStream E4S (v.9.2)Red Hat Enterprise Linux AppStream TUS (v.8.6)Red Hat Enterprise Linux AppStream E4S (v.8.8)Red Hat CodeReady Linux Builder EUS (v.9.6)Red Hat Enterprise Linux AppStream EUS (v.9.4)Red Hat Enterprise Linux 8Red Hat Enterprise Linux AppStream AUS (v.8.4)Red Hat Enterprise Linux AppStream E4S (v.9.0)
CWE ID-CWE-129
Improper Validation of Array Index
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-20889
Matching Score-8
Assigner-Talos
ShareView Details
Matching Score-8
Assigner-Talos
CVSS Score-9.8||CRITICAL
EPSS-0.65% / 46.41%
||
7 Day CHG+0.14%
Published-07 Apr, 2026 | 13:49
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

Action-Not Available
Vendor-librawLibRawRed Hat, Inc.
Product-librawLibRawRed Hat Enterprise Linux CRB (v. 8)Red Hat Enterprise Linux AppStream AUS (v.8.6)Red Hat Enterprise Linux AppStream E4S (v.8.6)Red Hat Enterprise Linux 7Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)Red Hat Enterprise Linux AppStream TUS (v.8.6)Red Hat Enterprise Linux AppStream E4S (v.8.8)Red Hat Enterprise Linux AppStream TUS (v.8.8)Red Hat Enterprise Linux 9Red Hat Enterprise Linux 8Red Hat Enterprise Linux AppStream (v. 8)Red Hat Enterprise Linux AppStream AUS (v.8.4)Red Hat Enterprise Linux 6
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2026-20911
Matching Score-8
Assigner-Talos
ShareView Details
Matching Score-8
Assigner-Talos
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 39.36%
||
7 Day CHG+0.01%
Published-07 Apr, 2026 | 13:49
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

Action-Not Available
Vendor-librawLibRawRed Hat, Inc.
Product-librawLibRawRed Hat Enterprise Linux 8Red Hat Enterprise Linux 9Red Hat Enterprise Linux 6Red Hat Enterprise Linux 7
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE ID-CWE-131
Incorrect Calculation of Buffer Size
CVE-2026-1312
Matching Score-8
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
ShareView Details
Matching Score-8
Assigner-6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS Score-5.4||MEDIUM
EPSS-0.80% / 52.16%
||
7 Day CHG+0.31%
Published-03 Feb, 2026 | 14:36
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential SQL injection via QuerySet.order_by and FilteredRelation

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

Action-Not Available
Vendor-Red Hat, Inc.Django
Product-djangoDjangoRed Hat Ansible Automation Platform 2.6Red Hat Ansible Automation Platform 2.5Red Hat Satellite 6.18Red Hat Discovery 2Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat Update Infrastructure 4 for Cloud ProvidersRed Hat OpenStack Platform 18.0Red Hat Ansible Automation Platform 2Red Hat Satellite 6.16 for RHEL 9Red Hat Ansible Automation Platform 2.5 for RHEL 9Red Hat Satellite 6.17 for RHEL 9Red Hat OpenStack Platform 16.2Red Hat Ansible Automation Platform 2.6 for RHEL 10Red Hat Satellite 6Red Hat Ansible Automation Platform 2.5 for RHEL 8Red Hat Satellite 6.18 for RHEL 9Red Hat OpenStack Platform 17.1Red Hat Satellite 6.16 for RHEL 8
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-12398
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.89% / 54.93%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 14:52
Updated-29 Jun, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Galaxy_ng: shell injection in legacy role import via unsanitized git ref names

A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Ansible Automation Platform 2
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-13325
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-8.5||HIGH
EPSS-0.17% / 6.83%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 10:41
Updated-26 Jun, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Virt-handler-rhel9: kubevirt: kubevirt: disabletls migration setting removes authentication, exposing unauthenticated virtqemud proxy on all interfaces

A flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. This listener proxies directly into the target virt-launcher's virtqemud control socket. An attacker with a running pod on the cluster network can connect to this listener and issue unfiltered libvirt RPC commands against another tenant's virtual machine, including reading VM memory and configuration, modifying VM state via QMP, or destroying the VM. The bind address is unconditionally 0.0.0.0 — configuring a dedicated migration network via migrations.network only changes the advertised migration IP, not the listener bind address, so the port remains reachable on the pod network even when a dedicated migration network is configured. The API documentation describes disableTLS as removing "the additional layer of live migration encryption" without disclosing that it also removes all mutual authentication.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat OpenShift Virtualization 4
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2023-39417
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-1.57% / 72.40%
||
7 Day CHG~0.00%
Published-11 Aug, 2023 | 12:19
Updated-12 Mar, 2026 | 06:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Postgresql: extension script @substitutions@ within quoting allow sql injection

IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

Action-Not Available
Vendor-The PostgreSQL Global Development GroupDebian GNU/LinuxRed Hat, Inc.
Product-software_collectionsdebian_linuxpostgresqlenterprise_linuxRed Hat Enterprise Linux 9.0 Extended Update SupportRed Hat Enterprise Linux 8.2 Update Services for SAP SolutionsRed Hat Enterprise Linux 8.4 Update Services for SAP SolutionsRed Hat Enterprise Linux 8.8 Extended Update SupportRed Hat Enterprise Linux 8.2 Telecommunications Update ServiceRed Hat Enterprise Linux 8.4 Telecommunications Update ServiceRed Hat Software CollectionsRed Hat Enterprise Linux 7Red Hat Software Collections for Red Hat Enterprise Linux 7Red Hat Advanced Cluster Security 4.2RHACS-4.1-RHEL-8Red Hat Enterprise Linux 6Red Hat Enterprise Linux 9.2 Extended Update SupportRHACS-3.74-RHEL-8Red Hat Enterprise Linux 8.6 Extended Update SupportRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8.2 Advanced Update SupportRed Hat Enterprise Linux 8
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-25720
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.48% / 38.20%
||
7 Day CHG~0.00%
Published-17 Nov, 2024 | 10:17
Updated-27 Apr, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Samba: check attribute access rights for ldap adds of computers

A vulnerability was found in Samba where a delegated administrator with permission to create objects in Active Directory can write to all attributes of the newly created object, including security-sensitive attributes, even after the object's creation. This issue occurs because the administrator owns the object due to the lack of an Access Control List (ACL) at the time of creation and later being recognized as the 'creator owner.' The retained significant rights of the delegated administrator may not be well understood, potentially leading to unintended privilege escalation or security risks.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Enterprise Linux 10Red Hat OpenShift Container Platform 4Red Hat Storage 3Red Hat Enterprise Linux 6Red Hat Enterprise Linux 8Red Hat Enterprise Linux 7Red Hat Enterprise Linux 9
CWE ID-CWE-266
Incorrect Privilege Assignment
CVE-2026-8945
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.37% / 28.93%
||
7 Day CHG+0.07%
Published-19 May, 2026 | 12:29
Updated-30 Jun, 2026 | 03:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sandbox escape in Firefox and Firefox Focus for Android

Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151.

Action-Not Available
Vendor-Red Hat, Inc.Mozilla Corporation
Product-firefoxfirefox_focusFirefoxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-653
Improper Isolation or Compartmentalization
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2025-69264
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-1.02% / 59.28%
||
7 Day CHG+0.21%
Published-07 Jan, 2026 | 21:53
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.

Action-Not Available
Vendor-pnpmpnpmRed Hat, Inc.
Product-pnpmpnpmRed Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2022-43434
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-5.3||MEDIUM
EPSS-0.64% / 46.15%
||
7 Day CHG~0.00%
Published-19 Oct, 2022 | 00:00
Updated-08 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

Action-Not Available
Vendor-Jenkins
Product-neuvector_vulnerability_scannerJenkins NeuVector Vulnerability Scanner Plugin
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-8401
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.31% / 23.17%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 14:24
Updated-30 Jun, 2026 | 03:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sandbox escape in the Profile Backup component

Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.

Action-Not Available
Vendor-Red Hat, Inc.Mozilla Corporation
Product-firefoxThunderbirdFirefoxRed Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Enterprise Linux AppStream AUS (v.8.6)Red Hat Enterprise Linux 7Red Hat Enterprise Linux AppStream E4S (v.9.4)Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)Red Hat Enterprise Linux AppStream TUS (v.8.8)Red Hat Enterprise Linux 10Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux AppStream (v. 8)Red Hat Enterprise Linux Server (v. 7 ELS)Red Hat Enterprise Linux 6Red Hat Enterprise Linux AppStream (v. 10)Red Hat Enterprise Linux AppStream E4S (v.9.2)Red Hat Enterprise Linux AppStream E4S (v.8.8)Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)Red Hat Enterprise Linux AppStream AUS (v.8.4)
CWE ID-CWE-653
Improper Isolation or Compartmentalization
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2022-43432
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.54% / 41.55%
||
7 Day CHG~0.00%
Published-19 Oct, 2022 | 00:00
Updated-08 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

