Red Hat Offline Knowledge Portal

Source - ADP
CNA CVEs - 0
ADP CVEs - 6
CISA CVEs - 0
NVD CVEs - 0
6 Vulnerabilities found

CVE-2026-54513
Assigner - GitHub, Inc.
CVSS Score - 8.1 (HIGH)
EPSS - 0.68% / 47.75% (7 Day CHG +0.08%)
Published - 23 Jun, 2026 | 20:53
Updated - 03 Jul, 2026 | 13:17
Rejected - Not Available
Known To Be Used In Ransomware Campaigns? - Not Available
KEV Added - Not Available
KEV Action Due Date - Not Available
jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

Action - Not Available
Vendor - Red Hat, Inc.; FasterXML, LLC.
Product - jackson-databind; OpenShift Developer Tools and Services; Red Hat OpenShift Dev Spaces; Red Hat Build of Keycloak; Red Hat Certificate System 10; Red Hat AMQ Clients; Red Hat AI Inference Server; Red Hat AMQ Broker 7; Red Hat Enterprise Linux 10; Red Hat JBoss Enterprise Application Platform Expansion Pack; Red Hat build of Apicurio Registry 3; Red Hat Lightspeed for Runtimes Operator; Red Hat Enterprise Linux AI (RHEL AI) 3; Red Hat build of Apache Camel for Spring Boot 4; Red Hat Enterprise Linux 9; Red Hat Data Grid 8; streams for Apache Kafka 3; Red Hat build of Debezium 3; Red Hat Enterprise Linux 8; Red Hat Ansible Automation Platform 2; Red Hat build of Apache Camel - HawtIO 4; Red Hat JBoss Enterprise Application Platform 7; Red Hat Satellite 6; Cryostat 4; streams for Apache Kafka 2; OpenShift Serverless; Red Hat build of Apache Camel 4 for Quarkus 3; Red Hat Single Sign-On 7; Red Hat Offline Knowledge Portal; Red Hat JBoss Enterprise Application Platform 8; Red Hat build of Quarkus; Red Hat OpenShift AI (RHOAI)
CWE ID - CWE-184 (Incomplete List of Disallowed Inputs)
CVE-2026-40542
Assigner - Apache Software Foundation
CVSS Score - 7.3 (HIGH)
EPSS - 0.46% / 36.41% (7 Day CHG -0.11%)
Published - 22 Apr, 2026 | 07:07
Updated - 30 Jun, 2026 | 03:19
Rejected - Not Available
Known To Be Used In Ransomware Campaigns? - Not Available
KEV Added - Not Available
KEV Action Due Date - Not Available
Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification

Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.

Action - Not Available
Vendor - The Apache Software Foundation; Red Hat, Inc.
Product - httpclient; Apache HttpClient; Red Hat OpenShift AI (RHOAI); Red Hat build of Quarkus; Red Hat AMQ Broker 7; Red Hat Enterprise Linux 10; Cryostat 4; streams for Apache Kafka 2; Red Hat AMQ Clients; Red Hat build of Apicurio Registry 3; Red Hat Single Sign-On 7; Red Hat build of Apache Camel 4 for Quarkus 3; Red Hat JBoss Web Server 6; Red Hat Process Automation 7; Red Hat Lightspeed for Runtimes Operator; Red Hat Satellite 6; OpenShift Developer Tools and Services; Red Hat JBoss Enterprise Application Platform Expansion Pack; Migration Toolkit for Applications 8; Red Hat build of Apache Camel - HawtIO 4; Red Hat Certificate System 10; Red Hat build of Apicurio Registry 2; Red Hat Data Grid 8; Red Hat JBoss Enterprise Application Platform 7; Red Hat build of Debezium 3; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 9; Red Hat JBoss Core Services; Red Hat build of Apache Camel for Spring Boot 4; Red Hat Fuse 7; Red Hat build of OptaPlanner 8; Red Hat JBoss Web Server 5; Red Hat Offline Knowledge Portal; streams for Apache Kafka 3; Red Hat OpenShift Dev Spaces; Red Hat Enterprise Linux 8; Red Hat JBoss Enterprise Application Platform 8; OpenShift Serverless
CWE ID - CWE-304 (Missing Critical Step in Authentication)
CWE ID - CWE-325 (Missing Cryptographic Step)
CVE-2026-24308
Assigner - Apache Software Foundation
CVSS Score - 6.5 (MEDIUM)
EPSS - 1.15% / 62.86% (7 Day CHG +0.04%)
Published - 07 Mar, 2026 | 08:51
Updated - 03 Jul, 2026 | 13:17
Rejected - Not Available
Known To Be Used In Ransomware Campaigns? - Not Available
KEV Added - Not Available
KEV Action Due Date - Not Available
Apache ZooKeeper: Sensitive information disclosure in client configuration handling

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in the client configuration in the client's log file. Configuration values are written at INFO log level, so production systems are potentially affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fix this issue.

