Red Hat Multicluster Globalhub


Recent Red Hat Multicluster Globalhub Security Advisories

Advisory | Title | Published
RHSA-2025:9388 | Important: Red Hat Multicluster GlobalHub 1.2.3 bug fixes and container updates | June 23, 2025
RHSA-2025:0560 | Important: Red Hat Multicluster GlobalHub 1.2.1 bug fixes and container updates | January 21, 2025
RHSA-2024:0989 | Critical: Red Hat Multicluster GlobalHub 1.0.2 bug fixes and security updates | February 26, 2024

By the Year

In 2026 there have been 47 vulnerabilities in Red Hat Multicluster Globalhub, with an average score of 7.8 out of ten. Last year, in 2025, Multicluster Globalhub had 3 security vulnerabilities published. That is, 44 more vulnerabilities have already been reported in 2026 than in all of last year. Moreover, the average CVE base score of the vulnerabilities in 2026 is greater by 1.18.

Year | Vulnerabilities | Average Score
2026 | 47 | 7.75
2025 | 3 | 6.57

It may take a day or so for new Multicluster Globalhub vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Multicluster Globalhub Security Vulnerabilities

Docker Moby <29.5.1: Decompression Binary Hijack in /containers/{id}/archive
CVE-2026-41567 7.5 - High - June 05, 2026

Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries (such as `xz` or `unpigz`) from the container's filesystem rather than the host's, due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the `PUT /containers/{id}/archive` endpoint, and avoiding piping compressed archives into containers created from untrusted images.

DLL preloading

Go crypto/x509 VerifyHostname DNS SAN quadratic overhead
CVE-2026-27145 7.5 - High - June 02, 2026

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Unchecked Input for Loop Condition

Remote Unauth DoS in iskorotkov/avro <2.33 via Block-Count Loop
CVE-2026-46385 7.5 - High - May 29, 2026

iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state inside the loop body. Reader.ReadBlockHeader returns the count as a Go int, which is 64-bit on amd64 / arm64 targets, so a producer can declare a block of up to math.MaxInt64 (~9.2 × 10¹⁸) elements followed by EOF (or any truncated payload), and the decoder will attempt that many no-op iterations before propagating the error. The realistic ceiling is "indefinite until the worker is killed externally": a single hostile payload pins a CPU core until the process is OOM-killed, deadline-cancelled, or terminated. Remote, unauthenticated denial-of-service. This vulnerability is fixed in 2.33.0.

Resource Exhaustion

iskorotkov/avro Decoder Overflow/Truncation (pre2.33.0)
CVE-2026-46384 7.5 - High - May 29, 2026

iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized int before bounds-checking, or summed them with overflow-prone signed-int arithmetic. On 32-bit targets (GOARCH=386, arm, mips, wasm, etc.), the truncation paths can silently bypass byte-slice limits, select the wrong union branch, or hit the OCF negative-make panic via wrap. Three sub-issues are not 32-bit-specific: cumulative-size arithmetic overflow in arrayDecoder.Decode / mapDecoder.Decode / mapDecoderUnmarshaler.Decode (wraps at math.MaxInt64 on amd64 / arm64 and bypasses MaxSliceAllocSize / MaxMapAllocSize), math.MinInt negation in block-header handling, and make([]byte, size) with a negative size in OCF block reads; all three panic or bypass caps on any platform, giving an attacker a denial-of-service primitive there. This vulnerability is fixed in 2.33.0.

Integer Overflow or Wraparound

golang.org/x/net/idna pre-0.55.0 IDN bug allows silent ASCII/Unicode mix
CVE-2026-39821 8.2 - High - May 22, 2026

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".

Improper Validation of Unsafe Equivalence in Input

Go net/mail 1.25.x-1.26.3: ParseAddress/Date CPU/Memory Exhaustion
CVE-2026-39820 7.5 - High - May 07, 2026

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

Unchecked Input for Loop Condition

DoS via consumePhrase in Go net/mail RFC 5322 parsing <1.26.3
CVE-2026-42499 7.5 - High - May 07, 2026

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Creation of Immutable Text Using String Concatenation

Double-free CVE-2026-33811 via LookupCNAME in Go net (<=1.26.2)
CVE-2026-33811 7.5 - High - May 07, 2026

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

1341

Apache Thrift CVE-2026-43869: Improper Cert Host Mismatch before 0.23.0
CVE-2026-43869 7.3 - High - May 05, 2026

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Improper Validation of Certificate with Host Mismatch

Heap Exhaustion via Unvalidated Len in Prometheus Remote Read (<3.5.3/3.11.3)
CVE-2026-42154 7.5 - High - May 04, 2026

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.