Action-Not Available
Vendor-Jenkins
Product-xframium_builderJenkins XFramium Builder Plugin
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2022-43422
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-5.3||MEDIUM
EPSS-0.67% / 47.30%
||
7 Day CHG~0.00%
Published-19 Oct, 2022 | 00:00
Updated-08 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

Action-Not Available
Vendor-Jenkins
Product-jenkinscompuware_topaz_utilitiesJenkins Compuware Topaz Utilities Plugin
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-57280
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.37% / 29.18%
||
7 Day CHG+0.01%
Published-24 Jun, 2026 | 13:20
Updated-26 Jun, 2026 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection.

Action-Not Available
Vendor-Jenkins
Product-script_securityJenkins Script Security Plugin
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-24781
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.16% / 63.15%
||
7 Day CHG+0.17%
Published-04 May, 2026 | 16:33
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vm2: Sandbox Breakout Through Inspect

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

Action-Not Available
Vendor-vm2_projectpatriksimekRed Hat, Inc.
Product-vm2vm2Red Hat Developer Hub 1.9Red Hat Developer Hub
CWE ID-CWE-653
Improper Isolation or Compartmentalization
CWE ID-CWE-693
Protection Mechanism Failure
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-34144
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-9.8||CRITICAL
EPSS-48.08% / 98.71%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 13:28
Updated-10 Oct, 2025 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Action-Not Available
Vendor-Jenkins
Product-script_securityJenkins Script Security Pluginscript_security
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2019-10328
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-9.9||CRITICAL
EPSS-1.94% / 77.65%
||
7 Day CHG+0.02%
Published-31 May, 2019 | 14:20
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection.

Action-Not Available
Vendor-Jenkins
Product-pipeline_remote_loaderJenkins Pipeline Remote Loader Plugin
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2019-1003030
Matching Score-6
Assigner-Jenkins Project
ShareView Details
Matching Score-6
Assigner-Jenkins Project
CVSS Score-9.9||CRITICAL
EPSS-75.59% / 99.46%
||
7 Day CHG-0.37%
Published-08 Mar, 2019 | 21:00
Updated-24 Oct, 2025 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-04-15||Apply updates per vendor instructions.

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.

Action-Not Available
Vendor-Red Hat, Inc.Jenkins
Product-pipeline\openshift_container_platformJenkins Pipeline: Groovy PluginMatrix Project Plugin
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2023-5557
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.87% / 54.28%
||
7 Day CHG~0.00%
Published-13 Oct, 2023 | 01:41
Updated-20 Nov, 2025 | 07:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tracker-miners: sandbox escape

A flaw was found in the tracker-miners package. A weakness in the sandbox allows a maliciously-crafted file to execute code outside the sandbox if the tracker-extract process has first been compromised by a separate vulnerability.

Action-Not Available
Vendor-The GNOME ProjectRed Hat, Inc.
Product-tracker_minersenterprise_linuxRed Hat Enterprise Linux 8.8 Extended Update SupportRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8.4 Update Services for SAP SolutionsRed Hat Enterprise Linux 8.2 Telecommunications Update ServiceRed Hat Enterprise Linux 8.6 Extended Update SupportRed Hat Enterprise Linux 8.4 Telecommunications Update ServiceRed Hat Enterprise Linux 9.0 Extended Update SupportRed Hat Enterprise Linux 8.2 Advanced Update SupportRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9.2 Extended Update SupportRed Hat Enterprise Linux 8.2 Update Services for SAP SolutionsRed Hat Enterprise Linux 8
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-44209
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.54% / 41.39%
||
7 Day CHG+0.12%
Published-26 May, 2026 | 20:46
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Banks: Critical Remote Code Execution (RCE) via Jinja2 SSTI

Banks generates meaningful LLM prompts using a template language that makes sense. Prior to 2.4.2, banks uses jinja2.Environment() (unsandboxed) to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt() are vulnerable to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE) on the host system. This vulnerability is fixed in 2.4.2.

