Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Red Hat JBoss Enterprise Application Platform Expansion Pack

Source -

ADPCNA

CNA CVEs -

80

ADP CVEs -

126

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
198Vulnerabilities found

CVE-2026-16104
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 10.48%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 16:43
Updated-17 Jul, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-services: keycloak-services: authenticator config endpoint exposes raw recaptcha secrets to view-only admins

A flaw was found in the authentication configuration endpoint of the keycloak-services component, which is the core engine for Red Hat Build of Keycloak identity and access management. The issue occurs because the system fails to mask sensitive configuration values, such as reCAPTCHA secret keys, when they are requested by administrators with view-only permissions. This can lead to the exposure of third-party service credentials to unauthorized personnel or through administrative logs.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Build of KeycloakRed Hat Data Grid 8Red Hat Single Sign-On 7
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2026-16103
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 10.82%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 16:43
Updated-17 Jul, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-services: keycloak-services: incomplete fix for ciba brute-force lockout bypass at token redemption

A flaw was found in the keycloak-services component of Keycloak. This issue is an incomplete fix for CVE-2026-9798, where brute-force protection checks were added to the Client-Initiated Backchannel Authentication (CIBA) initiation handler but were omitted from the token redemption handler. This allows an attacker with valid client credentials to obtain access and refresh tokens for a user account that has been locked due to brute-force protection, provided the authentication request was started before the lockout occurred and was approved by the user.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Build of KeycloakRed Hat Data Grid 8Red Hat Single Sign-On 7
CVE-2026-16106
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.20% / 10.06%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 16:43
Updated-19 Jul, 2026 | 09:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-services: keycloak-services: incorrect authorization in admin role-composite deletion allows delegated admin to remove privileged child roles

A flaw was found in the admin REST API of Keycloak, a solution for identity and access management. The issue occurs when a delegated administrator attempts to remove a child role from a composite role. Due to missing authorization checks, an attacker with limited administrative permissions can remove privileged roles they are not authorized to manage, leading to a loss of access for other users and administrators.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Build of KeycloakRed Hat Data Grid 8Red Hat Single Sign-On 7
CWE ID-CWE-862
Missing Authorization
CVE-2026-16108
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 8.07%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 16:43
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-services: keycloak-services: realm default-group reads disclose hidden groups under fgap v2

A flaw was found in the default-groups REST endpoint and realm representation of Keycloak. This component is responsible for managing groups that are automatically assigned to new users within a realm. The issue allows a delegated administrator with realm-viewing permissions to see the names and identifiers of hidden default groups, even if they lack the specific permissions to view those groups. This can lead to the exposure of sensitive organizational structures or internal group names.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Build of KeycloakRed Hat Data Grid 8Red Hat Single Sign-On 7
CVE-2026-16093
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 9.17%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 16:42
Updated-17 Jul, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-services: keycloak-services: required signed-jwt assertion policy can be bypassed with unsigned assertion headers

Keycloak provides a mechanism called Client Policies to enforce security requirements on clients, such as requiring them to use signed JWTs for authentication. A flaw was discovered where this enforcement can be bypassed. An attacker with valid client credentials can provide a fake, unsigned assertion header that tricks the system into thinking the policy requirements have been met. This allows the attacker to authenticate using simpler methods like a client secret even when the administrator has mandated more secure, signed assertions.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Build of KeycloakRed Hat Data Grid 8Red Hat Single Sign-On 7
CWE ID-CWE-807
Reliance on Untrusted Inputs in a Security Decision
CVE-2026-16089
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.15% / 4.99%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 14:15
Updated-17 Jul, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-services: keycloak-services: authorization codes can be retargeted to another client session

A flaw was found in the keycloak-services component of Red Hat Build of Keycloak. The issue occurs because OAuth 2.0 authorization codes are not properly bound to the client that originally requested them. An attacker who can intercept an authorization code can modify it to be redeemed by their own client, potentially allowing them to obtain access tokens for a victim's identity.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Build of KeycloakRed Hat Data Grid 8Red Hat Single Sign-On 7
CVE-2026-16072
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.24% / 14.63%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 13:40
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-services: keycloak-services: organization invitation link exposure allows unauthorized member creation

A flaw was found in the organization management component of Keycloak. A delegated administrator with permission to manage organizations can create an invitation for a non-existent email address and then retrieve the secret registration link directly through the application programming interface. By using this link, the administrator can create new user accounts and add them to the organization without having the required user management permissions or access to the invited email account. This allows an administrator to bypass security boundaries and add unauthorized members to an organization.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Build of KeycloakRed Hat Data Grid 8Red Hat Single Sign-On 7
CVE-2026-15943
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.21% / 10.88%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 11:49
Updated-17 Jul, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-services: keycloak-services: oidc idp update reuses masked client secret after token url change

A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing real secret even if security-sensitive fields like the token URL have been changed, allowing an attacker to redirect and capture the secret.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Build of KeycloakRed Hat Data Grid 8Red Hat Single Sign-On 7
CWE ID-CWE-1288
Improper Validation of Consistency within Input
CVE-2026-15945
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.13%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 17:36
Updated-17 Jul, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-services: keycloak-services: group hierarchy search discloses hidden parent groups under fgap v2

