Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Red Hat OpenShift GitOps 1.19

Source -

ADP

CNA CVEs -

0

ADP CVEs -

8

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
8Vulnerabilities found

CVE-2026-42880
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.51% / 39.45%
||
7 Day CHG+0.13%
Published-07 May, 2026 | 22:20
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Action-Not Available
Vendor-argoprojargoprojRed Hat, Inc.
Product-argo_cdargo-cdRed Hat OpenShift GitOps 1.2Red Hat OpenShift GitOps 1.19Red Hat Openshift Data Foundation 4Red Hat OpenShift GitOps
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CWE ID-CWE-212
Improper Removal of Sensitive Information Before Storage or Transfer
CVE-2026-4800
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
ShareView Details
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
CVSS Score-8.1||HIGH
EPSS-1.74% / 74.89%
||
7 Day CHG+0.71%
Published-31 Mar, 2026 | 19:25
Updated-03 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
lodash vulnerable to Code Injection via `_.template` imports key names

Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function(). Patches: Users should upgrade to version 4.18.0. Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Action-Not Available
Vendor-lodashlodashRed Hat, Inc.
Product-lodash-eslodashlodash-amdlodash.templatelodash-eslodashlodash-amdlodash.templateRed Hat Developer Hub 1.8Red Hat Directory Server 13Cryostat 4 on RHEL 9Red Hat Enterprise Linux High Availability (v. 10)Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat build of Apicurio Registry 2Red Hat Enterprise Linux High Availability E4S (v.8.6)Red Hat Quay 3Red Hat Enterprise Linux HighAvailability EUS EXTENSION (v.8.4)Red Hat OpenShift distributed tracing 3.9.3Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)Red Hat OpenShift GitOps 1.18Red Hat Directory Server 11Red Hat Directory Server 12Red Hat Developer HubMulticluster Engine for KubernetesRed Hat OpenShift Service Mesh 3.3Red Hat OpenShift Service Mesh 3.0Red Hat OpenShift Service Mesh 3.2Red Hat OpenShift Container Platform 4.22Red Hat OpenShift Service Mesh 2.6Red Hat Ansible Automation Platform 2.5Red Hat Build of Podman DesktopRed Hat 3scale API Management Platform 2Red Hat OpenShift GitOpsRed Hat Discovery 2Red Hat JBoss Enterprise Application Platform 8Self-service automation portal 2Red Hat Trusted Profile AnalyzerRed Hat Enterprise Linux 7Red Hat OpenShift Container Platform 4.17Red Hat OpenShift Service Mesh 3.1Red Hat Fuse 7Red Hat Enterprise Linux High Availability (v. 9)Red Hat Openshift Data Foundation 4.16Gatekeeper 3Migration Toolkit for ContainersRed Hat Enterprise Linux 10Streams for Apache Kafka 2.9.4Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat OpenShift AI 3.3Red Hat Advanced Cluster Management for Kubernetes 2Node HealthCheck OperatorRed Hat Enterprise Linux 9OpenShift Service Mesh 3Red Hat Trusted Artifact SignerRed Hat Enterprise Linux 8Red Hat Ansible Automation Platform 2Red Hat build of Apache Camel - HawtIO 4Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)Red Hat Advanced Cluster Security 4Red Hat Enterprise Linux High Availability E4S (v.9.2)Migration Toolkit for Applications 8Red Hat Developer Hub 1.9OpenShift LightspeedRed Hat Ansible Automation Platform 2.6Red Hat OpenShift AI 2.25Red Hat Enterprise Linux High Availability TUS (v.8.6)Red Hat Enterprise Linux High Availability EUS (v. 10.0)Red Hat Build of KeycloakRed Hat Process Automation 7Red Hat Enterprise Linux High Availability EUS (v.9.4)Red Hat Enterprise Linux AppStream (v. 10)Red Hat Satellite 6.18OpenShift PipelinesRed Hat Openshift Data Foundation 4.19Red Hat Trusted Artifact Signer 1.3Migration Toolkit for Virtualization 2.9Red Hat Openshift Data Foundation 4.2Migration Toolkit for Virtualization 2.1Streams for Apache Kafka 3.2.0Red Hat JBoss Enterprise Application Platform 7Red Hat Enterprise Linux High Availability E4S (v.9.0)Red Hat Openshift Data Foundation 4.18Red Hat Satellite 6Red Hat Data Grid 8.6.1Red Hat Ansible Automation Platform 2.6 for RHEL 10Red Hat Enterprise Linux High Availability EUS (v.9.6)Cluster Observability Operator 1.5.0Red Hat Enterprise Linux High Availability E4S (v.8.8)Red Hat OpenShift AI (RHOAI)Red Hat Enterprise Linux High Availability AUS (v.8.4)Confidential Compute AttestationRed Hat Edge Manager 1Network Observability (NETOBSERV) 1.11.2Red Hat OpenShift Container Platform 4.18Red Hat Enterprise Linux Resilient Storage (v. 9)Red Hat build of Apicurio Registry 3Red Hat OpenShift Container Platform 4.19Red Hat Enterprise Linux Resilient Storage EUS (v.9.6)Logging Subsystem for Red Hat OpenShiftRed Hat Enterprise Linux AI (RHEL AI) 3Red Hat Enterprise Linux High Availability TUS (v.8.8)Red Hat Openshift Data Foundation 4.17Red Hat OpenShift Dev Spaces 3.27Cryostat 4Red Hat OpenShift Virtualization 4Red Hat OpenShift GitOps 1.19Red Hat OpenShift Container Platform 4.20Red Hat Single Sign-On 7Red Hat Connectivity Link 1Red Hat Enterprise Linux Resilient Storage E4S (v.9.2)Red Hat OpenShift Container Platform 4
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-33487
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.30% / 21.58%
||
7 Day CHG+0.12%
Published-26 Mar, 2026 | 17:17
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
goxmldsig has validateSignature Loop Variable Capture Signature Bypass

goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop. goxmlsig version 1.6.0 contains a patch.

Action-Not Available
Vendor-goxmldsig_projectrussellhaeringRed Hat, Inc.
Product-goxmldsiggoxmldsigRed Hat OpenShift GitOps 1.18Multicluster Global Hub 1.3.4Multicluster Global Hub 1.5.4Multicluster Global Hub 1.4.5Red Hat Advanced Cluster Security 4Red Hat Enterprise Linux 9Red Hat OpenShift GitOps 1.19Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Advanced Cluster Management for Kubernetes 2.15Multicluster Global Hub 1.6.2
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CWE ID-CWE-682
Incorrect Calculation
CVE-2026-33186
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-1.56% / 72.16%
||
7 Day CHG+1.03%
Published-20 Mar, 2026 | 22:23
Updated-03 Jul, 2026 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
gRPC-Go has an authorization bypass via missing leading slash in :path

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

Action-Not Available
Vendor-grpcgrpcRed Hat, Inc.
Product-grpcgrpc-goCryostat 4 on RHEL 9Red Hat OpenShift distributed tracing 3.9.3Red Hat Container Native Virtualization 4.20Red Hat Quay 3.16Multicluster Engine for KubernetesRed Hat OpenShift Service Mesh 3.3Deployment Validation OperatorRed Hat OpenShift Service Mesh 3.0Red Hat OpenShift Builds 1.6.5Red Hat OpenShift Service Mesh 2.6Multicluster Global Hub 1.5.4Red Hat 3scale API Management Platform 2Red Hat Build of Podman Desktop - Tech PreviewRed Hat OpenShift GitOpsRed Hat OpenShift Container Platform 4.12Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)Red Hat Quay 3.10Red Hat Web Terminal 1.15Migration Toolkit for VirtualizationRed Hat OpenShift Cluster Manager CLIRed Hat Trusted Profile AnalyzerRed Hat OpenStack Platform 18.0Red Hat OpenShift Container Platform 4.17Red Hat Container Native Virtualization 4.21Red Hat OpenShift Service Mesh 3.1Red Hat Advanced Cluster Security for Kubernetes 4.10Migration Toolkit for ContainersKube Descheduler OperatorRed Hat Advanced Cluster Management for Kubernetes 2Red Hat Enterprise Linux 9Red Hat Enterprise Linux 8OpenShift Run Once Duration Override OperatorRed Hat Quay 3.14Migration Toolkit for Applications 8OpenShift Secondary Scheduler OperatorPower monitoring for Red Hat OpenShiftRed Hat OpenShift AI 2.25OpenShift Developer Tools and ServicesRed Hat OpenStack Platform 16.2Red Hat Web Terminal 1.14DevWorkspace Operator 0.4ExternalDNS OperatorRed Hat Advanced Cluster Management for Kubernetes 2.15Red Hat Enterprise Linux AppStream (v. 10)OpenShift PipelinesFile Integrity OperatorSecurity Profiles OperatorRed Hat Openshift Data Foundation 4.19Red Hat Advanced Cluster Management for Kubernetes 2.14Red Hat Trusted Artifact Signer 1.3Red Hat OpenShift Container Platform 4.13Red Hat Quay 3.15multicluster engine for Kubernetes 2.8Red Hat OpenShift Pipelines 1.2Red Hat AI Inference ServerSelf Node Remediation OperatorNetwork Observability (NETOBSERV) 1.11.2Red Hat OpenShift Container Platform 4.18Red Hat Satellite 6.16 for RHEL 8Red Hat Satellite 6.16 for RHEL 9Red Hat Quay 3.9Multicluster Global HubRed Hat Service Interconnect 1OpenShift API for Data Protection 1.4Storage-Based RemediationRed Hat OpenShift Dev Spaces 3.27Cryostat 4Red Hat OpenShift Virtualization 4Red Hat Advanced Cluster Security for Kubernetes 