Resource Exhaustion

Prometheus OAuth Client Secret Exposure via /-/config (pre 3.5.3/3.11.3)
CVE-2026-42151 7.5 - High - May 04, 2026

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.

Information Disclosure

Qt Quick SVG: Node ID flaw enables QML/JS injection via VectorImage
CVE-2025-14576 7.8 - High - April 30, 2026

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

Code Injection

OOB Read Vulnerability in Apache Thrift before 0.23.0
CVE-2026-41607 9.1 - Critical - April 28, 2026

Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Out-of-bounds Read

Apache Thrift <0.23.0: Uncontrolled Recursion Vulnerability
CVE-2026-41606 7.5 - High - April 28, 2026

Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Stack Exhaustion

Apache Thrift Int Overflow or Wraparound <0.23.0; Fixed 0.23.0
CVE-2026-41605 7.7 - High - April 28, 2026

Integer Overflow or Wraparound vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Integer Overflow or Wraparound

CVE-2026-41604: OOB Read in Apache Thrift < 0.23.0
CVE-2026-41604 8.2 - High - April 28, 2026

Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Out-of-bounds Read

Apache Thrift CVE-2026-41603: Improper Cert Host Mismatch Before 0.23.0
CVE-2026-41603 8.2 - High - April 28, 2026

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Improper Validation of Certificate with Host Mismatch

Apache Thrift Go TFramedTransport Integer Overflow (<0.23.0)
CVE-2026-41602 7.5 - High - April 28, 2026

Integer Overflow or Wraparound vulnerability in the Apache Thrift TFramedTransport Go language implementation. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Integer Overflow or Wraparound

Apache Thrift 0.23+ Mismatched Memory Mgmt Routines Vulnerability
CVE-2025-48431 7.5 - High - April 28, 2026

Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash a c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.

Mismatched Memory Management Routines

Grafana Tempo Large Limit Memory Allocation DoS
CVE-2026-21728 7.5 - High - April 24, 2026

Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy. Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).

Resource Exhaustion

OpenFGA 0.1.4-1.13.1: Preshared Key Leak in /playground
CVE-2026-40293 7.5 - High - April 17, 2026

OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It is intended for local development and debugging and is not designed to be exposed to production environments. Only those who run OpenFGA with `--authn-method` preshared, with the playground enabled, and with the playground endpoint accessible beyond localhost or trusted networks are vulnerable. To remediate the issue, users should upgrade to OpenFGA v1.14.0, or disable the playground by running `./openfga run --playground-enabled=false`.

Information Disclosure

Pyroscope API Secret Key Leak via Tencent COS Backend <1.15.2/1.16.1/1.17.0
CVE-2025-41118 7.5 - High - April 15, 2026

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API. To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems. This vulnerability is fixed in versions: 1.15.x: 1.15.2 and above. 1.16.x: 1.16.1 and above. 1.17.x: 1.17.0 and above (i.e. all versions). Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program.

Incorrect Permission Assignment for Critical Resource

Go crypto/x509 Intermediates DoS (<=1.26.2)
CVE-2026-32280 7.5 - High - April 08, 2026

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Allocation of Resources Without Limits or Throttling

Go crypto/tls TLS 1.3 KeyUpdate deadlock DoS (1.25.9 & <1.26.2)
CVE-2026-32283 7.5 - High - April 08, 2026

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

Multiple Locks of a Critical Resource

Go 1.26.x crypto/x509 DNS Constraint Case Sensitivity
CVE-2026-33810 8.8 - High - April 08, 2026

When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Improper Validation of Unsafe Equivalence in Input

Memory-safety flaw in Go pgx pgproto3 component
CVE-2026-33816 8.3 - High - April 07, 2026

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Memory Corruption

Memory-Safety CVE-2026-33815 in pgx/v5 (Go Postgres Driver)
CVE-2026-33815 8.3 - High - April 07, 2026

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Memory Corruption

GoJOSE JWE Decrypt Panic (DoS) Fixed v4.1.4/3.0.5
CVE-2026-34986 7.5 - High - April 06, 2026

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.

Uncaught Exception

Moby Plugin Privilege Validation Bypass <29.3.1
CVE-2026-33997 8.4 - High - March 31, 2026

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugin privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1.

off-by-five

Negative Field Length Panic in pgproto3/v2 DataRow.Decode
CVE-2026-32286 7.5 - High - March 26, 2026

The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.