A flaw was found in the group search functionality of the Keycloak server's administrative API. When Fine-Grained Admin Permissions (FGAP) v2 is enabled, a delegated administrator can bypass access restrictions to view parent groups they are not authorized to see. By searching for a child group they have permission to view, the system incorrectly returns the full details of the parent group in the response, leading to the disclosure of sensitive group attributes and configuration.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Build of KeycloakRed Hat Data Grid 8Red Hat Single Sign-On 7
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-1609
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-8.1||HIGH
EPSS-0.51% / 39.88%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 00:26
Updated-16 Jul, 2026 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Org.keycloak/keycloak-quarkus-server: keycloak: unauthorized access via jwt authorization grant with disabled users

A flaw was found in Keycloak. When the JSON Web Token (JWT) authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper access control vulnerability by presenting a valid assertion token from an external identity provider to obtain a JWT for a disabled user. This allows unauthorized access to sensitive resources.

Action-Not Available
Vendor-KeycloakRed Hat, Inc.
Product-Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Enterprise Application Platform 8KeycloakRed Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Enterprise Application Platform 8
CWE ID-CWE-284
Improper Access Control
CVE-2025-12799
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 15.88%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 16:18
Updated-09 Jul, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jastow: jastow cross-site scripting attack due to unsanitized uri

A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting (XSS) attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9Red Hat JBoss Enterprise Application Platform 7Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 10Red Hat JBoss Enterprise Application Platform 8.1Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Enterprise Application Platform 8
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-14781
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.20% / 9.55%
||
7 Day CHG~0.00%
Published-05 Jul, 2026 | 06:55
Updated-06 Jul, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-services: keycloak-services: oidc email_verified claim incorrectly applied to userinfo email

A flaw exists in the org.keycloak.broker.oidc package where the OIDC broker incorrectly synchronizes the email_verified claim. When an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled, Keycloak retrieves the email address from the userinfo response but retrieves the email_verified status exclusively from the id_token. The root cause is a lack of validation ensuring that the email_verified claim in the id_token actually refers to the email address returned by the userinfo endpoint. If these two sources return different email addresses, the id_token's email_verified=true claim is blindly applied to the userinfo email. Exploitation Conditions: The OIDC identity provider must have trustEmail set to true (non-default). The userinfo endpoint must be enabled (default). The attacker must control or have compromised the upstream OIDC provider. Concrete Impact: Mark arbitrary email addresses as verified in the Keycloak database. Bypass email-based security controls or verification workflows. Potential account takeover if the application relies solely on the email_verified flag from the IdP to link accounts.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Build of KeycloakRed Hat Data Grid 8Red Hat Single Sign-On 7
CWE ID-CWE-1288
Improper Validation of Consistency within Input
CVE-2026-14614
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.15% / 4.30%
||
7 Day CHG~0.00%
Published-03 Jul, 2026 | 15:33
Updated-17 Jul, 2026 | 12:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-services: keycloak-services: fgap v2 client scope assignment bypass via clientresource

A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not authorized to see or manage. As a result, an attacker could inject unauthorized data or permissions into the security tokens issued to end-users, potentially tricking other applications into granting higher levels of access than intended.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Build of KeycloakRed Hat Data Grid 8Red Hat Single Sign-On 7
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-14613
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 6.78%
||
7 Day CHG~0.00%
Published-03 Jul, 2026 | 15:16
Updated-13 Jul, 2026 | 11:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-services: keycloak-services: keycloak: fgap v2 role groups endpoint discloses hidden group metadata without group view permission

A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to see those specific groups. This could allow a restricted administrator to discover "hidden" groups and see their details, such as internal names and custom settings, which might contain sensitive deployment information.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Build of KeycloakRed Hat Data Grid 8Red Hat Single Sign-On 7
CWE ID-CWE-284
Improper Access Control
CVE-2026-14209
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 6.97%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 11:48
Updated-13 Jul, 2026 | 06:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-admin-ui: keycloak-admin-ui:admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions

A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users (but not view their full details) can use a specific "brute-force-user" endpoint to access a user's full profile. This includes sensitive information and security metadata. The issue occurs because the system fails to check if the administrator has the required "view" permission for that specific user when using this particular search path.

Action-Not Available
Vendor-Red Hat, Inc.
Product-build_of_keycloakjboss_enterprise_application_platform_expansion_packRed Hat JBoss Enterprise Application Platform Expansion PackRed Hat Build of Keycloak
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-57915
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-7.3||HIGH
EPSS-0.32% / 24.20%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 12:09
Updated-15 Jul, 2026 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Kerby: Kerberos Pre-Authentication Bypass

It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-Apache KerbyRed Hat Data Grid 8streams for Apache Kafka 3Red Hat AMQ Clientsstreams for Apache Kafka 2Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-304
Missing Critical Step in Authentication
CWE ID-CWE-358
Improperly Implemented Security Check for Standard
CVE-2026-11800
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-8.1||HIGH
EPSS-0.18% / 7.80%
||
7 Day CHG~0.00%
Published-25 Jun, 2026 | 20:57
Updated-15 Jul, 2026 | 02:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Org.keycloak:keycloak-services: keycloak: authentication bypass via jwt algorithm confusion

A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation.