4.8Red Hat OpenShift Container Platform 4.16Red Hat CodeReady Linux Builder EUS (v.9.6)Red Hat OpenShift Container Platform 4Red Hat Developer Hub 1.8Red Hat Openshift Data Foundation 4Zero Trust Workload Identity Manager - Tech PreviewRed Hat Advanced Cluster Management for Kubernetes 2.16Red Hat Quay 3Machine Deletion Remediation OperatorRed Hat OpenShift GitOps 1.18Leader Worker SetService Telemetry Framework 1.5Red Hat OpenShift Container Platform 4.15Zero Trust Workload Identity ManagerRed Hat OpenShift Service Mesh 3.2Logging Subsystem for Red Hat OpenShift 6.4Red Hat Container Native Virtualization 4.18Red Hat Build of Podman DesktopExternal Secrets Operator for Red Hat OpenShiftcert-manager Operator for Red Hat OpenShiftKernel Module Management Operator for Red Hat Openshiftmulticluster engine for Kubernetes 2.10multicluster engine for Kubernetes 2.9Red Hat Enterprise Linux 7Red Hat Openshift Data Foundation 4.16Gatekeeper 3Red Hat Advanced Cluster Management for Kubernetes 2.13Red Hat Container Native Virtualization 4.19Red Hat Enterprise Linux 10Custom Metric Autoscaler operator for Red Hat OpenshiftRed Hat Enterprise Linux AppStream (v. 8)Red Hat OpenShift AI 3.3Red Hat OpenShift Dev Workspaces OperatorRed Hat Quay 3.17Red Hat Trusted Artifact SignerOpenShift Service Mesh 3Red Hat Ansible Automation Platform 2OpenShift ServerlessRed Hat Quay 3.12Red Hat Developer Hub 1.9OpenShift LightspeedRed Hat Enterprise Linux AppStream EUS (v.9.4)Red Hat Advanced Cluster Security for Kubernetes 4.9Red Hat OpenShift Container Platform 4.21multicluster engine for Kubernetes 2.11Red Hat Enterprise Linux AppStream EUS (v.9.6)OpenShift API for Data ProtectionRed Hat Build of KueueRed Hat Certification Program for Red Hat Enterprise Linux 9Builds for Red Hat OpenShiftRed Hat Openshift Data Foundation 4.2Red Hat Satellite 6OpenShift Compliance Operator 1Red Hat Openshift Data Foundation 4.18Red Hat Enterprise Linux AppStream (v. 9)Red Hat Lightspeed (formerly Insights) for Runtimes 1multicluster engine for Kubernetes 2.6Red Hat Web Terminal 1.13Red Hat OpenShift AI (RHOAI)Dynamic Accelerator Slicer Operator for Red Hat OpenShiftRed Hat OpenShift Pipelines 1.21Confidential Compute AttestationOpenShift Service Mesh 2Red Hat Edge Manager 1Multicluster Global Hub 1.3.4Multicluster Global Hub 1.6.2Logical Volume Manager StorageRed Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat OpenShift Container Platform 4.19Logging Subsystem for Red Hat OpenShiftRed Hat OpenShift Container Platform 4.14Red Hat Enterprise Linux AI (RHEL AI) 3Red Hat OpenShift Builds 1.7.3OpenShift API for Data Protection 1.5Red Hat OpenShift GitOps 1.19Red Hat OpenShift for Windows ContainersJob Set Tech PreviewRed Hat OpenShift Container Platform 4.20Red Hat OpenStack Platform 17.1Assisted Installer for Red Hat OpenShift Container Platform 2Red Hat Connectivity Link 1Multicluster Global Hub 1.4.5
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-551
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
CVE-2026-27137
Assigner-Go Project
ShareView Details
Assigner-Go Project
CVSS Score-7.5||HIGH
EPSS-0.61% / 44.66%
||
7 Day CHG+0.25%
Published-06 Mar, 2026 | 21:28
Updated-03 Jul, 2026 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect enforcement of email constraints in crypto/x509