Action - Not Available
Vendor - Red Hat, Inc.; The Apache Software Foundation
Product - zookeeper; Apache ZooKeeper; Red Hat build of Debezium 2; Red Hat Fuse 7; Red Hat AMQ Broker 7.12.7; Streams for Apache Kafka 2.9.4; Red Hat JBoss Enterprise Application Platform Expansion Pack; Red Hat build of Apache Camel for Spring Boot 4; Red Hat Data Grid 8; streams for Apache Kafka 3; Red Hat build of Debezium 3; Red Hat JBoss Enterprise Application Platform 7; Red Hat AMQ Broker 7.14.0; Red Hat AMQ Broker 7.13.5; Red Hat OpenShift AI 2.25; Red Hat Offline Knowledge Portal; Red Hat JBoss Enterprise Application Platform 8; Red Hat OpenShift AI (RHOAI)
CWE ID - CWE-117 (Improper Output Neutralization for Logs)
CWE ID - CWE-532 (Insertion of Sensitive Information into Log File)
CVE-2026-24281
Assigner - Apache Software Foundation
CVSS Score - 5.9 (MEDIUM)
EPSS - 0.62% / 45.17% (7 Day CHG +0.31%)
Published - 07 Mar, 2026 | 08:50
Updated - 03 Jul, 2026 | 13:17
Rejected - Not Available
Known To Be Used In Ransomware Campaigns? - Not Available
KEV Added - Not Available
KEV Action Due Date - Not Available
Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. Note that the attacker must present a certificate that is trusted by ZKTrustManager, which makes this attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fix this issue by introducing a new configuration option to disable reverse DNS lookup in the client and quorum protocols.

Action - Not Available
Vendor - Red Hat, Inc.; The Apache Software Foundation
Product - zookeeper; Apache ZooKeeper; Red Hat build of Debezium 2; Red Hat Fuse 7; Red Hat AMQ Broker 7.12.7; Streams for Apache Kafka 2.9.4; Red Hat JBoss Enterprise Application Platform Expansion Pack; Red Hat build of Apache Camel for Spring Boot 4; Red Hat Data Grid 8; streams for Apache Kafka 3; Red Hat build of Debezium 3; Red Hat JBoss Enterprise Application Platform 7; Red Hat AMQ Broker 7.14.0; Red Hat AMQ Broker 7.13.5; Red Hat OpenShift AI 2.25; Red Hat Offline Knowledge Portal; Red Hat JBoss Enterprise Application Platform 8; Red Hat OpenShift AI (RHOAI)
CWE ID - CWE-295 (Improper Certificate Validation)
CWE ID - CWE-350 (Reliance on Reverse DNS Resolution for a Security-Critical Action)
CVE-2026-1605
Assigner - Eclipse Foundation
CVSS Score - 7.5 (HIGH)
EPSS - 0.62% / 45.55% (7 Day CHG +0.26%)
Published - 05 Mar, 2026 | 09:39
Updated - 30 Jun, 2026 | 12:07
Rejected - Not Available
Known To Be Used In Ransomware Campaigns? - Not Available
KEV Added - Not Available
KEV Action Due Date - Not Available

In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, the GzipHandler class is vulnerable when a compressed HTTP request (Content-Encoding: gzip) is processed and the corresponding response is not compressed. A JDK Inflater is allocated to decompress the request, but it is never released, because the release mechanism is tied to compressing the response. Since the response is not compressed in this case, the release mechanism does not trigger and the Inflater leaks.