Action-Not Available
Vendor-Red Hat, Inc.
Product-build_of_keycloakRed Hat Data Grid 8Red Hat Build of KeycloakRed Hat build of Keycloak 26.6.4Red Hat Single Sign-On 7Red Hat build of Keycloak 26.6Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Data Grid 8Red Hat Build of KeycloakRed Hat build of Keycloak 26.6.4Red Hat Single Sign-On 7Red Hat build of Keycloak 26.6Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2026-9800
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-8.1||HIGH
EPSS-0.30% / 22.03%
||
7 Day CHG~0.00%
Published-25 Jun, 2026 | 16:16
Updated-15 Jul, 2026 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-policy-enforcer: keycloak policy enforcer: authorization bypass via incorrect uri comparison

A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.

Action-Not Available
Vendor-Red Hat, Inc.
Product-build_of_keycloakRed Hat build of Keycloak 26.6.4Red Hat Satellite 6Red Hat build of Keycloak 26.4Red Hat Single Sign-On 7Red Hat build of Keycloak 26.6Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of QuarkusRed Hat build of Keycloak 26.4.13Red Hat build of Keycloak 26.6.4Red Hat Satellite 6Red Hat build of Keycloak 26.4Red Hat Single Sign-On 7Red Hat build of Keycloak 26.6Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of QuarkusRed Hat build of Keycloak 26.4.13
CWE ID-CWE-1025
Comparison Using Wrong Factors
CVE-2026-11998
Assigner-HeroDevs
ShareView Details
Assigner-HeroDevs
CVSS Score-7.6||HIGH
EPSS-0.34% / 25.96%
||
7 Day CHG~0.00%
Published-24 Jun, 2026 | 20:29
Updated-15 Jul, 2026 | 02:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AngularJS XSS via SCE resource URL sanitization bypass

A flaw in AngularJS' Strict Contextual Escaping (SCE) logic allows bypassing certain SCE policies for resource URLs and can lead to arbitrary JavaScript execution within the context of the victim's browser session. SCE's purpose is to ensure that only trusted or safe values are used in certain security-sensitive contexts, such as resource URLs, including URLs that define executable JavaScript scripts, '<iframe>' documents, route templates, etc. A flaw in the logic that tries to match entire URLs against regular expression matchers can result in partial matches for certain types of regular expressions, effectively bypassing the policies and allowing the use of unsafe values as resource URLs. This issue affects AngularJS versions greater than or equal to 1.2.0-rc.3. Note: The AngularJS project was already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see theĀ  End-of-Life announcement https://docs.angularjs.org/misc/version-support-status .

Action-Not Available
Vendor-Red Hat, Inc.Google LLC
Product-AngularJSRed Hat Enterprise Linux 9Red Hat OpenStack Platform 16.2Red Hat Enterprise Linux 7Red Hat Enterprise Linux 8Red Hat Quay 3Red Hat Fuse 7Red Hat Enterprise Linux 10Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-791
Incomplete Filtering of Special Elements
CVE-2026-54513
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.69% / 48.87%
||
7 Day CHG~0.00%
Published-23 Jun, 2026 | 20:53
Updated-17 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

Action-Not Available
Vendor-Red Hat, Inc.FasterXML, LLC.
Product-jackson-databindjackson-databindOpenShift Developer Tools and ServicesRed Hat Build of KeycloakRed Hat Certificate System 10streams for Apache Kafka 3Red Hat build of Debezium 3Red Hat JBoss Enterprise Application Platform 7Red Hat Satellite 6streams for Apache Kafka 2Red Hat JBoss Enterprise Application Platform 8Red Hat build of QuarkusRed Hat OpenShift AI (RHOAI)Red Hat Build of Apache Camel 4.18 for Quarkus 3.33Red Hat OpenShift Dev SpacesRed Hat AMQ ClientsRed Hat AI Inference ServerRed Hat Enterprise Linux 10Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apicurio Registry 3Red Hat Lightspeed for Runtimes OperatorRed Hat Enterprise Linux AI (RHEL AI) 3Red Hat Enterprise Linux 9Red Hat build of Apache Camel for Spring Boot 4Red Hat Data Grid 8Red Hat Ansible Automation Platform 2Red Hat Enterprise Linux 8Red Hat build of Apache Camel - HawtIO 4OpenShift ServerlessCryostat 4Red Hat Offline Knowledge PortalRed Hat build of Apache Camel 4 for Quarkus 3Red Hat Single Sign-On 7Red Hat AMQ Broker 7
CWE ID-CWE-184
Incomplete List of Disallowed Inputs
CVE-2026-50559
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.46% / 37.24%
||
7 Day CHG~0.00%
Published-19 Jun, 2026 | 20:26
Updated-15 Jul, 2026 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication/Authorization Bypass via Advanced Path Normalization Vulnerabilities

Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.