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

Action-Not Available
Vendor-Go standard libraryRed Hat, Inc.Go
Product-gocrypto/x509Red Hat Openshift Data Foundation 4Zero Trust Workload Identity Manager - Tech PreviewRed Hat Quay 3Red Hat OpenShift distributed tracing 3.9.3Machine Deletion Remediation OperatorRed Hat OpenShift GitOps 1.18mirror registry for Red Hat OpenShift 2Service Telemetry Framework 1.5Red Hat Developer HubRed Hat Quay 3.16Multicluster Engine for KubernetesDeployment Validation OperatorZero Trust Workload Identity ManagerLogging Subsystem for Red Hat OpenShift 6.4Red Hat OpenShift Builds 1.6.5Logging Subsystem for Red Hat OpenShift 6.0streams for Apache Kafka 3Multicluster Global Hub 1.5.4Red Hat 3scale API Management Platform 2External Secrets Operator for Red Hat OpenShiftRed Hat OpenShift on AWSRed Hat Web Terminal 1.15Network Observability Operatorcert-manager Operator for Red Hat OpenShiftRed Hat OpenShift Cluster Manager CLIRed Hat Enterprise Linux 7Red Hat OpenShift GitOps 1.2Red Hat OpenStack Platform 18.0Gatekeeper 3Custom Metric Autoscaler operator for Red Hat OpenshiftMigration Toolkit for ContainersRed Hat Enterprise Linux 10Node HealthCheck OperatorRed Hat Enterprise Linux 9OpenShift Service Mesh 3Red Hat Enterprise Linux 8Red Hat Ansible Automation Platform 2Red Hat build of Apache Camel - HawtIO 4Logging Subsystem for Red Hat OpenShift 6.2Compliance OperatorOpenShift ServerlessRed Hat Advanced Cluster Security 4Migration Toolkit for Applications 8OpenShift LightspeedPower monitoring for Red Hat OpenShiftRed Hat Ansible Automation Platform 2.6Red Hat OpenShift AI 2.25Red Hat Service Interconnect 2OpenShift Developer Tools and ServicesRed Hat OpenStack Platform 16.2Red Hat Web Terminal 1.14DevWorkspace Operator 0.4ExternalDNS OperatorRed Hat Advanced Cluster Management for Kubernetes 2.15Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Enterprise Linux AppStream (v. 10)Red Hat Satellite 6.18OpenShift PipelinesFile Integrity OperatorSecurity Profiles OperatorRed Hat Certification Program for Red Hat Enterprise Linux 9Red Hat Web Terminal 1.11Red Hat Trusted Artifact Signer 1.3Red Hat Satellite 6Red Hat Enterprise Linux AppStream (v. 9)Red Hat Lightspeed (formerly Insights) for Runtimes 1Red Hat Web Terminal 1.13Red Hat OpenShift AI (RHOAI)Confidential Compute Attestationmirror registry for Red Hat OpenShiftRed Hat Edge Manager 1OpenShift Service Mesh 2Multicluster Global Hub 1.3.4Multicluster Global Hub 1.6.2Logical Volume Manager StorageRed Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat Web Terminal 1.12Fence Agents Remediation OperatorMulticluster Global Hub 1.4.5Logging Subsystem for Red Hat OpenShiftRed Hat Enterprise Linux AI (RHEL AI) 3Red Hat Service Interconnect 1Red Hat OpenShift Builds 1.7.3OpenShift API for Data Protection 1.4Red Hat OpenShift Dev Spaces 3.27Cryostat 4Red Hat OpenShift Virtualization 4OpenShift API for Data Protection 1.5Red Hat OpenShift GitOps 1.19Red Hat OpenShift for Windows ContainersRed Hat OpenStack Platform 17.1Assisted Installer for Red Hat OpenShift Container Platform 2Red Hat Connectivity Link 1Red Hat Hardened ImagesRed Hat OpenShift Container Platform 4
CWE ID-CWE-295
Improper Certificate Validation
CVE-2025-61726
Assigner-Go Project
ShareView Details
Assigner-Go Project
CVSS Score-7.5||HIGH
EPSS-1.94% / 77.72%
||
7 Day CHG+1.18%
Published-28 Jan, 2026 | 19:30
Updated-03 Jul, 2026 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Memory exhaustion in query parameter parsing in net/url

