Openshift Gitops Red Hat Openshift Gitops

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Red Hat Openshift Gitops.

Recent Red Hat Openshift Gitops Security Advisories

Advisory Title Published
RHSA-2026:35994 (RHSA-2026:35994) Important: Red Hat OpenShift GitOps v1.19.5 security update July 6, 2026
RHSA-2026:35995 (RHSA-2026:35995) Important: Red Hat OpenShift GitOps v1.21.1 security update July 6, 2026
RHSA-2026:35993 (RHSA-2026:35993) Important: Red Hat OpenShift GitOps v1.20.5 security update July 6, 2026
RHSA-2026:20947 (RHSA-2026:20947) Important: Red Hat OpenShift GitOps v1.20.4 security update May 26, 2026
RHSA-2026:20946 (RHSA-2026:20946) Important: Red Hat OpenShift GitOps v1.18.6 security update May 26, 2026
RHSA-2026:20943 (RHSA-2026:20943) Important: Red Hat OpenShift GitOps v1.19.4 security update May 26, 2026
RHSA-2026:9699 (RHSA-2026:9699) Important: Red Hat OpenShift GitOps v1.20.2 security update April 22, 2026
RHSA-2026:9698 (RHSA-2026:9698) Important: Red Hat OpenShift GitOps v1.19.3 security update April 22, 2026
RHSA-2026:9697 (RHSA-2026:9697) Important: Red Hat OpenShift GitOps v1.18.5 security update April 22, 2026
RHSA-2026:3884 (RHSA-2026:3884) Important: Red Hat OpenShift GitOps v1.19.2 security update March 5, 2026

By the Year

In 2026 there have been 57 vulnerabilities in Red Hat Openshift Gitops with an average score of 7.8 out of ten. Last year, in 2025 Openshift Gitops had 3 security vulnerabilities published. That is, 54 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.83.




Year Vulnerabilities Average Score
2026 57 7.83
2025 3 7.00
2024 4 6.10
2023 2 6.70
2022 1 6.50

It may take a day or so for new Openshift Gitops vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Openshift Gitops Security Vulnerabilities

OpenShift GitOps Argo CD ClusterRole Reconciliation Ownership Bypass (DoS)
CVE-2026-14251 7.7 - High - July 15, 2026

A flaw was found in the OpenShift GitOps operator. The ClusterRole reconciler does not validate resource ownership when reconciling ClusterRole objects. A namespace-scoped Argo CD instance can trigger deletion of a ClusterRole owned by a cluster-scoped Argo CD instance by crafting a name collision, resulting in a denial of service.

AuthZ

Argo CD Repo-server RCE via Unauth Remote Code Execution
CVE-2026-15416 8.9 - High - July 14, 2026

A flaw was identified in Argo CD, the GitOps engine used by Red Hat OpenShift GitOps, that could allow an unauthenticated attacker with network access to the Argo CD repo-server to achieve remote code execution. Under certain conditions, the attacker may then manipulate cached data to deploy malicious Kubernetes resources to managed clusters, potentially resulting in complete cluster compromise.

Missing Authentication for Critical Function

CRLF Injection in form-data <=4.0.5 via unsanitized field names and filenames
CVE-2026-12143 7.5 - High - June 12, 2026

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.

CRLF Injection

Go crypto/x509 VerifyHostname DNS SAN quadratic overhead
CVE-2026-27145 7.5 - High - June 02, 2026

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Unchecked Input for Loop Condition

golang.org/x/net/idna pre-0.55.0 IDN bug allows silent ASCII/Unicode mix
CVE-2026-39821 8.2 - High - May 22, 2026

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Improper Validation of Unsafe Equivalence in Input

Auth Bypass in golang.org/x/crypto/ssh <0.52.0
CVE-2026-46595 7.1 - High - May 22, 2026

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

AuthZ

KnownHosts Revocation Check Failure in golang.org/x/crypto/ssh<0.52.0
CVE-2026-42508 7.4 - High - May 22, 2026

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

Improper Certificate Validation

go/crypto/ssh CPU DoS via oversized RSA/DSA keys before 0.52
CVE-2026-39829 7.5 - High - May 22, 2026

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Improper Validation of Specified Quantity in Input

Resource Leak in golang.org/x/crypto/ssh <0.52.0 via Global Request Buffers
CVE-2026-39830 7.5 - High - May 22, 2026

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Missing Release of Resource after Effective Lifetime

SSH Agent Constraint-Serialization Bug (v<0.52.0)
CVE-2026-39832 8.7 - High - May 22, 2026