Improper Validation of Specified Index, Position, or Offset in Input

Go jsonparser Delete Negative Slice Index DoS
CVE-2026-32285 7.5 - High - March 26, 2026

The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

Improper Validation of Specified Index, Position, or Offset in Input

goxmldsig <1.6.0 SignedInfo Ref Loop Variable Capture Flaw
CVE-2026-33487 7.5 - High - March 26, 2026

goxmldsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop. goxmldsig version 1.6.0 contains a patch.

Improper Verification of Cryptographic Signature

NATS-Server <2.11.15 / <2.12.6 | Static creds via argv exposed in /debug/vars
CVE-2026-33247 7.5 - High - March 25, 2026

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a configuration file instead of via argv, and do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.

Insertion of Sensitive Information Into Debugging Code

NATSServer WebSocket Memory Exhaustion before Auth (2.11.15/2.12.6)
CVE-2026-33219 7.5 - High - March 25, 2026

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571: that earlier issue was a compression bomb, whereas this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment.

Allocation of Resources Without Limits or Throttling

NATS-Server <2.11.15 & 2.12.0-<2.12.6: Leafnode Port Pre-Auth Crash
CVE-2026-33218 7.5 - High - March 25, 2026

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered.

Improper Input Validation

NATS-Server <=2.11.15 & 2.12.0-2.12.6: ACL bypass in $MQTT.>
CVE-2026-33217 8.1 - High - March 25, 2026

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

AuthZ

NATS Server 2.11.15/2.12.6: MQTT passwords exposed via monitoring endpoint.
CVE-2026-33216 8.6 - High - March 25, 2026

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.

Unprotected Storage of Credentials

NATS-Server 2.x Leafnode Crash via Compression Pre-Auth
CVE-2026-29785 7.5 - High - March 25, 2026

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.

NULL Pointer Dereference

NATS-Server 2.2.0-2.11.14/2.12.0-2.12.4 WS Frame Panic Before Auth
CVE-2026-27889 7.5 - High - March 25, 2026

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websockets port. Versions 2.11.14 and 2.12.5 contain a fix. A workaround is available. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If one is able to do so, a defense in depth of restricting either of these will mitigate the attack.

Integer Overflow or Wraparound

gRPC-Go Auth Bypass (1.79.2) via noncanonical :path
CVE-2026-33186 9.1 - Critical - March 20, 2026

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy that contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

AuthZ

Go <1.26: crypto/x509 Email Constraint Bug
CVE-2026-27137 7.5 - High - March 06, 2026

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

Improper Certificate Validation

Go net/url Host Validation Flaw in Parse (v<1.25.8, <1.26.1)
CVE-2026-25679 7.5 - High - March 06, 2026

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Improper Validation of Syntactic Correctness of Input

Docker CLI Windows Low-Priv PrivEsc via Malicious CLI Plugins (<=29.1.5)
CVE-2025-15558 7.3 - High - March 04, 2026

Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, allowing privilege escalation if the docker CLI is executed as a privileged user. This issue affects Docker CLI: through 29.1.5, and Windows binaries acting as a CLI-plugin manager using the github.com/docker/cli/cli-plugins/manager package (https://pkg.go.dev/github.com/docker/cli@v29.1.5+incompatible/cli-plugins/manager), such as Docker Compose. This issue does not impact non-Windows binaries, or projects not using the plugin-manager code.

DLL preloading

Go net/url: MEM BOMB via Unlimited Query Param Count
CVE-2025-61726 7.5 - High - January 28, 2026

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Allocation of Resources Without Limits or Throttling

Grafana Dashboard Permissions PrivEsc via API Scope Bypass
CVE-2026-21721 8.1 - High - January 27, 2026

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization-internal privilege escalation.

AuthZ

urllib3 v1.22-v2.6.3 Redirect Stream Decompress Bomb (preload_content=False)
CVE-2026-21441 7.5 - High - January 07, 2026

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` and do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted sources.

Data Amplification

Nx npm package tampering: FS scan and credential exfil to GitHub
CVE-2025-10894 9.6 - Critical - September 24, 2025

Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repository under the affected users' accounts.

Embedded Malicious Code

Operator SDK <0.15.2 RCE via insecure user_setup /etc/passwd
CVE-2025-7195 6.4 - Medium - August 07, 2025

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

Incorrect Default Permissions

CIRCL FourQ RCE via Low-Order Point Injection in Diffie-Hellman
CVE-2025-8556 3.7 - Low - August 06, 2025

A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.

Improper Validation of Specified Type of Input