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Action-Not Available
Vendor-Go standard libraryRed Hat, Inc.Go
Product-gonet/urlCryostat 4 on RHEL 9Red Hat Enterprise Linux AppStream E4S (v.9.2)Red Hat OpenShift distributed tracing 3.9.3Red Hat Connectivity Link 1Multiarch Tuning OperatorRed Hat OpenShift Dev Spaces (RHOSDS) 3.26Red Hat Quay 3.16Multicluster Engine for KubernetesDeployment Validation OperatorRed Hat OpenShift Service Mesh 3.0Red Hat OpenShift Builds 1.6.5Red Hat OpenShift Service Mesh 2.6Logging Subsystem for Red Hat OpenShift 6.0Multicluster Global Hub 1.5.4Red Hat 3scale API Management Platform 2Red Hat OpenShift Container Platform 4.12Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)Red Hat Quay 3.10Red Hat OpenShift on AWSRed Hat Web Terminal 1.15Red Hat OpenShift Cluster Manager CLICustom Metric Autoscaler 2.19Red Hat OpenStack Platform 18.0Red Hat OpenShift Container Platform 4.17Red Hat OpenShift Service Mesh 3.1Migration Toolkit for ContainersRed Hat Enterprise Linux AppStream E4S (v.8.8)Red Hat Advanced Cluster Management for Kubernetes 2Node HealthCheck OperatorRed Hat Enterprise Linux 9Red Hat Satellite 6.18 for RHEL 9Red Hat OpenShift distributed tracing 3Red Hat Enterprise Linux 8Red Hat OpenShift GitOps 1.17Red Hat Quay 3.14Migration Toolkit for Applications 8Power monitoring for Red Hat OpenShiftOpenShift File Integrity Operator - FIO 1Red Hat OpenShift AI 2.25OpenShift Developer Tools and Services 1.6.2Red Hat Service Interconnect 2Red Hat OpenStack Services on OpenShift 18OpenShift Developer Tools and ServicesRed Hat OpenStack Platform 16.2Red Hat Web Terminal 1.14Red Hat Enterprise Linux AppStream AUS (v.8.6)DevWorkspace Operator 0.4Red Hat Advanced Cluster Management for Kubernetes 2.15ExternalDNS OperatorRed Hat Ceph Storage 5Red Hat Enterprise Linux AppStream (v. 10)Zero Trust Workload Identity Manager 1OpenShift PipelinesFile Integrity OperatorRed Hat Openshift Data Foundation 4.19Red Hat Advanced Cluster Management for Kubernetes 2.14Red Hat Web Terminal 1.11Red Hat Trusted Artifact Signer 1.3Red Hat OpenShift Container Platform 4.13Red Hat Ansible Automation Platform 2.6 for RHEL 10Red Hat Ceph Storage 8Red Hat Ansible Automation Platform 2.4 for RHEL 9Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)Red Hat Quay 3.15multicluster engine for Kubernetes 2.8mirror registry for Red Hat OpenShiftIronic content for Red Hat OpenShift Container Platform 4.18Red Hat OpenShift Dev SpacesRed Hat Enterprise Linux AppStream TUS (v.8.6)Red Hat AMQ ClientsNetwork Observability (NETOBSERV) 1.11.2Red Hat Web Terminal 1.12Fence Agents Remediation OperatorRed Hat OpenShift Container Platform 4.18Red Hat OpenShift AI 2.16Red Hat Quay 3.9Red Hat Service Interconnect 1OpenShift API for Data Protection 1.4Cert Manager support for Red Hat OpenShift release 1.17Red Hat OpenShift Dev Spaces 3.27Red Hat Update Infrastructure 5Cryostat 4Red Hat OpenShift Virtualization 4HawtIO HawtIO 4.4.0Red Hat Advanced Cluster Security for Kubernetes 4.8Red Hat OpenShift Container Platform 4.16Logging Subsystem for Red Hat OpenShift 6.3Red Hat Hardened ImagesRed Hat CodeReady Linux Builder EUS (v.9.6)Red Hat OpenShift Container Platform 