Action-Not Available
Vendor-quarkusquarkusioRed Hat, Inc.
Product-quarkusquarkusRed Hat Build of KeycloakRed Hat build of Quarkus 3.20.6.SP2Red Hat Fuse 7Streams for Apache Kafka 2.9.4Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apicurio Registry 3Red Hat build of Quarkus 3.33.2.SP1streams for Apache Kafka 3Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1Red Hat build of Debezium 3Red Hat build of Apache Camel - HawtIO 4Cryostat 4OpenShift ServerlessRed Hat build of Quarkus 3.27.4.SP1Red Hat build of Apache Camel 4 for Quarkus 3Red Hat OpenShift Dev Spaces 3.29Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-551
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-48779
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.78% / 51.90%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 21:26
Updated-17 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ws: Memory exhaustion DoS from tiny fragments and data chunks

ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.

Action-Not Available
Vendor-ws_projectwebsocketsRed Hat, Inc.
Product-wswsRed Hat Build of KeycloakRed Hat Quay 3OpenShift PipelinesRed Hat OpenShift Service Mesh 3.3Red Hat OpenShift Service Mesh 3.2Red Hat OpenShift Service Mesh 2.6Red Hat Build of Podman DesktopRed Hat Build of Podman Desktop - Tech PreviewRed Hat Satellite 6Red Hat Discovery 2Red Hat Developer Hub 1.10Cluster Observability Operator 1.5.0Red Hat JBoss Enterprise Application Platform 8Red Hat OpenShift AI (RHOAI)Red Hat Openshift Data Foundation 4.20Self-service automation portal 2Red Hat OpenShift Service Mesh 3.1Red Hat Fuse 7Gatekeeper 3Migration Toolkit for ContainersRed Hat Enterprise Linux 10Red Hat JBoss Enterprise Application Platform Expansion PackNode HealthCheck OperatorRed Hat Trusted Artifact Signer 1.4Red Hat Enterprise Linux AI (RHEL AI) 3Red Hat build of Apache Camel for Spring Boot 4Red Hat Enterprise Linux 9Red Hat Data Grid 8OpenShift Service Mesh 3Red Hat Ansible Automation Platform 2Red Hat Enterprise Linux 8Red Hat build of Apache Camel - HawtIO 4Red Hat OpenShift Service Mesh 3Cryostat 4Red Hat OpenShift Virtualization 4Red Hat Developer Hub 1.9OpenShift LightspeedRed Hat OpenShift Dev Spaces 3.29Red Hat AMQ Broker 7Red Hat Connectivity Link 1Red Hat Hardened ImagesRed Hat OpenShift Container Platform 4
CWE ID-CWE-1050
Excessive Platform Resource Consumption within a Loop
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-12143
Assigner-7ffcee3d-2c14-4c3e-b844-86c6a321a158
ShareView Details
Assigner-7ffcee3d-2c14-4c3e-b844-86c6a321a158
CVSS Score-8.7||HIGH
EPSS-0.41% / 33.13%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 18:01
Updated-17 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
form-data does not escape CR/LF/quote in multipart field names and filenames (CRLF injection)

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.

Action-Not Available
Vendor-form-dataRed Hat, Inc.
Product-form-dataRed Hat Advanced Cluster Security for Kubernetes 4.9Red Hat Openshift Data Foundation 4OpenShift PipelinesRed Hat Quay 3.16Multicluster Engine for KubernetesRed Hat OpenShift Service Mesh 3.3Red Hat OpenShift Service Mesh 3.2Red Hat OpenShift Service Mesh 2.6Red Hat Build of Podman DesktopRed Hat 3scale API Management Platform 2Red Hat JBoss Enterprise Application Platform 7Red Hat Build of Podman Desktop - Tech PreviewRed Hat Satellite 6Red Hat OpenShift GitOpsRed Hat Discovery 2Red Hat Developer Hub 1.10Cluster Observability Operator 1.5.0Red Hat Quay 3.10Red Hat JBoss Enterprise Application Platform 8Network Observability OperatorRed Hat OpenShift AI (RHOAI)Red Hat Enterprise Linux 7Red Hat Trusted Profile AnalyzerRed Hat OpenShift Dev SpacesSelf-service automation portal 2Red Hat OpenShift Service Mesh 3.1Red Hat Advanced Cluster Security for Kubernetes 4.10Red Hat Fuse 7Migration Toolkit for ContainersRed Hat Enterprise Linux 10Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apicurio Registry 3Red Hat Advanced Cluster Management for Kubernetes 2Node HealthCheck OperatorRed Hat Quay 3.9Red Hat Enterprise Linux AI (RHEL AI) 3Red Hat build of Apache Camel for Spring Boot 4Red Hat Enterprise Linux 9Red Hat Data Grid 8OpenShift Service Mesh 3Red Hat Trusted Artifact SignerRed Hat Ansible Automation Platform 2Red Hat Enterprise Linux 8Red Hat build of Apache Camel - HawtIO 4Red Hat OpenShift Service Mesh 3Cryostat 4Red Hat OpenShift Virtualization 4Migration Toolkit for Applications 8Red Hat AMQ Broker 7Red Hat Hardened ImagesRed Hat OpenShift Container Platform 4
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2026-50011
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.38% / 30.26%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 14:52
Updated-15 Jul, 2026 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netty has unbounded pre-allocation in RedisArrayAggregator from RESP array length