Action - Not Available
Vendor - Eclipse Foundation AISBL; Red Hat, Inc.
Product - jetty; Eclipse Jetty; Red Hat AMQ Broker 7.14.0; Red Hat build of Apicurio Registry 2; Red Hat Data Grid 8; Red Hat JBoss Enterprise Application Platform 7; Red Hat build of Debezium 3; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 9; Red Hat build of Apache Camel for Spring Boot 4; Red Hat Fuse 7; Red Hat build of Debezium 2; streams for Apache Kafka 2; HawtIO HawtIO 4.4.0; Red Hat JBoss EAP 8.1 for RHEL 9; Red Hat JBoss Enterprise Application Platform 8.1; Red Hat Offline Knowledge Portal; Red Hat build of Apicurio Registry 3; Red Hat Single Sign-On 7; streams for Apache Kafka 3; Red Hat JBoss EAP 8.1 for RHEL 8; Red Hat JBoss Web Server 6; Red Hat Process Automation 7; Red Hat Satellite 6; Red Hat Enterprise Linux 8; Red Hat OpenShift Dev Spaces 3.28; OpenShift Developer Tools and Services; Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID - CWE-400 (Uncontrolled Resource Consumption)
CWE ID - CWE-401 (Missing Release of Memory after Effective Lifetime)
CWE ID - CWE-772 (Missing Release of Resource after Effective Lifetime)
CVE-2026-21441
Assigner - GitHub, Inc.
CVSS Score - 8.9 (HIGH)
EPSS - 2.67% / 83.89% (7 Day CHG +1.99%)
Published - 07 Jan, 2026 | 22:09
Updated - 03 Jul, 2026 | 13:16
Rejected - Not Available
Known To Be Used In Ransomware Campaigns? - Not Available
KEV Added - Not Available
KEV Action Due Date - Not Available
urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` and do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode the content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted sources.