4Red Hat Developer Hub 1.8Red Hat Ansible Automation Platform 2.6 for RHEL 9Zero Trust Workload Identity Manager - Tech PreviewRed Hat Quay 3Machine Deletion Remediation OperatorRed Hat OpenShift GitOps 1.18Red Hat Enterprise Linux AppStream AUS (v. 8.2)Red Hat Ceph Storage 7Red Hat OpenShift Container Platform 4.15Zero Trust Workload Identity ManagerRed Hat OpenShift Service Mesh 3.2Logging Subsystem for Red Hat OpenShift 6.4External Secrets Operator for Red Hat OpenShiftcert-manager Operator for Red Hat OpenShiftmulticluster engine for Kubernetes 2.10multicluster engine for Kubernetes 2.9Red Hat CodeReady Linux Builder EUS (v.9.4)Red Hat Enterprise Linux 7Red Hat Enterprise Linux Server (v. 7 ELS)Gatekeeper 3Red Hat Advanced Cluster Management for Kubernetes 2.13Red Hat Enterprise Linux 10Red Hat Ansible Automation Platform 2.4 for RHEL 8Red Hat Ansible Automation Platform 2.5 for RHEL 8Red Hat Enterprise Linux AppStream (v. 8)Red Hat OpenShift AI 3.3Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)Red Hat Ansible Automation Platform 2.5 for RHEL 9OpenShift Service Mesh 3Red Hat Ansible Automation Platform 2Logging Subsystem for Red Hat OpenShift 6.2OpenShift ServerlessRed Hat Quay 3.12OpenShift LightspeedRed Hat Enterprise Linux AppStream TUS (v.8.8)Red Hat Enterprise Linux AppStream EUS (v.9.4)Red Hat Ansible Automation Platform 2.6Red Hat Advanced Cluster Security for Kubernetes 4.9Red Hat Enterprise Linux AppStream EUS (v.9.6)Red Hat Satellite 6.18OpenShift API for Data ProtectionRed Hat Certification Program for Red Hat Enterprise Linux 9Streams for Apache Kafka 3.2.0Red Hat Satellite 6OpenShift Compliance Operator 1Red Hat Openshift Data Foundation 4.18Red Hat Enterprise Linux AppStream (v. 9)Red Hat Lightspeed (formerly Insights) for Runtimes 1multicluster engine for Kubernetes 2.6Red Hat Web Terminal 1.13Red Hat OpenShift AI (RHOAI)Confidential Compute AttestationOpenShift Service Mesh 2Red Hat Edge Manager 1Ironic content for Red Hat OpenShift Container Platform 4.17Red Hat Enterprise Linux AppStream E4S (v.8.6)Multicluster Global Hub 1.6.2Logical Volume Manager StorageRed Hat Enterprise Linux AppStream EUS (v. 10.0)Red Hat Enterprise Linux AppStream E4S (v.9.0)mirror registry for Red Hat OpenShift 2.0Node Maintenance OperatorRed Hat OpenShift Container Platform 4.19Logging Subsystem for Red Hat OpenShiftRed Hat OpenShift Container Platform 4.14multicluster engine for Kubernetes 2.7HawtIO HawtIO 4.3.1OpenShift API for Data Protection 1.5Red Hat OpenShift GitOps 1.19Red Hat OpenShift for Windows ContainersRed Hat OpenShift Container Platform 4.20Red Hat OpenStack Platform 17.1Assisted Installer for Red Hat OpenShift Container Platform 2Red Hat Enterprise Linux AppStream AUS (v.8.4)Red Hat Ceph Storage 6Custom Metric Autoscaler operator for Red Hat OpenshiftMulticluster Global Hub 1.4.5
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-13465
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
ShareView Details
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
CVSS Score-6.9||MEDIUM
EPSS-1.54% / 71.77%
||
7 Day CHG+1.22%
Published-21 Jan, 2026 | 19:05
Updated-03 Jul, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