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Netty Project
Product-nettynettyRed Hat Data Grid 8Red Hat JBoss Enterprise Application Platform 7Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-50010
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.27% / 18.69%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 14:50
Updated-15 Jul, 2026 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netty's wrapping plain trust manager silently disables hostname verification

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Netty Project
Product-nettynettyRed Hat OpenShift Dev SpacesRed Hat Build of KeycloakRed Hat AMQ ClientsRed Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Red Hat Offline Knowledge Portal 1.2.7Streams for Apache Kafka 2.9.4Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apicurio Registry 3Red Hat build of Quarkus 3.33.2.SP1Red Hat Enterprise Linux AI (RHEL AI) 3Red Hat Data Grid 8streams for Apache Kafka 3Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1Red Hat build of Debezium 3Red Hat build of Apache Camel - HawtIO 4Red Hat JBoss Enterprise Application Platform 7Red Hat Satellite 6Cryostat 4OpenShift ServerlessRed Hat build of Quarkus 3.27.4.SP1Red Hat build of Apache Camel 4 for Quarkus 3Red Hat Single Sign-On 7Red Hat AMQ Broker 7Red Hat JBoss Enterprise Application Platform 8Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2026-48059
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.61% / 45.04%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 14:42
Updated-15 Jul, 2026 | 02:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Netty Project
Product-nettynettyRed Hat Build of KeycloakRed Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Streams for Apache Kafka 2.9.4Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apicurio Registry 3Red Hat build of Quarkus 3.33.2.SP1Red Hat Data Grid 8streams for Apache Kafka 3Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1Red Hat build of Debezium 3Red Hat build of Apache Camel - HawtIO 4Red Hat JBoss Enterprise Application Platform 7Red Hat Satellite 6Cryostat 4OpenShift ServerlessRed Hat build of Quarkus 3.27.4.SP1Red Hat build of Apache Camel 4 for Quarkus 3Red Hat OpenShift Dev Spaces 3.29Red Hat Single Sign-On 7Red Hat AMQ Broker 7Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-1286
Improper Validation of Syntactic Correctness of Input
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CVE-2026-48043
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.59% / 44.46%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 14:39
Updated-15 Jul, 2026 | 02:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion

Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Netty Project
Product-nettynettyRed Hat OpenShift Dev SpacesRed Hat Build of KeycloakRed Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Streams for Apache Kafka 2.9.4Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apicurio Registry 3Red Hat build of Quarkus 3.33.2.SP1Red Hat Enterprise Linux AI (RHEL AI) 3Red Hat Data Grid 8streams for Apache Kafka 3Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1Red Hat build of Debezium 3Red Hat build of Apache Camel - HawtIO 4Red Hat JBoss Enterprise Application Platform 7Cryostat 4OpenShift ServerlessRed Hat build of Quarkus 3.27.4.SP1Red Hat build of Apache Camel 4 for Quarkus 3Red Hat OpenShift Dev Spaces 3.29Red Hat Single Sign-On 7Red Hat AMQ Broker 7Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CWE ID-CWE-772
Missing Release of Resource after Effective Lifetime
CVE-2026-48006
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.50% / 39.49%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 14:36
Updated-15 Jul, 2026 | 02:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (`depths` field) but defines no `channelInactive`, `handlerRemoved`, or `exceptionCaught` method to release them when the pipeline tears down. Because the leaked buffers are slices of `PooledByteBufAllocator` chunks, they prevent those chunks from being returned to the JVM-wide direct-memory pool. Repeated connection churn by any network peer monotonically drains this shared pool, eventually causing allocation failures on all Netty channels in the process. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Netty Project
Product-nettynettyRed Hat Data Grid 8Red Hat JBoss Enterprise Application Platform 7Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CWE ID-CWE-772
Missing Release of Resource after Effective Lifetime
CVE-2026-47691
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.29% / 21.19%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 14:33
Updated-15 Jul, 2026 | 02:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netty has Insufficient Bailiwick Validation for NS Records

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`). In `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add` method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the questionName. Subsequently, the `handleWithAdditional` method caches the associated A records from the ADDITIONAL section directly into the `authoritativeDnsServerCache` under the parent domain's key. This bypasses standard bailiwick rules, where a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under the parent domain's key. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Netty Project
Product-nettynettyRed Hat OpenShift Dev SpacesRed Hat Build of KeycloakRed Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Streams for Apache Kafka 2.9.4Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apicurio Registry 3Red Hat build of Quarkus 3.33.2.SP1Red Hat Enterprise Linux AI (RHEL AI) 3Red Hat Data Grid 8streams for Apache Kafka 3Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1Red Hat build of Debezium 3Red Hat build of Apache Camel - HawtIO 4Red Hat JBoss Enterprise Application Platform 7Cryostat 4OpenShift ServerlessRed Hat build of Quarkus 3.27.4.SP1Red Hat build of Apache Camel 4 for Quarkus 3Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform 8Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CWE ID-CWE-346
Origin Validation Error
CVE-2026-46340
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.38% / 30.26%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 14:19
Updated-15 Jul, 2026 | 02:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netty: SCTP reassembly nests buffers without bound

Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Final and 4.2.15.Final, for each non-complete SctpMessage fragment the handler does `fragments.put(streamId, Unpooled.wrappedBuffer(frag, byteBuf))`, wrapping the previous accumulator and the new slice into a *new* CompositeByteBuf every time. After N fragments the accumulator is an N-deep chain of composites, each holding references and component arrays; readableBytes()/getBytes() on the final buffer recurse N levels. There is no limit on N, on total bytes, or on the number of streamIdentifiers an attacker can open (each gets its own map entry). A peer that never sets the `complete` flag can grow this structure indefinitely from tiny 1-byte DATA chunks. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Netty Project
Product-nettynettyRed Hat Data Grid 8Red Hat JBoss Enterprise Application Platform 7Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Enterprise Linux AI (RHEL AI) 3
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-45674
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.22% / 12.97%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 14:17
Updated-15 Jul, 2026 | 02:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Netty Project
Product-nettynettyRed Hat OpenShift Dev SpacesRed Hat Build of KeycloakRed Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Streams for Apache Kafka 2.9.4Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apicurio Registry 3Red Hat build of Quarkus 3.33.2.SP1Red Hat Enterprise Linux AI (RHEL AI) 3Red Hat Data Grid 8streams for Apache Kafka 3Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1Red Hat build of Debezium 3Red Hat build of Apache Camel - HawtIO 4Red Hat JBoss Enterprise Application Platform 7Cryostat 4OpenShift ServerlessRed Hat build of Quarkus 3.27.4.SP1Red Hat build of Apache Camel 4 for Quarkus 3Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform 8Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CWE ID-CWE-346
Origin Validation Error
CVE-2026-45416
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.46% / 37.09%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 14:10
Updated-15 Jul, 2026 | 02:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates `ctx.alloc().buffer(handshakeLength)` (line 161). The guard at line 140 is `handshakeLength > maxClientHelloLength && maxClientHelloLength != 0`, and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Netty Project
Product-nettynettyRed Hat OpenShift Dev SpacesRed Hat Build of KeycloakRed Hat AMQ ClientsRed Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Red Hat Offline Knowledge Portal 1.2.7Streams for Apache Kafka 2.9.4Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apicurio Registry 3Red Hat build of Quarkus 3.33.2.SP1Red Hat Enterprise Linux AI (RHEL AI) 3Red Hat Data Grid 8streams for Apache Kafka 3Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1Red Hat build of Debezium 3Red Hat build of Apache Camel - HawtIO 4Red Hat JBoss Enterprise Application Platform 7Red Hat Satellite 6Cryostat 4OpenShift ServerlessRed Hat build of Quarkus 3.27.4.SP1Red Hat build of Apache Camel 4 for Quarkus 3Red Hat Single Sign-On 7Red Hat AMQ Broker 7Red Hat JBoss Enterprise Application Platform 8Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-44893
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.59% / 44.46%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 14:00
Updated-15 Jul, 2026 | 02:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length

Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex(), length)` and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Netty Project
Product-nettynettyRed Hat Build of KeycloakRed Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Streams for Apache Kafka 2.9.4Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apicurio Registry 3Red Hat build of Quarkus 3.33.2.SP1Red Hat Data Grid 8streams for Apache Kafka 3Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1Red Hat build of Debezium 3Red Hat build of Apache Camel - HawtIO 4Red Hat JBoss Enterprise Application Platform 7Red Hat Satellite 6Cryostat 4OpenShift ServerlessRed Hat build of Quarkus 3.27.4.SP1Red Hat build of Apache Camel 4 for Quarkus 3Red Hat OpenShift Dev Spaces 3.29Red Hat Single Sign-On 7Red Hat AMQ Broker 7Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-703
Improper Check or Handling of Exceptional Conditions
CWE ID-CWE-805
Buffer Access with Incorrect Length Value
CVE-2026-50633
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-8.1||HIGH
EPSS-0.83% / 53.46%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 09:02
Updated-15 Jul, 2026 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CXF: JNDI Injection vulnerability in DispatchMDBMessageListenerImpl

A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters.Ā Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-cxfApache CXFRed Hat Fuse 7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-50632
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-8.1||HIGH
EPSS-0.65% / 46.87%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 09:00
Updated-15 Jul, 2026 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory

A further incomplete fix forĀ a previous advisory CVE-2026-44417Ā (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-cxfApache CXFRed Hat JBoss Enterprise Application Platform 7Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Enterprise Application Platform 8
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-50628
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.67% / 47.77%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 08:56
Updated-15 Jul, 2026 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control