Action - Not Available
Vendor - urllib3; Red Hat, Inc.; Python Software Foundation
Product - urllib3; Red Hat Ceph Storage 7.1; Red Hat Enterprise Linux AppStream E4S (v.9.2); Red Hat Enterprise Linux Resilient Storage EUS (v.9.4); Multiarch Tuning Operator; Red Hat OpenShift Dev Spaces (RHOSDS) 3.26; Red Hat Quay 3.16; Red Hat Ansible Automation Platform 2.4; cert-manager operator for Red Hat OpenShift 1.18; Multicluster Engine for Kubernetes; OpenShift API for Data Protection 1.3; Red Hat Enterprise Linux BaseOS E4S (v.8.6); Red Hat Ansible Automation Platform 2.5; Red Hat Satellite 6.17 for RHEL 9; Red Hat Enterprise Linux BaseOS EUS (v.9.4); Multicluster Global Hub 1.5.4; Red Hat OpenShift GitOps; Red Hat Discovery 2; Red Hat Quay 3.13; Red Hat Quay 3.10; Migration Toolkit for Virtualization; Red Hat Enterprise Linux BaseOS (v. 8); Red Hat OpenStack Platform 18.0; Migration Toolkit for Containers; Red Hat Enterprise Linux AppStream E4S (v.8.8); Red Hat Advanced Cluster Management for Kubernetes 2; Node HealthCheck Operator; Red Hat Enterprise Linux 9; Red Hat Satellite 6.18 for RHEL 9; Red Hat Enterprise Linux BaseOS E4S (v.8.8); Red Hat Enterprise Linux ResilientStorage (v. 8); Red Hat Enterprise Linux 8; Red Hat OpenShift GitOps 1.17; Red Hat Ceph Storage 9; Red Hat Quay 3.14; Red Hat OpenShift AI 2.25; Red Hat Enterprise Linux BaseOS AUS (v.8.4); Red Hat Trusted Artifact Signer 1.2; OpenShift Developer Tools and Services; Red Hat OpenStack Platform 16.2; Red Hat Enterprise Linux AppStream AUS (v.8.6); Red Hat Advanced Cluster Management for Kubernetes 2.15; RHUI 4 for RHEL 8; Red Hat Enterprise Linux High Availability EUS (v.9.4); Zero Trust Workload Identity Manager 1; OpenShift Pipelines; Red Hat Advanced Cluster Management for Kubernetes 2.14; Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4); Red Hat Trusted Artifact Signer 1.3; Red Hat AI Inference Server 3.2; Red Hat Ceph Storage 8; Red Hat Quay 3.15; Red Hat Enterprise Linux HighAvailability (v. 8); Red Hat OpenShift Dev Spaces; Red Hat Enterprise Linux AppStream TUS (v.8.6); Red Hat AI Inference Server; Red Hat Enterprise Linux BaseOS TUS (v.8.8); Self Node Remediation Operator; Network Observability (NETOBSERV) 1.11.2; Fence Agents Remediation Operator; Red Hat Satellite 6.16 for RHEL 8; Red Hat Satellite 6.16 for RHEL 9; Red Hat build of Quarkus Native builder; Red Hat Enterprise Linux High Availability TUS (v.8.8); Red Hat Update Infrastructure 5; Red Hat Advanced Cluster Security for Kubernetes 4.8; Red Hat Enterprise Linux Resilient Storage E4S (v.9.2); Red Hat OpenShift Container Platform 4; Red Hat Openshift Data Foundation 4; Zero Trust Workload Identity Manager - Tech Preview; Red Hat Enterprise Linux High Availability E4S (v.8.6); Red Hat Quay 3; Red Hat Enterprise Linux HighAvailability EUS EXTENSION (v.8.4); Service Telemetry Framework 1.5; Red Hat OpenShift GitOps 1.18; Red Hat Developer Hub; Red Hat Enterprise Linux BaseOS E4S (v.9.2); Red Hat Enterprise Linux BaseOS EUS (v.9.6); External Secrets Operator for Red Hat OpenShift; Red Hat Enterprise Linux BaseOS E4S (v.9.0); Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 10; Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4); Red Hat Enterprise Linux AppStream (v. 8); Red Hat Enterprise Linux BaseOS EUS (v. 10.0); Red Hat OpenShift AI 3.3; OpenShift Service Mesh 3; Red Hat Ansible Automation Platform 2; Red Hat Enterprise Linux ResilientStorage E4S (v.9.0); OpenShift Serverless; Red Hat Enterprise Linux High Availability E4S (v.9.2); Red Hat Quay 3.12; OpenShift Lightspeed; Red Hat Enterprise Linux AppStream TUS (v.8.8); Red Hat Ansible Automation Platform 2.6; Red Hat Enterprise Linux AppStream EUS (v.9.4); Red Hat Enterprise Linux High Availability TUS (v.8.6); Red Hat Enterprise Linux BaseOS TUS (v.8.6); Red Hat Ansible Automation Platform Ansible Core 2; Red Hat Advanced Cluster Security for Kubernetes 4.9; Red Hat Enterprise Linux AppStream EUS (v.9.6); external secrets operator for Red Hat OpenShift - Tech Preview; Red Hat Satellite 6.18; OpenShift API for Data Protection; Red Hat Enterprise Linux Server HighAvailability (v. 7 ELS); Red Hat Certification Program for Red Hat Enterprise Linux 9; Red Hat Enterprise Linux BaseOS (v. 10); Red Hat OpenShift Update Service; Red Hat Enterprise Linux High Availability E4S (v.9.0); Red Hat Satellite 6; Red Hat Enterprise Linux AppStream (v. 9); Red Hat Enterprise Linux High Availability E4S (v.8.8); Red Hat OpenShift AI (RHOAI); Dynamic Accelerator Slicer Operator for Red Hat OpenShift; Red Hat Enterprise Linux High Availability AUS (v.8.4); Confidential Compute Attestation; Red Hat Edge Manager preview; OpenShift Service Mesh 2; Red Hat Enterprise Linux AppStream E4S (v.8.6); Red Hat Enterprise Linux AppStream E4S (v.9.0); Red Hat Enterprise Linux BaseOS (v. 9); mirror registry for Red Hat OpenShift 2.0; Logging Subsystem for Red Hat OpenShift; Red Hat Enterprise Linux AI (RHEL AI) 3; Red Hat OpenStack Platform 13 (Queens); Red Hat Enterprise Linux Server ResilientStorage (v. 7 ELS); Red Hat OpenShift GitOps 1.19; Red Hat OpenStack Platform 17.1; Red Hat Enterprise Linux BaseOS AUS (v. 8.2); Assisted Installer for Red Hat OpenShift Container Platform 2; Red Hat Enterprise Linux AppStream AUS (v.8.4); Red Hat Offline Knowledge Portal; Red Hat Connectivity Link 1; Red Hat Enterprise Linux BaseOS AUS (v.8.6); Multicluster Global Hub 1.4.5
CWE ID - CWE-409 (Improper Handling of Highly Compressed Data (Data Amplification))