Action-Not Available
Vendor-lodashLodashlodash.unsetlodash-esLodash-amdRed Hat, Inc.Siemens AG
Product-lodashlodash-eslodash.unsetLodash-amdLodashRed Hat Developer Hub 1.8Red Hat Directory Server 13Cryostat 4 on RHEL 9Red Hat Ceph Storage 7.1Red Hat Enterprise Linux High Availability (v. 10)Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat build of Apicurio Registry 2Red Hat Openshift Data Foundation 4Red Hat Enterprise Linux High Availability E4S (v.8.6)Red Hat Quay 3Red Hat Enterprise Linux HighAvailability EUS EXTENSION (v.8.4)Red Hat Advanced Cluster Security for Kubernetes 4.8Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)Red Hat OpenShift GitOps 1.18Red Hat Directory Server 11Red Hat Directory Server 12Red Hat Quay 3.16Multicluster Engine for KubernetesRed Hat OpenShift Container Platform 4.15Red Hat OpenShift Service Mesh 3.0Red Hat OpenShift Service Mesh 3.2Red Hat OpenShift Service Mesh 2.6streams for Apache Kafka 3Red Hat Ansible Automation Platform 2.5Red Hat 3scale API Management Platform 2Red Hat Ceph Storage 4Red Hat OpenShift GitOpsRed Hat Discovery 2Red Hat OpenShift Container Platform 4.12Red Hat build of OptaPlanner 8Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 ServerRed Hat JBoss Enterprise Application Platform 8multicluster engine for Kubernetes 2.10Migration Toolkit for Virtualizationmulticluster engine for Kubernetes 2.9Red Hat Enterprise Linux 7Red Hat Trusted Profile AnalyzerRed Hat OpenShift Container Platform 4.17Red Hat OpenShift Service Mesh 3.1Red Hat Advanced Cluster Security for Kubernetes 4.10Red Hat Fuse 7Red Hat Enterprise Linux High Availability (v. 9)Gatekeeper 3Red Hat Advanced Cluster Management for Kubernetes 2.13Migration Toolkit for ContainersRed Hat Enterprise Linux 10Streams for Apache Kafka 2.9.4Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat OpenShift AI 3.3Red Hat Advanced Cluster Management for Kubernetes 2Node HealthCheck OperatorRed Hat Enterprise Linux 9Red Hat OpenShift distributed tracing 3OpenShift Service Mesh 3Red Hat Enterprise Linux 8Red Hat OpenShift GitOps 1.17Red Hat Ansible Automation Platform 2Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)Red Hat Data Grid 8.6.0Red Hat Advanced Cluster Security 4Red Hat Enterprise Linux High Availability E4S (v.9.2)Migration Toolkit for Applications 8OpenShift LightspeedRed Hat Ansible Automation Platform 2.6Red Hat OpenShift AI 2.25Red Hat Enterprise Linux High Availability TUS (v.8.6)Red Hat Enterprise Linux High Availability EUS (v. 10.0)Red Hat Trusted Artifact Signer 1.2Red Hat Advanced Cluster Security for Kubernetes 4.9Red Hat OpenShift Container Platform 4.21Red Hat Advanced Cluster Management for Kubernetes 2.15Red Hat Process Automation 7Red Hat OpenShift Pipelines 1.15Red Hat Enterprise Linux High Availability EUS (v.9.4)Red Hat Enterprise Linux AppStream (v. 10)Red Hat Ceph Storage 5Red Hat Satellite 6.18OpenShift PipelinesRed Hat Trusted Artifact Signer 1.3RUGGEDCOM RST2428PCluster Observability Operator 1.4.0Red Hat JBoss Enterprise Application Platform 7Red Hat Enterprise Linux High Availability E4S (v.9.0)Red Hat Advanced Cluster Management for Kubernetes 2.12Red Hat OpenShift Container Platform 4.13Red Hat Ansible Automation Platform 2.6 for RHEL 10Red Hat Satellite 6Red Hat Enterprise Linux High Availability EUS (v.9.6)Red Hat Ceph Storage 8Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux High Availability E4S (v.8.8)multicluster engine for Kubernetes 2.6Red Hat OpenShift AI (RHOAI)Red Hat Enterprise Linux High Availability AUS (v.8.4)multicluster engine for Kubernetes 2.8Confidential Compute AttestationRed Hat Edge Manager 1Red Hat Edge Manager previewRed Hat OpenShift Pipelines 1.2Red Hat OpenShift Dev SpacesOpenShift Service Mesh 2Network Observability (NETOBSERV) 1.11.2Red Hat OpenShift Container Platform 4.18Red Hat Enterprise Linux Resilient Storage (v. 9)Red Hat OpenShift Container Platform 4.19Red Hat Enterprise Linux Resilient Storage EUS (v.9.6)Red Hat OpenShift Container Platform 4.14Logging Subsystem for Red Hat OpenShiftRed Hat Enterprise Linux High Availability TUS (v.8.8)Red Hat Enterprise Linux AI (RHEL AI) 3multicluster engine for Kubernetes 2.7Red Hat OpenShift Dev Spaces 3.27Red Hat OpenShift Virtualization 4Red Hat OpenShift GitOps 1.19HawtIO HawtIO 4.4.0Red Hat OpenShift Container Platform 4.20Red Hat Single Sign-On 7Red Hat OpenShift Container Platform 4.16Red Hat Ceph Storage 6Red Hat Connectivity Link 1Red Hat Enterprise Linux Resilient Storage E4S (v.9.2)Red Hat OpenShift Container Platform 4
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2026-21441
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.9||HIGH
EPSS-2.67% / 83.89%
||
7 Day CHG+1.99%
Published-07 Jan, 2026 | 22:09
Updated-03 Jul, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.