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Improper Preservation of Permissions

golang.org/x/crypto/ssh: CertChecker nil callback panic <0.52.0
CVE-2026-39835 7.5 - High - May 22, 2026

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

NULL Pointer Dereference

SSH Auth PartialSuccessError Permissions Discarded (golang.org/x/crypto/ssh <0.52.0)
CVE-2026-39828 8.8 - High - May 22, 2026

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Improper Preservation of Permissions

Traefik 2.11.46/3.6.17/3.7.1 RCE via Gateway REST provider
CVE-2026-44774 8.3 - High - May 15, 2026

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend reference whose name ends with @internal, making it possible to route traffic to rest@internal in addition to the intended api@internal. In shared Gateway deployments where the REST provider is enabled, this allows a low-privileged actor to gain live dynamic configuration write access to Traefik, enabling unauthorized reconfiguration of routers and services. This vulnerability is fixed in 2.11.46, 3.6.17, and 3.7.1.

Authorization

Argo CD 3.2.03.2.10/3.3.03.3.8: Unauthorized ServerSideDiff exfiltrates secrets
CVE-2026-42880 7.7 - High - May 07, 2026

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.

Information Disclosure

Go net/mail 1.25.x-1.26.3: ParseAddress/Date CPU/Memory Exhaustion
CVE-2026-39820 7.5 - High - May 07, 2026

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

Unchecked Input for Loop Condition

DoS via consumePhrase in Go net/mail RFC 5322 parsing <1.26.3
CVE-2026-42499 7.5 - High - May 07, 2026

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Creation of Immutable Text Using String Concatenation

Double-free CVE-2026-33811 via LookupCNAME in Go net (<=1.26.2)
CVE-2026-33811 7.5 - High - May 07, 2026

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

1341

Heap Exhaustion via Unvalidated Len in Prometheus Remote Read (<3.5.3/3.11.3)
CVE-2026-42154 7.5 - High - May 04, 2026

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.

Resource Exhaustion

Prometheus OAuth Client Secret Exposure via /-/config (pre 3.5.3/3.11.3)
CVE-2026-42151 7.5 - High - May 04, 2026

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.

Information Disclosure

Argo CD 3.2.0-3.2.10 & 3.3.0-3.3.8 ServerSideDiff Reveals K8s Secret Data
CVE-2026-43824 9.6 - Critical - May 02, 2026

In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.

Improper Removal of Sensitive Information Before Storage or Transfer

Qt Quick SVG: Node ID flaw enables QML/JS injection via VectorImage
CVE-2025-14576 7.8 - High - April 30, 2026

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.

Code Injection

OOB Read Vulnerability in Apache Thrift before 0.23.0
CVE-2026-41607 9.1 - Critical - April 28, 2026

Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Out-of-bounds Read

Apache Thrift <0.23.0: Uncontrolled Recursion Vulnerability
CVE-2026-41606 7.5 - High - April 28, 2026

Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Stack Exhaustion

Apache Thrift Int Overflow or Wraparound <0.23.0; Fixed 0.23.0
CVE-2026-41605 7.7 - High - April 28, 2026

Integer Overflow or Wraparound vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Integer Overflow or Wraparound

CVE-2026-41604: OOB Read in Apache Thrift < 0.23.0
CVE-2026-41604 8.2 - High - April 28, 2026

Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Out-of-bounds Read

Apache Thrift CVE-2026-41603: Improper Cert Host Mismatch Before 0.23.0
CVE-2026-41603 8.2 - High - April 28, 2026

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Improper Validation of Certificate with Host Mismatch

Apache Thrift Go TFramedTransport Integer Overflow (<0.23.0)
CVE-2026-41602 7.5 - High - April 28, 2026

Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Integer Overflow or Wraparound

follow-redirects: Auth Header Leak via Cross-Domain Redirects (1.15.x)
CVE-2026-40895 7.5 - High - April 21, 2026

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.

Information Disclosure

Go lib spdystream <0.5.1 OOM via SPDY frame parsing
CVE-2026-35469 6.5 - Medium - April 16, 2026

spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.

Allocation of Resources Without Limits or Throttling

CVE-2026-6388: ArgoCD Image Updater Cross-NS Escalation
CVE-2026-6388 9.1 - Critical - April 15, 2026

A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger unauthorized image updates on applications managed by other tenants. This leads to cross-namespace privilege escalation, impacting application integrity through unauthorized application updates.