A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check.Ā Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-cxfApache CXFRed Hat Fuse 7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Web Server 5Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-358
Improperly Implemented Security Check for Standard
CVE-2026-50627
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-9.1||CRITICAL
EPSS-0.45% / 36.02%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 08:55
Updated-15 Jul, 2026 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks.Ā Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-cxfApache CXFRed Hat Fuse 7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Web Server 5Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16
CWE ID-CWE-289
Authentication Bypass by Alternate Name
CWE ID-CWE-303
Incorrect Implementation of Authentication Algorithm
CVE-2026-49875
Assigner-Apache Software Foundation
ShareView Details
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-0.53% / 41.07%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 08:54
Updated-15 Jul, 2026 | 02:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution.Ā Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-cxfApache CXFRed Hat Build of Apache Camel 4.18 for Quarkus 3.33Red Hat JBoss Enterprise Application Platform 7Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Red Hat JBoss Web Server 5Red Hat build of Apache Camel 4 for Quarkus 3Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Enterprise Application Platform 8
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2026-44890
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.38% / 30.26%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 20:52
Updated-15 Jul, 2026 | 02:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netty has Unbounded Direct Memory Consumption in its RedisDecoder

Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\r\n`. This exhausts the server's direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Netty Project
Product-nettynettyRed Hat Data Grid 8Red Hat JBoss Enterprise Application Platform 7Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-44250
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.38% / 30.26%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 20:49
Updated-15 Jul, 2026 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netty: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays

Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Netty Project
Product-nettynettyRed Hat Data Grid 8Red Hat JBoss Enterprise Application Platform 7Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-44249
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.57% / 43.52%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 20:46
Updated-15 Jul, 2026 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking

Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Netty Project
Product-nettynettyRed Hat OpenShift Dev SpacesRed Hat Build of KeycloakRed Hat AMQ ClientsRed Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Red Hat Offline Knowledge Portal 1.2.7Streams for Apache Kafka 2.9.4Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apicurio Registry 3Red Hat build of Quarkus 3.33.2.SP1Red Hat Enterprise Linux AI (RHEL AI) 3Red Hat Data Grid 8streams for Apache Kafka 3Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1Red Hat build of Debezium 3Red Hat build of Apache Camel - HawtIO 4Red Hat JBoss Enterprise Application Platform 7Red Hat Satellite 6Cryostat 4OpenShift ServerlessRed Hat build of Quarkus 3.27.4.SP1Red Hat build of Apache Camel 4 for Quarkus 3Red Hat OpenShift Dev Spaces 3.29Red Hat Single Sign-On 7Red Hat AMQ Broker 7Red Hat JBoss Enterprise Application Platform 8Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-697
Incorrect Comparison
CVE-2026-11986
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.20% / 10.06%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 16:47
Updated-11 Jun, 2026 | 20:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of keycloak

A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Build of KeycloakRed Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-425
Direct Request ('Forced Browsing')
CVE-2026-46625
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.43% / 35.03%
||
7 Day CHG~0.00%
Published-10 Jun, 2026 | 21:18
Updated-15 Jul, 2026 | 02:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection

JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7.

Action-Not Available
Vendor-js-cookieRed Hat, Inc.
Product-js-cookieSelf-service automation portal 2Red Hat Advanced Cluster Security for Kubernetes 4.10Red Hat Enterprise Linux 10Red Hat Developer HubRed Hat JBoss Enterprise Application Platform Expansion PackRed Hat OpenShift Service Mesh 3.3Red Hat Enterprise Linux 9Red Hat Ansible Automation Platform 2Red Hat Enterprise Linux 8Red Hat 3scale API Management Platform 2Cryostat 4Red Hat JBoss Enterprise Application Platform 7OpenShift LightspeedRed Hat Discovery 2Red Hat JBoss Enterprise Application Platform 8Red Hat OpenShift AI (RHOAI)Red Hat OpenShift Container Platform 4
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE ID-CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVE-2026-41731
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-8.1||HIGH
EPSS-0.51% / 40.08%
||
7 Day CHG+0.02%
Published-09 Jun, 2026 | 23:49
Updated-17 Jul, 2026 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Action-Not Available
Vendor-VMware (Broadcom Inc.)Red Hat, Inc.
Product-spring_for_apache_kafkafusejboss_enterprise_application_platform_expansion_packSpring for Apache KafkaRed Hat Fuse 7Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-71319
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.64% / 46.60%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 19:57
Updated-15 Jul, 2026 | 02:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
image-size 2.0.2 Denial of Service via Infinite Loop in JXL/HEIF Parser

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application.

Action-Not Available
Vendor-image-sizeimage-sizeRed Hat, Inc.
Product-image-sizeimage-sizeRed Hat Enterprise Linux 7Red Hat OpenShift Dev SpacesRed Hat Enterprise Linux 8Red Hat Build of Podman DesktopRed Hat JBoss Enterprise Application Platform 7Red Hat Satellite 6Red Hat Discovery 2Red Hat Fuse 7Gatekeeper 3Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Enterprise Application Platform 8Red Hat OpenShift AI (RHOAI)Red Hat Trusted Artifact Signer 1.4
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2026-40984
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-7.5||HIGH
EPSS-0.62% / 45.85%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 03:47
Updated-17 Jul, 2026 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Micrometer HTTP server instrumentations DoS vulnerability

In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Affected versions: micrometer-core 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17. micrometer-jetty11 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18. micrometer-jetty12 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.