Action-Not Available
Vendor-urllib3Red Hat, Inc.Python Software Foundation
Product-urllib3urllib3Red Hat Ceph Storage 7.1Red Hat Enterprise Linux AppStream E4S (v.9.2)Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)Multiarch Tuning OperatorRed Hat OpenShift Dev Spaces (RHOSDS) 3.26Red Hat Quay 3.16Red Hat Ansible Automation Platform 2.4cert-manager operator for Red Hat OpenShift 1.18Multicluster Engine for KubernetesOpenShift API for Data Protection 1.3Red Hat Enterprise Linux BaseOS E4S (v.8.6)Red Hat Ansible Automation Platform 2.5Red Hat Satellite 6.17 for RHEL 9Red Hat Enterprise Linux BaseOS EUS (v.9.4)Multicluster Global Hub 1.5.4Red Hat OpenShift GitOpsRed Hat Discovery 2Red Hat Quay 3.13Red Hat Quay 3.10Migration Toolkit for VirtualizationRed Hat Enterprise Linux BaseOS (v. 8)Red Hat OpenStack Platform 18.0Migration Toolkit for ContainersRed Hat Enterprise Linux AppStream E4S (v.8.8)Red Hat Advanced Cluster Management for Kubernetes 2Node HealthCheck OperatorRed Hat Enterprise Linux 9Red Hat Satellite 6.18 for RHEL 9Red Hat Enterprise Linux BaseOS E4S (v.8.8)Red Hat Enterprise Linux ResilientStorage (v. 8)Red Hat Enterprise Linux 8Red Hat OpenShift GitOps 1.17Red Hat Ceph Storage 9Red Hat Quay 3.14Red Hat OpenShift AI 2.25Red Hat Enterprise Linux BaseOS AUS (v.8.4)Red Hat Trusted Artifact Signer 1.2OpenShift Developer Tools and ServicesRed Hat OpenStack Platform 16.2Red Hat Enterprise Linux AppStream AUS (v.8.6)Red Hat Advanced Cluster Management for Kubernetes 2.15RHUI 4 for RHEL 8Red Hat Enterprise Linux High Availability EUS (v.9.4)Zero Trust Workload Identity Manager 1OpenShift PipelinesRed Hat Advanced Cluster Management for Kubernetes 2.14Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)Red Hat Trusted Artifact Signer 1.3Red Hat AI Inference Server 3.2Red Hat Ceph Storage 8Red Hat Quay 3.15Red Hat Enterprise Linux HighAvailability (v. 8)Red Hat OpenShift Dev SpacesRed Hat Enterprise Linux AppStream TUS (v.8.6)Red Hat AI Inference ServerRed Hat Enterprise Linux BaseOS TUS (v.8.8)Self Node Remediation OperatorNetwork Observability (NETOBSERV) 1.11.2Fence Agents Remediation OperatorRed Hat Satellite 6.16 for RHEL 8Red Hat Satellite 6.16 for RHEL 9Red Hat build of Quarkus Native builderRed Hat Enterprise Linux High Availability TUS (v.8.8)Red Hat Update Infrastructure 5Red Hat Advanced Cluster Security for Kubernetes 4.8Red Hat Enterprise Linux Resilient Storage E4S (v.9.2)Red Hat OpenShift Container Platform 4Red Hat Openshift Data Foundation 4Zero Trust Workload Identity Manager - Tech PreviewRed Hat Enterprise Linux High Availability E4S (v.8.6)Red Hat Quay 3Red Hat Enterprise Linux HighAvailability EUS EXTENSION (v.8.4)Service Telemetry Framework 1.5Red Hat OpenShift GitOps 1.18Red Hat Developer HubRed Hat Enterprise Linux BaseOS E4S (v.9.2)Red Hat Enterprise Linux BaseOS EUS (v.9.6)External Secrets Operator for Red Hat OpenShiftRed Hat Enterprise Linux BaseOS E4S (v.9.0)Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6Red Hat Enterprise Linux 10Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)Red Hat Enterprise Linux AppStream (v. 8)Red Hat Enterprise Linux BaseOS EUS (v. 10.0)Red Hat OpenShift AI 3.3OpenShift Service Mesh 3Red Hat Ansible Automation Platform 2Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)OpenShift ServerlessRed Hat Enterprise Linux High Availability E4S (v.9.2)Red Hat Quay 3.12OpenShift LightspeedRed Hat Enterprise Linux AppStream TUS (v.8.8)Red Hat Ansible Automation Platform 2.6Red Hat Enterprise Linux AppStream EUS (v.9.4)Red Hat Enterprise Linux High Availability TUS (v.8.6)Red Hat Enterprise Linux BaseOS TUS (v.8.6)Red Hat Ansible Automation Platform Ansible Core 2Red Hat Advanced Cluster Security for Kubernetes 4.9Red Hat Enterprise Linux AppStream EUS (v.9.6)external secrets operator for Red Hat OpenShift - Tech PreviewRed Hat Satellite 6.18OpenShift API for Data ProtectionRed Hat Enterprise Linux Server HighAvailability (v. 7 ELS)Red Hat Certification Program for Red Hat Enterprise Linux 9Red Hat Enterprise Linux BaseOS (v. 10)Red Hat OpenShift Update ServiceRed Hat Enterprise Linux High Availability E4S (v.9.0)Red Hat Satellite 6Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux High Availability E4S (v.8.8)Red Hat OpenShift AI (RHOAI)Dynamic Accelerator Slicer Operator for Red Hat OpenShiftRed Hat Enterprise Linux High Availability AUS (v.8.4)Confidential Compute AttestationRed Hat Edge Manager previewOpenShift Service Mesh 2Red Hat Enterprise Linux AppStream E4S (v.8.6)Red Hat Enterprise Linux AppStream E4S (v.9.0)Red Hat Enterprise Linux BaseOS (v. 9)mirror registry for Red Hat OpenShift 2.0Logging Subsystem for Red Hat OpenShiftRed Hat Enterprise Linux AI (RHEL AI) 3Red Hat OpenStack Platform 13 (Queens)Red Hat Enterprise Linux Server ResilientStorage (v. 7 ELS)Red Hat OpenShift GitOps 1.19Red Hat OpenStack Platform 17.1Red Hat Enterprise Linux BaseOS AUS (v. 8.2)Assisted Installer for Red Hat OpenShift Container Platform 2Red Hat Enterprise Linux AppStream AUS (v.8.4)Red Hat Offline Knowledge PortalRed Hat Connectivity Link 1Red Hat Enterprise Linux BaseOS AUS (v.8.6)Multicluster Global Hub 1.4.5
CWE ID-CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)