Insufficient Granularity of Access Control

Go crypto/x509 Intermediates DoS (<=1.26.2)
CVE-2026-32280 7.5 - High - April 08, 2026

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Allocation of Resources Without Limits or Throttling

Go crypto/tls TLS 1.3 KeyUpdate deadlock DoS (1.25.9 & <1.26.2)
CVE-2026-32283 7.5 - High - April 08, 2026

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

Multiple Locks of a Critical Resource

Go 1.26.x crypto/x509 DNS Constraint Case Sensitivity
CVE-2026-33810 8.8 - High - April 08, 2026

When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Improper Validation of Unsafe Equivalence in Input

GoJOSE JWE Decrypt Panic (DoS) Fixed v4.1.4/3.0.5
CVE-2026-34986 7.5 - High - April 06, 2026

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.

Uncaught Exception

Lodash <4.18.0 _.template key-names RCE
CVE-2026-4800 8.1 - High - March 31, 2026

Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function(). Patches: Users should upgrade to version 4.18.0. Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Code Injection

Go jsonparser Delete Negative Slice Index DoS
CVE-2026-32285 7.5 - High - March 26, 2026

The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

Improper Validation of Specified Index, Position, or Offset in Input

DoS via Exponential Regex Expansion in path-to-regexp 8.4.0
CVE-2026-4926 7.5 - High - March 26, 2026

Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

Resource Exhaustion

goxmldsig <1.6.0 SignedInfo Ref Loop Variable Capture Flaw
CVE-2026-33487 7.5 - High - March 26, 2026

goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop. goxmlsig version 1.6.0 contains a patch.

Improper Verification of Cryptographic Signature

gRPC-Go Auth Bypass (1.79.2) via noncanonical :path
CVE-2026-33186 9.1 - Critical - March 20, 2026

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

AuthZ

Traefik mTLS Bypass via SNI Pre-Sniffing in v2.11.40-/3.6.11 & 3.7.0-ea.1
CVE-2026-32305 8.3 - High - March 20, 2026

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that should require mutual TLS authentication. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.

authentification

Go <1.26: crypto/x509 Email Constraint Bug
CVE-2026-27137 7.5 - High - March 06, 2026

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

Improper Certificate Validation

Go net/url Host Validation Flaw in Parse (v<1.25.8, <1.26.1)
CVE-2026-25679 7.5 - High - March 06, 2026

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Improper Validation of Syntactic Correctness of Input

Prototype Pollution in Immutable.js v<3.8.3/4.3.7/5.1.5 via mergeDeep API
CVE-2026-29063 8.8 - High - March 06, 2026

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

Prototype Pollution

Docker CLI Windows Low-Priv PrivEsc via Malicious CLI Plugins (<=29.1.5)
CVE-2025-15558 7.3 - High - March 04, 2026

Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, and allow privilege-escalation if the docker CLI is executed as a privileged user. This issue affects Docker CLI: through 29.1.5 and Windows binaries acting as a CLI-plugin manager using the github.com/docker/cli/cli-plugins/manager https://pkg.go.dev/github.com/docker/cli@v29.1.5+incompatible/cli-plugins/manager  package, such as Docker Compose. This issue does not impact non-Windows binaries, and projects not using the plugin-manager code.

DLL preloading

fast-xml-parser <5.3.5: Entity Name wildcard XSS via DOCTYPE parsing
CVE-2026-25896 7.1 - High - February 20, 2026

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (&lt;, &gt;, &amp;, &quot;, &apos;) with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.

Incorrect Regular Expression

fast-xml-parser XML Entity Expansion DoS 4.1.3-5.3.5
CVE-2026-26278 7.5 - High - February 19, 2026

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, its possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.

XEE

CVE-2025-69873: ajv 8.17.1 ReDoS via $data regex injection
CVE-2025-69873 7.5 - High - February 11, 2026

ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.

ReDoS

Go net/url: MEM BOMB via Unlimited Query Param Count
CVE-2025-61726 7.5 - High - January 28, 2026

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Allocation of Resources Without Limits or Throttling

Information Disclosure in Go Viper Mapstructure WeakDecode via Error Messages
CVE-2025-11065 5.3 - Medium - January 26, 2026

A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.

Generation of Error Message Containing Sensitive Information

npm CLI 10.9.0 LPE via Unsecured Module Loading
CVE-2026-0775 7 - High - January 23, 2026

npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.

Incorrect Permission Assignment for Critical Resource

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Red Hat Openshift Gitops or by Red Hat? Click the Watch button to subscribe.

Red Hat
Vendor

subscribe