Action-Not Available
Vendor-VMware (Broadcom Inc.)Red Hat, Inc.
Product-MicrometerRed Hat Build of Apache Camel 4.18 for Quarkus 3.33Red Hat OpenShift Dev SpacesRed Hat Build of KeycloakRed Hat Process Automation 7Red Hat AMQ ClientsRed Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apicurio Registry 3Red Hat Data Grid 8streams for Apache Kafka 3Red Hat build of Debezium 3Red Hat build of Apache Camel - HawtIO 4streams for Apache Kafka 2Red Hat build of Apache Camel 4 for Quarkus 3Red Hat build of OptaPlanner 8Red Hat AMQ Broker 7Red Hat build of QuarkusRed Hat OpenShift AI (RHOAI)
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-40983
Assigner-VMware by Broadcom
ShareView Details
Assigner-VMware by Broadcom
CVSS Score-7.5||HIGH
EPSS-0.47% / 37.94%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 03:46
Updated-15 Jul, 2026 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Micrometer gRPC server instrumentation DoS vulnerability

In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition. Affected versions: Micrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.

Action-Not Available
Vendor-Red Hat, Inc.VMware (Broadcom Inc.)
Product-MicrometerRed Hat Build of Apache Camel 4.18 for Quarkus 3.33Red Hat OpenShift Dev SpacesRed Hat Build of KeycloakRed Hat AMQ ClientsRed Hat Fuse 7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apicurio Registry 3Red Hat build of Apache Camel for Spring Boot 4Red Hat Data Grid 8streams for Apache Kafka 3Red Hat build of Debezium 3Red Hat build of Apache Camel - HawtIO 4Red Hat Satellite 6streams for Apache Kafka 2Red Hat build of Apache Camel 4 for Quarkus 3Red Hat AMQ Broker 7Red Hat build of QuarkusRed Hat OpenShift AI (RHOAI)
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-11577
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-Not Assigned
EPSS-0.33% / 24.81%
||
7 Day CHG+0.01%
Published-08 Jun, 2026 | 11:44
Updated-03 Jul, 2026 | 10:16
Rejected-03 Jul, 2026 | 09:01
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is intended to be equivalent in administrative authority to realm-admin. A user with manage-realm already has full administrative control over the realm. Therefore, importing users with realm-admin role mappings through POST /admin/realms/{realm}/partialImport does not grant any additional privileges beyond those already held by the administrator and does not represent a security vulnerability.

Action-Not Available
Vendor-Red Hat, Inc.
Product-
CVE-2026-10805
Assigner-Red Hat, Inc.
ShareView Details
Assigner-Red Hat, Inc.
CVSS Score-6.7||MEDIUM
EPSS-0.12% / 1.99%
||
7 Day CHG~0.00%
Published-04 Jun, 2026 | 05:21
Updated-02 Jul, 2026 | 06:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Networkmanager: networkmanager: local privilege escalation via malformed mud urls in dhclient backend

A flaw was found in NetworkManager. This local privilege escalation vulnerability exists in NetworkManager's dhclient backend when processing malformed Manufacturer Usage Description (MUD) URLs. A local user can exploit this flaw to escalate privileges by triggering a script via a crafted MUD URL, provided an administrator has explicitly configured NetworkManager to use dhclient. This issue does not affect default configurations of NetworkManager.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Enterprise Linux 9Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Enterprise Linux 7Red Hat Enterprise Linux 6Red Hat Enterprise Linux 8Red Hat Enterprise Linux 10Multicluster Engine for KubernetesRed Hat OpenShift Container Platform 4
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-52011
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.52% / 40.79%
||
7 Day CHG~0.00%
Published-01 Jun, 2026 | 17:17
Updated-15 Jul, 2026 | 02:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
launch-editor vulnerable to command injection via the crafted request on Windows

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.

Action-Not Available
Vendor-vitejsRed Hat, Inc.
Product-launch-editorviteOpenShift Service Mesh 2Self-service automation portal 2Red Hat OpenShift Dev SpacesRed Hat Build of KeycloakRed Hat Quay 3Migration Toolkit for ContainersRed Hat Developer HubOpenShift PipelinesRed Hat JBoss Enterprise Application Platform Expansion PackNode HealthCheck OperatorRed Hat Enterprise Linux AI (RHEL AI) 3Red Hat Data Grid 8OpenShift Service Mesh 3Red Hat Ansible Automation Platform 2Red Hat Build of Podman DesktopRed Hat build of Apache Camel - HawtIO 4Cryostat 4Red Hat Build of Podman Desktop - Tech PreviewRed Hat OpenShift Virtualization 4Red Hat Discovery 2OpenShift LightspeedCluster Observability Operator 1.5.0Red Hat AMQ Broker 7Red Hat JBoss Enterprise Application Platform 8Red Hat OpenShift AI (RHOAI)Red Hat OpenShift Container Platform 4
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next