Red Hat Linux OS and other open source products
Products by Red Hat Sorted by Most Security Vulnerabilities since 2018
| Product | Vulnerabilities | Description |
|---|---|---|
| Red Hat Enterprise Linux Server | 1534 | Red Hat Enterprise Linux (RHEL) Server. Includes software bundled with RHEL Server. |
| Red Hat Enterprise Linux Workstation | 1504 | Red Hat Enterprise Linux (RHEL) Workstation. Includes software bundled with RHEL Workstation. |
| Red Hat Enterprise Linux Desktop | 1493 | Red Hat Enterprise Linux (RHEL) Desktop. Includes software bundled with RHEL Desktop. |
Recent Red Hat Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:5533 | Important: osbuild-composer security update | March 24, 2026 |
| RHSA-2026:5514 | Moderate: redhat-ds:11 security update | March 24, 2026 |
| RHSA-2026:5513 | Moderate: 389-ds:1.4 security update | March 24, 2026 |
| RHSA-2026:5512 | Moderate: redhat-ds:11 security update | March 24, 2026 |
| RHSA-2026:5511 | Moderate: 389-ds:1.4 security update | March 24, 2026 |
| RHSA-2026:5482 | Moderate: Red Hat JBoss Enterprise Application Platform 8.1.5 XP 6.0.3.GA release | March 23, 2026 |
| RHSA-2026:5463 | RHTAS 1.3.3 - Red Hat Trusted Artifact Signer Release | March 23, 2026 |
| RHSA-2026:5461 | Important: osbuild-composer security update | March 23, 2026 |
| RHSA-2026:5459 | RHTAS 1.3.3 - Red Hat Trusted Artifact Signer Release | March 23, 2026 |
| RHSA-2026:5452 | RHTAS 1.3.3 - Red Hat Trusted Artifact Signer Release | March 23, 2026 |
By the Year
In 2026 there have so far been 260 vulnerabilities in Red Hat products, with an average CVE base score of 6.80 out of ten. Last year, in 2025, Red Hat had 1099 security vulnerabilities published. If vulnerabilities keep arriving at the current rate, the 2026 total could surpass last year's. The average CVE base score in 2026 is also slightly higher than in 2025 (6.80 against 6.54).
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 260 | 6.80 |
| 2025 | 1099 | 6.54 |
| 2024 | 1678 | 6.55 |
| 2023 | 1206 | 6.75 |
| 2022 | 1362 | 6.97 |
| 2021 | 1123 | 6.61 |
| 2020 | 663 | 6.40 |
| 2019 | 771 | 6.98 |
| 2018 | 760 | 7.16 |
It may take a day or so for new Red Hat vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-3260 | Mar 24, 2026 | Undertow DoS via multipart/form-data resource exhaustion: A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like `getParameterMap()`, the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS). | And others... |
| CVE-2026-1940 | Mar 23, 2026 | GStreamer OOB Read in gst_wavparse_adtl_chunk(): An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in the gst_wavparse_adtl_chunk() function. The patch added a size validation check, `lsize + 8 > size`, but it does not account for the GST_ROUND_UP_2(lsize) used in the actual offset calculation. When lsize is an odd number, the parser advances more bytes than were validated, causing an OOB read. | |
| CVE-2026-4647 | Mar 23, 2026 | BFD Library XCOFF Relocation Validation Defect DoS: A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks. | |
| CVE-2026-4645 | Mar 23, 2026 | Infinite Loop DoS via Crafted Boolean XPath in antchfx/xpath: A flaw was found in the `github.com/antchfx/xpath` component. A remote attacker could exploit this vulnerability by submitting crafted Boolean XPath expressions that evaluate to true. This can cause an infinite loop in the `logicalQuery.Select` function, leading to 100% CPU utilization and a Denial of Service (DoS) condition for the affected system. | And others... |
| CVE-2026-4633 | Mar 23, 2026 | Keycloak Identity-First Login Error Message User Enumeration: A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration. | |
| CVE-2026-4628 | Mar 23, 2026 | Keycloak UMA resource_set Endpoint: Access Control Bypass via PUT: A flaw was found in Keycloak. An improper access control vulnerability in Keycloak's User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity. | And others... |
| CVE-2026-23536 | Mar 20, 2026 | Red Hat Feast Feature Server: /read-document Arbitrary File Read via Unauthenticated POST: A security issue was discovered in the Feast Feature Server's `/read-document` endpoint that allows an unauthenticated remote attacker to read any file accessible to the server process. By sending a specially crafted HTTP POST request, an attacker can bypass intended access restrictions to potentially retrieve sensitive system files, application configurations, and credentials. | |
| CVE-2026-4427 | Mar 19, 2026 | Negative DataRow Length in pgproto3 Leading to DoS: A flaw was found in pgproto3. A malicious or compromised PostgreSQL server can exploit this by sending a DataRow message with a negative field length. This input validation vulnerability can lead to a denial of service (DoS) due to a slice bounds out of range panic. | And others... |
| CVE-2026-2369 | Mar 19, 2026 | libsoup Integer Underflow Buffer Overread: A flaw was found in libsoup. An integer underflow occurs when processing content with a zero-length resource, leading to a buffer overread. This can allow an attacker to potentially access sensitive information or cause an application-level denial of service. | |
| CVE-2026-4426 | Mar 19, 2026 | UB in libarchive Zisofs Decompressor Enables DoS via Malicious ISO: A flaw was found in libarchive. An undefined behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition. | |
| CVE-2026-4424 | Mar 19, 2026 | libarchive Heap OOB Read via Crafted RAR Archive: A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction. | |
| CVE-2026-4366 | Mar 18, 2026 | Keycloak Improper HTTP Redirect Handling Leads to Info Disclosure: A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or restricted resources. As a result, sensitive internal services such as cloud metadata endpoints could be accessed. This issue may lead to information disclosure and enable attackers to map internal network infrastructure. | And others... |
| CVE-2026-2575 | Mar 18, 2026 | Keycloak DoS via Compressed SAMLRequest over SAML Redirect Binding: A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application-level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service. | |
| CVE-2026-2603 | Mar 18, 2026 | Keycloak SAML Endpoint Bypass via Crafted IdP Response: A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication. | |
| CVE-2026-2092 | Mar 18, 2026 | Keycloak SAML Broker Unvalidated Encrypted Assertion Attack: A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure. | |
| CVE-2026-4324 | Mar 17, 2026 | SQLi via sort_by in Katello Plugin (Red Hat Satellite): A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into the sort_by parameter of the /api/hosts/bootc_images API endpoint. This can lead to a Denial of Service (DoS) by triggering database errors, and potentially enable Boolean-based blind SQL injection, which could allow an attacker to extract sensitive information from the database. | |
| CVE-2026-4271 | Mar 17, 2026 | libsoup HTTP/2 UAF on Auth Failure & DoS: A flaw was found in libsoup, a library for handling HTTP requests. This use-after-free vulnerability occurs in the HTTP/2 server implementation. A remote attacker can exploit this by sending specially crafted HTTP/2 requests that cause authentication failures. This can lead to the application attempting to access memory that has already been freed, potentially causing application instability or crashes, resulting in a Denial of Service (DoS). | |
| CVE-2026-3634 | Mar 17, 2026 | libsoup CRLF Header Injection via Content-Type Header: A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the `soup_message_headers_set_content_type()` function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks. | |
| CVE-2026-3633 | Mar 17, 2026 | CRLF Injection in libsoup's soup_message_new via Unescaped Method: A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection. | |
| CVE-2026-3632 | Mar 17, 2026 | libsoup Hostname Validation Flaw Enabling HTTP Smuggling & SSRF: A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, sending hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not used in internet-facing infrastructure. | |
| CVE-2026-3441 | Mar 15, 2026 | Heap-based Overflow in GNU Binutils BFD Linker: A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the BFD linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application-level denial of service. | |
| CVE-2026-3442 | Mar 15, 2026 | Buffer Overflow in BFD Linker in GNU Binutils: A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the BFD linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application-level denial of service. | |
| CVE-2026-4111 | Mar 13, 2026 | Infinite Loop in libarchive RAR5 Decompression Causing DoS: A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives. | |
| CVE-2026-4105 | Mar 13, 2026 | systemd Improper Access Control in D-Bus RegisterMachine: A flaw was found in systemd. The systemd-machined service contains an improper access control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system. | |
| CVE-2025-57849 | Mar 13, 2026 | Red Hat Fuse Container Privilege Escalation via Group-Writable /etc/passwd: A container privilege escalation flaw was found in certain Fuse images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | |
| CVE-2025-8766 | Mar 13, 2026 | Red Hat Multi-Cloud Object Gateway Core Privilege Escalation via /etc/passwd: A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | |
| CVE-2026-2376 | Mar 12, 2026 | Mirror Registry Authenticated Redirect Spoof: A flaw was found in mirror-registry where an authenticated user can trick the system into accessing unintended internal or restricted systems by providing malicious web addresses. When the application processes these addresses, it automatically follows redirects without verifying the final destination, allowing attackers to route requests to systems they should not have access to. | |
| CVE-2026-3099 | Mar 12, 2026 | libsoup Digest Auth Replay Vulnerability (nonce & nc tracking): A flaw was found in libsoup. The server-side digest authentication implementation in the SoupAuthDomainDigest class does not properly track issued nonces or enforce the required incrementing nonce-count (nc) attribute. This vulnerability allows a remote attacker to capture a single valid authentication header and replay it repeatedly. Consequently, the attacker can bypass authentication and gain unauthorized access to protected resources, impersonating the legitimate user. | |
| CVE-2026-2366 | Mar 12, 2026 | Keycloak Admin API Auth Bypass: Org Membership Enumeration: A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled. | |
| CVE-2026-3234 | Mar 12, 2026 | Apache mod_proxy_cluster CRLF Injection: A flaw was found in mod_proxy_cluster. This vulnerability, a Carriage Return Line Feed (CRLF) injection in the decodeenc() function, allows a remote attacker to bypass input validation. By injecting CRLF sequences into the cluster configuration, an attacker can corrupt the response body of INFO endpoint responses. Exploitation requires network access to the MCMP protocol port, but no authentication is needed. | |
| CVE-2026-3429 | Mar 11, 2026 | Keycloak REST API Privilege Escalation via MFA Credential Delete: A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim's password can delete the victim's registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication. | And others... |
| CVE-2026-3911 | Mar 11, 2026 | Keycloak UserResource view-users Role Hidden Attribute Disclosure: A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data. | |
| CVE-2026-26130 | Mar 10, 2026 | Mar 2026: ASP.NET Core Denial of Service Vulnerability: Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network. | |
| CVE-2026-26127 | Mar 10, 2026 | Mar 2026: .NET Denial of Service Vulnerability: Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network. | |
| CVE-2026-3047 | Mar 05, 2026 | Keycloak SAML Broker Auth Bypass via Disabled Client: A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions. | |
| CVE-2026-3009 | Mar 05, 2026 | Keycloak IdentityBroker Auth Bypass via Disabled IdP: A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider. | And others... |
| CVE-2025-12801 | Mar 04, 2026 | NFSv3 rpc.mountd Privilege Escalation via Directory Bypass: A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux that allows an NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client. | And others... |
| CVE-2026-27446 | Mar 04, 2026 | Missing Auth on Core Protocol in Apache Artemis 2.50.0-2.51.0: Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both incoming Core protocol connections from untrusted sources to the broker and outgoing Core protocol connections from the broker to untrusted targets. This issue affects Apache Artemis from 2.50.0 through 2.51.0 and Apache ActiveMQ Artemis from 2.11.0 through 2.44.0. Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue. The issue can be mitigated by one of the following: (1) Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core. (2) Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability. (3) Implement and deploy a Core interceptor to deny all Core downstream federation connect packets. Such packets have a type of (int) -16 or (byte) 0xfffffff0. Documentation for interceptors is available at https://artemis.apache.org/components/artemis/documentation/latest/intercepting-operations.html . | |
| CVE-2025-10990 | Feb 27, 2026 | REXML ReDoS via Hex Character Reference Parsing: A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761. | And others... |
| CVE-2025-12150 | Feb 27, 2026 | Keycloak WebAuthn Attestation Bypass (fmt none): A flaw was found in Keycloak's WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration. | |
| CVE-2026-0980 | Feb 27, 2026 | RCE via Malicious Username in RubyIPMI (Red Hat Satellite BMC): A flaw was found in rubyipmi, a gem used in the Baseboard Management Controller (BMC) component of Red Hat Satellite. An authenticated attacker with host creation or update permissions could exploit this vulnerability by crafting a malicious username for the BMC interface. This could lead to remote code execution (RCE) on the system. | |
| CVE-2026-0871 | Feb 27, 2026 | Keycloak RBAC Bypass: Unauthorized Attribute Modification via manage-users: A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications. | And others... |
| CVE-2025-13327 | Feb 27, 2026 | uv ZIP Parsing Flaw Enables Code Execution During Package Install: A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package. | |
| CVE-2025-9909 | Feb 27, 2026 | Credential Theft via Double-Slash Gateway Path in Ansible Automation Platform: A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash (//) prefix in the gateway_path. A malicious or socially engineered administrator can configure a honey-pot route to intercept and exfiltrate user credentials, potentially maintaining persistent access or creating a backdoor even after their permissions are revoked. | And others... |
| CVE-2025-9908 | Feb 27, 2026 | Ansible EDA Event Streams Header Leakage: A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or perform malicious event injection. | And others... |
| CVE-2025-9907 | Feb 27, 2026 | Sensitive Data Exposure via test_headers in Red Hat Ansible EDA Event Stream API: A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructure headers via the test_headers field when an event stream is in test mode. The possible outcome includes leakage of internal infrastructure details, accidental disclosure of user or system credentials, privilege escalation if high-value tokens are exposed, and persistent sensitive data exposure to all users with read access on the event stream. | And others... |
| CVE-2025-9572 | Feb 27, 2026 | Authorization Bypass in Foreman GraphQL API: An authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass. | And others... |
| CVE-2026-28295 | Feb 26, 2026 | GVfs FTP Backend IP/Port Spoofing Allows Client Port Scanning: A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network. | |
| CVE-2026-27830 | Feb 26, 2026 | c3p0 before 0.12.0: Deserialization RCE via userOverridesAsString: c3p0, a JDBC connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via maliciously crafted serialized objects or `javax.naming.Reference` instances, could tailor it to execute unexpected code on the application's `CLASSPATH`. The danger of this vulnerability was strongly magnified by vulnerabilities in c3p0's main dependency, mchange-commons-java. This library includes code that mirrors early implementations of JNDI functionality, including ungated support for remote `factoryClassLocation` values. Attackers could set c3p0's `userOverridesAsString` to hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke download and execution of malicious code from a remote `factoryClassLocation`. Although the hazard presented by c3p0's vulnerabilities is exacerbated by vulnerabilities in mchange-commons-java, use of Java-serialized-object hex as the format for a writable Java-Bean property, on objects that may be exposed across JNDI interfaces, represents a serious independent fragility. The `userOverridesAsString` property of c3p0 `ConnectionPoolDataSource` classes has been reimplemented to use a safe CSV-based format, rather than rely upon potentially dangerous Java object deserialization. c3p0 0.12.0 and later depends upon mchange-commons-java 0.4.0+, which gates support for remote `factoryClassLocation` values by configuration parameters that default to restrictive values. c3p0 additionally enforces the new mchange-commons-java `com.mchange.v2.naming.nameGuardClassName` to prevent injection of unexpected, potentially remote JNDI names. There is no supported workaround for versions of c3p0 prior to 0.12.0. | |
| CVE-2026-27727 | Feb 25, 2026 | mchange-commons-java RCE via JNDI before 0.4.0: mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `javax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to `false`, `com.sun.jndi.ldap.object.trustURLCodebase`. However, since mchange-commons-java includes an independent implementation of JNDI dereferencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs. | |
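The GStreamer entry above (CVE-2026-1940) describes an off-by-padding bug: the bound check validates `lsize`, but the loop advances by `GST_ROUND_UP_2(lsize)`. The following is an added example, not GStreamer code and not from this page, that models that sub-chunk walk with both the incomplete check and the rounded check side by side. The sub-chunk layout (4-byte id, 4-byte little-endian size, even-padded data), the loop shape and all names are this example's assumptions; only the two checks come from the advisory text.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not GStreamer code. Models the adtl sub-chunk walk from
 * CVE-2026-1940: each sub-chunk is a 4-byte id, a 4-byte little-endian lsize,
 * then lsize data bytes padded to an even length. */

#define ROUND_UP_2(x) (((x) + 1u) & ~1u)   /* what GST_ROUND_UP_2 computes */

enum { ADTL_REJECTED = -1, ADTL_OVERRUN = -2 };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walks the sub-chunks in buf[0..size). Returns the number of chunks seen,
 * ADTL_REJECTED if the bound check refuses one, or ADTL_OVERRUN if the advance
 * would step past the buffer (the point where the real parser reads OOB). */
int walk_adtl(const uint8_t *buf, uint32_t size, int fixed_check) {
    uint32_t offset = 0;
    int chunks = 0;
    while (size - offset >= 8) {
        uint32_t remaining = size - offset;
        uint32_t lsize = rd_le32(buf + offset + 4);
        if (lsize > remaining)            /* keeps the arithmetic below from wrapping */
            return ADTL_REJECTED;
        /* Incomplete fix: lsize + 8 > size. Complete fix: the same comparison on
         * the rounded value, because that is what the advance below uses. */
        uint32_t need = fixed_check ? ROUND_UP_2(lsize) : lsize;
        if (need + 8 > remaining)
            return ADTL_REJECTED;
        uint32_t advance = 8 + ROUND_UP_2(lsize);
        if (advance > remaining)          /* reachable only with the old check */
            return ADTL_OVERRUN;
        offset += advance;
        chunks++;
    }
    return chunks;
}

/* Constructed inputs. odd_tail: one 'labl' sub-chunk with an odd lsize (3)
 * ending exactly at the buffer end. 3 + 8 > 11 is false, so the old check
 * passes, but the walk then advances 8 + ROUND_UP_2(3) = 12 bytes. */
static const uint8_t odd_tail[11] = { 'l','a','b','l', 3,0,0,0, 'a','b','c' };
/* Two well-formed sub-chunks, the first padded to an even length. */
static const uint8_t well_formed[24] = { 'l','a','b','l', 3,0,0,0, 'a','b','c',0,
                                         'n','o','t','e', 4,0,0,0, 'd','e','f','g' };

int main(void) {
    printf("odd lsize, old check:   %d\n", walk_adtl(odd_tail, sizeof odd_tail, 0));       /* -2 */
    printf("odd lsize, fixed check: %d\n", walk_adtl(odd_tail, sizeof odd_tail, 1));       /* -1 */
    printf("well-formed:            %d\n", walk_adtl(well_formed, sizeof well_formed, 1)); /* 2 */
    return 0;
}
```

The design point: validate the quantity you are actually going to use for the pointer or offset arithmetic, not a related one. Here the advance is the rounded size, so the rounded size is what must be compared against the remaining bytes.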
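The pgproto3 entry above (CVE-2026-4427) is the classic sign-check gap in a length-prefixed wire format: a negative int32 that is not -1 becomes a huge unsigned bound. The following is an added example, not pgproto3 code and not from this page, of a bounds-checked parser for the body of a PostgreSQL DataRow message (int16 field count, then per field an int32 length where -1 means SQL NULL, followed by that many bytes). The type and error names are this example's own; the wire layout is the documented PostgreSQL protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not pgproto3 code. Parses a DataRow ('D') message body with
 * every length validated before it is used as a slice bound. */

typedef struct {
    const uint8_t *data;   /* NULL for a SQL NULL */
    int32_t len;           /* -1 for a SQL NULL */
} pg_field;

enum { PG_ERR_TRUNCATED = -1, PG_ERR_BAD_LEN = -2, PG_ERR_FIELD_COUNT = -3 };

static uint16_t rd_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parses body[0..body_len) into out[0..max_fields). Returns the field count or
 * a PG_ERR_* value. out[] entries point into body, so body must outlive them. */
int parse_datarow(const uint8_t *body, size_t body_len, pg_field *out, int max_fields) {
    if (body_len < 2) return PG_ERR_TRUNCATED;
    int n = (int16_t)rd_be16(body);                 /* the wire type is signed */
    if (n < 0 || n > max_fields) return PG_ERR_FIELD_COUNT;
    size_t pos = 2;
    for (int i = 0; i < n; i++) {
        if (body_len - pos < 4) return PG_ERR_TRUNCATED;
        int32_t len = (int32_t)rd_be32(body + pos);
        pos += 4;
        if (len == -1) { out[i].data = NULL; out[i].len = -1; continue; }
        if (len < 0) return PG_ERR_BAD_LEN;              /* the check CVE-2026-4427 lacked */
        if ((size_t)len > body_len - pos) return PG_ERR_TRUNCATED;
        out[i].data = body + pos;
        out[i].len = len;
        pos += (size_t)len;
    }
    return n;
}

/* Constructed message bodies, as a server (or a hostile one) would send them. */
static const uint8_t DR_GOOD[]     = { 0,2,  0,0,0,2, 'a','b',  0xff,0xff,0xff,0xff }; /* "ab", NULL */
static const uint8_t DR_NEGATIVE[] = { 0,1,  0xff,0xff,0xff,0xfb };                   /* length -5 */
static const uint8_t DR_OVERLONG[] = { 0,1,  0,0,0,16, 'a' };                         /* claims 16, has 1 */

static pg_field g_fields[4];

int main(void) {
    printf("good:     %d fields\n", parse_datarow(DR_GOOD, sizeof DR_GOOD, g_fields, 4));        /* 2 */
    printf("negative: %d\n", parse_datarow(DR_NEGATIVE, sizeof DR_NEGATIVE, g_fields, 4));      /* -2 */
    printf("overlong: %d\n", parse_datarow(DR_OVERLONG, sizeof DR_OVERLONG, g_fields, 4));      /* -1 */
    return 0;
}
```

Note the order of the checks: the sentinel value (-1) is handled first, any other negative value is an error in its own right, and only then is the now non-negative length compared against the bytes actually remaining. A client library must apply this to every length the server sends, since the server is an untrusted peer from the client's point of view.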
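Three entries above (CVE-2026-3634, CVE-2026-3633 and CVE-2026-3234) are the same defect: a caller-controlled string is written into an HTTP line without rejecting CR and LF. The following is an added example, not libsoup or mod_proxy_cluster code and not from this page, that builds a request line and a Content-Type header with and without those checks, and counts how many requests a receiver would see in the result. The function names, request shape and the injected inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libsoup code. naive=1 writes inputs straight into the
 * request (the vulnerable behaviour); naive=0 applies the token and
 * line-break checks that make injection impossible. */

/* RFC 7230 token characters, which is all a method name may contain. */
static int is_tchar(unsigned char c) {
    if (c == 0) return 0;
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')) return 1;
    return strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

static int method_ok(const char *m) {
    if (*m == '\0') return 0;
    for (; *m; m++) if (!is_tchar((unsigned char)*m)) return 0;
    return 1;
}

/* A header value or request-target must not contain CR or LF; a target must
 * also not contain a space, which would terminate it early. */
static int no_line_break(const char *s, int allow_space) {
    for (; *s; s++)
        if (*s == '\r' || *s == '\n' || (!allow_space && *s == ' ')) return 0;
    return 1;
}

/* Writes "METHOD target HTTP/1.1" plus a Content-Type header into out.
 * Returns the length, or -1 when an input would inject a line break or the
 * buffer is too small. */
int build_request(const char *method, const char *target, const char *ctype,
                  char *out, size_t cap, int naive) {
    if (!naive && !(method_ok(method) && no_line_break(target, 0) && no_line_break(ctype, 1)))
        return -1;
    int n = snprintf(out, cap, "%s %s HTTP/1.1\r\nContent-Type: %s\r\n\r\n",
                     method, target, ctype);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* How many request lines a server parsing out would see. */
int count_request_lines(const char *out) {
    int n = 0;
    for (const char *p = out; (p = strstr(p, " HTTP/1.1\r\n")) != NULL; p++) n++;
    return n;
}

/* Constructed attacker-controlled inputs. */
static const char INJECTED_METHOD[] = "GET / HTTP/1.1\r\nHost: a\r\n\r\nPOST";
static const char INJECTED_CTYPE[]  = "text/plain\r\nSet-Cookie: sid=attacker";
static char g_out[256];

int main(void) {
    build_request(INJECTED_METHOD, "/p", "text/plain", g_out, sizeof g_out, 1);
    printf("naive build: %d request lines\n", count_request_lines(g_out));                           /* 2 */
    printf("checked build: %d\n", build_request(INJECTED_METHOD, "/p", "text/plain", g_out, sizeof g_out, 0)); /* -1 */
    printf("checked ctype: %d\n", build_request("POST", "/p", INJECTED_CTYPE, g_out, sizeof g_out, 0));        /* -1 */
    return 0;
}
```

Rejecting rather than stripping is deliberate: silently deleting CR and LF can leave a value that means something else, and a caller that passes a line break has a bug that should surface.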
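The libsoup digest entry above (CVE-2026-3099) says the server neither tracks the nonces it issued nor enforces an increasing nc. The following is an added example, not libsoup code and not from this page, of the server-side bookkeeping that closes that gap: a small table of issued nonces with the last accepted nonce-count for each, and a check that refuses any nc that does not increase. The table size, the names, and the caller-supplied nonce value are simplifications for this example; a real server derives nonces from a secret and a timestamp and also expires them.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libsoup code. A replayed Authorization header carries a
 * fixed nonce, nc and response digest; with this check its second use fails. */

#define MAX_NONCES 8

typedef struct { char nonce[64]; uint32_t last_nc; int issued; } nonce_slot;
typedef struct { nonce_slot slots[MAX_NONCES]; unsigned next; } nonce_table;

/* Records a newly issued nonce (ring buffer; the oldest entry is evicted). */
int nonce_issue(nonce_table *t, const char *nonce) {
    nonce_slot *s = &t->slots[t->next++ % MAX_NONCES];
    snprintf(s->nonce, sizeof s->nonce, "%s", nonce);
    s->last_nc = 0;
    s->issued = 1;
    return 1;
}

/* Parses the nc= field: exactly 8 hex digits (RFC 7616). */
int parse_nc(const char *hex8, uint32_t *out) {
    if (strlen(hex8) != 8) return 0;
    for (int i = 0; i < 8; i++)
        if (!strchr("0123456789abcdefABCDEF", hex8[i])) return 0;
    *out = (uint32_t)strtoul(hex8, NULL, 16);
    return 1;
}

/* Returns 1 and records nc if the nonce was issued here and nc is strictly
 * greater than the last nc accepted for it; 0 for an unknown nonce or a
 * non-increasing nc (a replayed header, or one that arrived after a later
 * request). Run this after the response digest has verified, not instead. */
int nonce_check(nonce_table *t, const char *nonce, uint32_t nc) {
    for (int i = 0; i < MAX_NONCES; i++) {
        nonce_slot *s = &t->slots[i];
        if (!s->issued || strcmp(s->nonce, nonce) != 0) continue;
        if (nc <= s->last_nc) return 0;
        s->last_nc = nc;
        return 1;
    }
    return 0;   /* unknown or evicted nonce: answer 401 with a fresh one */
}

static nonce_table g_table;   /* zero-initialised: nothing issued yet */
static uint32_t g_nc;

int main(void) {
    /* Constructed exchange: server issues a nonce, client uses it with nc=1,
     * then an eavesdropper replays the identical header. */
    nonce_issue(&g_table, "dcd98b7102dd2f0e8b11d0f600bfb0c093");
    parse_nc("00000001", &g_nc);
    printf("first use: %d\n", nonce_check(&g_table, "dcd98b7102dd2f0e8b11d0f600bfb0c093", g_nc)); /* 1 */
    printf("replay:    %d\n", nonce_check(&g_table, "dcd98b7102dd2f0e8b11d0f600bfb0c093", g_nc)); /* 0 */
    printf("unknown:   %d\n", nonce_check(&g_table, "never-issued", g_nc));                       /* 0 */
    return 0;
}
```

The nc check only works because the nonce is bound to the server's own table: a nonce the attacker minted themselves is rejected outright, and a legitimate nonce cannot be reused with a lower or equal count. Eviction (or a real expiry) bounds the table so an attacker cannot exhaust memory by requesting nonces.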