Action-Not Available
Vendor-masciRed Hat, Inc.
Product-banksExploit IntelligenceOpenShift LightspeedRed Hat Ansible Automation Platform 2
CWE ID-CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2026-42258
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.81% / 52.52%
||
7 Day CHG-0.12%
Published-09 May, 2026 | 19:40
Updated-02 Jul, 2026 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
net-imap: Command Injection via unvalidated Symbol inputs

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

Action-Not Available
Vendor-Red Hat, Inc.Ruby
Product-net\net-imapRed Hat Enterprise Linux 7Red Hat OpenShift Dev SpacesRed Hat Enterprise Linux 6Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Enterprise Linux AppStream (v. 10)Red Hat Enterprise Linux AppStream E4S (v.8.8)Red Hat Enterprise Linux AppStream (v. 8)Red Hat Enterprise Linux AppStream E4S (v.9.4)Red Hat 3scale API Management Platform 2Red Hat CodeReady Linux Builder EUS (v.9.6)Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux AppStream TUS (v.8.8)Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)Red Hat Hardened ImagesRed Hat OpenShift AI (RHOAI)Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)Red Hat OpenShift Container Platform 4
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2026-42578
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-2.9||LOW
EPSS-0.67% / 47.35%
||
7 Day CHG+0.26%
Published-13 May, 2026 | 17:57
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Action-Not Available
Vendor-The Netty ProjectRed Hat, Inc.
Product-nettynettyRed Hat OpenShift AI (RHOAI)Red Hat build of Apicurio Registry 2Red Hat build of Quarkus 3.27.4Cryostat 4 on RHEL 9Red Hat AMQ Broker 7Red Hat Data Grid 8Red Hat JBoss Enterprise Application Platform 7Red Hat build of Debezium 3Red Hat build of Apache Camel for Spring Boot 4OpenShift ServerlessRed Hat Enterprise Linux AI (RHEL AI) 3Red Hat Fuse 7streams for Apache Kafka 2Red Hat build of OptaPlanner 8Red Hat AMQ ClientsRed Hat build of Apicurio Registry 3Red Hat Single Sign-On 7Red Hat build of Apache Camel 4 for Quarkus 3streams for Apache Kafka 3Red Hat Build of KeycloakRed Hat OpenShift Dev SpacesRed Hat Process Automation 7Red Hat Satellite 6Red Hat OpenShift Dev Spaces 3.28Red Hat build of Quarkus 3.33.2Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2026-41316
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-1.13% / 62.48%
||
7 Day CHG+0.62%
Published-24 Apr, 2026 | 02:35
Updated-30 Jun, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ERB has an @_init deserialization guard bypass via def_module / def_method / def_class

ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.

Action-Not Available
Vendor-RubyRed Hat, Inc.
Product-erbRed Hat Enterprise Linux CodeReady Linux Builder (v. 9)Red Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)Red Hat Enterprise Linux 7Red Hat Enterprise Linux AppStream E4S (v.9.4)Red Hat Hardened ImagesRed Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux AppStream (v. 8)Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)Red Hat Enterprise Linux 6Red Hat Enterprise Linux AppStream (v. 10)Red Hat OpenShift Container Platform 4Red Hat CodeReady Linux Builder EUS (v.9.6)Red Hat Enterprise Linux 8Red Hat Enterprise Linux AppStream E4S (v.9.0)
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2026-39983
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-2.19% / 80.19%
||
7 Day CHG+0.24%
Published-09 Apr, 2026 | 17:05
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FTP Command Injection via CRLF in basic-ftp

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.

Action-Not Available
Vendor-patrickjuchlipatrickjuchliRed Hat, Inc.
Product-basic-ftpbasic-ftpRed Hat OpenShift AI (RHOAI)Red Hat OpenShift Container Platform 4Self-service automation portal 2Red Hat Developer Hub 1.8Red Hat Developer Hub 1.9
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2026-40897
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.55% / 42.01%
||
7 Day CHG+0.10%
Published-24 Apr, 2026 | 16:48
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Math.js: Unsafe object property setter in mathjs

Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. This vulnerability is fixed in 15.2.0.

Action-Not Available
Vendor-mathjsjosdejongRed Hat, Inc.
Product-mathjsmathjsRed Hat Developer HubRed Hat OpenShift AI (RHOAI)Red Hat OpenShift Container Platform 4Red Hat Enterprise Linux 9Self-service automation portal 2Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8
CWE ID-CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2026-3633
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-3.9||LOW
EPSS-0.22% / 12.88%
||
7 Day CHG~0.00%
Published-17 Mar, 2026 | 09:44
Updated-19 Mar, 2026 | 20:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Libsoup: libsoup: header and http request injection via crlf injection

A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.

Action-Not Available
Vendor-The GNOME ProjectRed Hat, Inc.
Product-enterprise_linuxlibsoupRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8Red Hat Enterprise Linux 10Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
  • Previous
  • 1
  • 2
  • Next
Details not found