Red Hat Rhdh
By the Year
In 2026 there has been 1 vulnerability in Red Hat Rhdh, with an average score of 6.5 out of ten. Last year, in 2025, Rhdh had 5 security vulnerabilities published. Right now, Rhdh is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.46.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 6.50 |
| 2025 | 5 | 6.04 |
| 2024 | 3 | 6.37 |
It may take a day or so for new Rhdh vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Rhdh Security Vulnerabilities
Red Hat Developer Hub Orchestrator Plugin DoS via GraphQL Input Injection
CVE-2026-3118
6.5 - Medium
- February 25, 2026
A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.
SQL Injection
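The advisory describes unvalidated GraphQL input turning into a crash of the whole Backstage process. The block below is an added example written for this page, not the Orchestrator plugin's or Backstage's own code, showing the two guards a practitioner would put in front of such a handler: validate request variables against a declared shape before any resolver runs, and run each operation in isolation so that anything thrown becomes a per-request error response instead of an uncaught exception. The variable shape, size limits, resolver and sample requests are assumptions constructed for the demo.

```javascript
// Added example, not the Orchestrator plugin's code: two guards that keep a
// malformed GraphQL request from becoming an uncaught exception that takes the
// whole Node process (and with it every user's session) down.
//   1. validateVariables checks request variables against a declared shape
//      (type, required, maximum size and nesting) before any resolver runs.
//   2. runIsolated executes the resolver and converts anything thrown into a
//      GraphQL-style { data, errors } response, masking internal details.
// The variable shape, limits and resolver below are constructed for the demo.

const LIMITS = { maxString: 4096, maxArray: 256, maxDepth: 6 }; // assumed limits

class ValidationError extends Error {}

// Walk a variable value, rejecting oversized strings/arrays and deep nesting.
// Depth is bounded by LIMITS.maxDepth, so the walk itself cannot blow the stack.
function checkSize(value, depth) {
  if (depth > LIMITS.maxDepth) throw new ValidationError('variable nested too deeply');
  if (Array.isArray(value)) {
    if (value.length > LIMITS.maxArray) throw new ValidationError('array too long');
    value.forEach((v) => checkSize(v, depth + 1));
  } else if (value !== null && typeof value === 'object') {
    Object.keys(value).forEach((k) => checkSize(value[k], depth + 1));
  } else if (typeof value === 'string' && value.length > LIMITS.maxString) {
    throw new ValidationError('string too long');
  }
}

// shape example: { name: { type: 'string', required: true }, tags: { type: 'array' } }
function validateVariables(shape, variables) {
  const vars = variables === undefined ? {} : variables;
  if (vars === null || typeof vars !== 'object' || Array.isArray(vars)) {
    throw new ValidationError('variables must be an object');
  }
  for (const name of Object.keys(vars)) {
    if (!Object.prototype.hasOwnProperty.call(shape, name)) {
      throw new ValidationError(`unexpected variable "${name}"`);
    }
  }
  for (const [name, rule] of Object.entries(shape)) {
    const v = vars[name];
    if (v === undefined || v === null) {
      if (rule.required) throw new ValidationError(`missing variable "${name}"`);
      continue;
    }
    const actual = Array.isArray(v) ? 'array' : typeof v;
    if (actual !== rule.type) {
      throw new ValidationError(`variable "${name}" must be ${rule.type}, got ${actual}`);
    }
    checkSize(v, 1);
  }
  return vars;
}

// Run one operation in isolation: validation failures are reported verbatim,
// anything else is masked as 'internal error'. Nothing is ever rethrown.
function runIsolated(shape, variables, resolver) {
  try {
    return { data: resolver(validateVariables(shape, variables)), errors: [] };
  } catch (err) {
    const message = err instanceof ValidationError ? err.message : 'internal error';
    return { data: null, errors: [{ message }] };
  }
}

// Constructed resolver: works on a string, would crash on an object, and
// simulates a backend failure for one specific input.
const WORKFLOW_SHAPE = { name: { type: 'string', required: true } };
function workflowResolver(vars) {
  if (vars.name === 'boom') throw new Error('db connection lost (host db-internal)');
  return { name: vars.name, id: vars.name.toUpperCase() };
}

const CONSTRUCTED_REQUESTS = [
  { name: 'deploy' },             // well-formed
  { name: { $ne: null } },        // object where a string is expected
  { name: 'deploy', extra: 1 },   // undeclared variable
  { name: 'boom' },               // resolver throws; client gets a masked error
];
for (const vars of CONSTRUCTED_REQUESTS) {
  console.log(JSON.stringify(vars), '->', JSON.stringify(runIsolated(WORKFLOW_SHAPE, vars, workflowResolver)));
}
```

The point of the isolation wrapper is that the failure stays scoped to one request: the object-typed `name` that would have thrown inside `toUpperCase` is rejected before the resolver runs, and the simulated backend failure returns a masked error rather than propagating out of the request handler.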
Nodemailer DoS via crafted email header triggers infinite recursion
CVE-2025-14874
7.5 - High
- December 18, 2025
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
Improper Check or Handling of Exceptional Conditions
Email Parser Vulnerability: Quoted External Address Escapes Recipient
CVE-2025-13033
7.5 - High
- November 14, 2025
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
Improper Validation of Syntactic Correctness of Input
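The two Nodemailer entries above (CVE-2025-14874, recursion in the address parser; CVE-2025-13033, a quoted external address changing where mail is delivered) share a root cause: address parsing that is neither bounded nor quote-aware. The block below is an added example written for this page, not Nodemailer's code, giving an iterative, length-bounded addr-spec parser that tracks quoted strings, then a policy check that only accepts a recipient when the domain delivery will actually use is allowlisted and nothing address-like hides inside the quoted local part. The length cap, the allowed domain and the sample recipients are assumptions constructed for the demo.

```javascript
// Added example, not Nodemailer's code: an iterative, bounded addr-spec parser
// that covers both failure modes above. It never recurses, so a crafted header
// cannot exhaust the stack, and it tracks quoted strings so an '@' inside
// "..." is never taken as the local-part/domain separator. The domain that
// delivery will actually use is then checked against an allowlist.
// MAX_RECIPIENT_LENGTH and the sample addresses are assumptions for the demo.

const MAX_RECIPIENT_LENGTH = 254;
const DOMAIN_RE = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$/;

// Parse "Display Name <local@domain>" or "local@domain" into its parts.
function parseRecipient(raw) {
  if (typeof raw !== 'string') throw new Error('recipient must be a string');
  const input = raw.trim();
  if (input.length === 0) throw new Error('empty recipient');
  if (input.length > MAX_RECIPIENT_LENGTH) throw new Error('recipient too long');

  // Pass 1: strip an optional display name, honouring quotes around it.
  let spec = input;
  let display = '';
  let inQuotes = false;
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (inQuotes && ch === '\\') { i++; continue; }      // skip escaped char
    if (ch === '"') { inQuotes = !inQuotes; continue; }
    if (!inQuotes && ch === '<') {
      if (!input.endsWith('>')) throw new Error('unterminated angle address');
      display = input.slice(0, i).trim();
      spec = input.slice(i + 1, -1).trim();
      break;
    }
  }

  // Pass 2: find the single unquoted '@'; remember if one was seen inside quotes.
  inQuotes = false;
  let atIndex = -1;
  let quotedAt = false;
  for (let i = 0; i < spec.length; i++) {
    const ch = spec[i];
    if (inQuotes && ch === '\\') { i++; continue; }
    if (ch === '"') { inQuotes = !inQuotes; continue; }
    if (ch !== '@') continue;
    if (inQuotes) { quotedAt = true; continue; }
    if (atIndex !== -1) throw new Error('more than one unquoted @');
    atIndex = i;
  }
  if (inQuotes) throw new Error('unterminated quoted string');
  if (atIndex < 1 || atIndex === spec.length - 1) throw new Error('missing local part or domain');

  const local = spec.slice(0, atIndex);
  const domain = spec.slice(atIndex + 1).toLowerCase();
  if (!DOMAIN_RE.test(domain)) throw new Error('malformed domain');
  return { display, local, domain, quotedAt };
}

// Policy: accept only when the delivery domain is allowlisted and no
// address-like text is hiding inside the quoted local part.
function checkInternalRecipient(raw, allowedDomains) {
  let parsed;
  try {
    parsed = parseRecipient(raw);
  } catch (err) {
    return { ok: false, reason: err.message };
  }
  if (parsed.quotedAt) return { ok: false, reason: 'quoted local part contains @' };
  if (!allowedDomains.includes(parsed.domain)) {
    return { ok: false, reason: `domain ${parsed.domain} not allowed` };
  }
  return { ok: true, address: `${parsed.local}@${parsed.domain}` };
}

// Constructed recipients, not taken from a real incident.
const ALLOWED_DOMAINS = ['internal.example'];
const CONSTRUCTED_RECIPIENTS = [
  'alice@internal.example',
  'Alice <alice@internal.example>',
  '"attacker@evil.example"@internal.example', // external address hidden in quotes
  '"alice"@evil.example',                      // external delivery domain
  'alice@@internal.example',
  '"'.repeat(20000) + '@internal.example',      // oversized input, rejected up front
];
for (const r of CONSTRUCTED_RECIPIENTS) {
  console.log(JSON.stringify(r.slice(0, 48)), '->', JSON.stringify(checkInternalRecipient(r, ALLOWED_DOMAINS)));
}
```

Two design choices matter here. The length check runs before any parsing, so oversized or pathological headers are refused in constant time. And the policy is evaluated on the domain after the last unquoted `@`, which is the only part an MTA routes on; a quoted local part that merely looks like another address is flagged rather than silently accepted.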
Insufficient Access Control in Red Hat Developer Hub Container Image
CVE-2025-5417
6.1 - Medium
- August 19, 2025
An insufficient access control vulnerability was found in the Red Hat Developer Hub rhdh/rhdh-hub-rhel9 container image. A Red Hat Developer Hub cluster user who has only standard user access to the cluster and to the Red Hat Developer Hub namespace can access the rhdh/rhdh-hub-rhel9 container and modify the image's content. This affects the confidentiality and integrity of the data, although any changes made are not permanent: they reset when the pod restarts.
Incorrect Privilege Assignment
CIRCL FourQ Session Compromise via Low-Order Point Injection in Diffie-Hellman
CVE-2025-8556
3.7 - Low
- August 06, 2025
A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.
Improper Validation of Specified Type of Input
serialize-javascript XSS via unsanitized regex input
CVE-2024-11831
5.4 - Medium
- February 10, 2025
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. The impact is greatest in environments where serialized data is sent to web clients, as it can compromise the security of the website or web application using this package.
XSS
Keycloak XSS via Malicious ACS URLs
CVE-2023-6717
6 - Medium
- April 25, 2024
A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm, or a client with registration access, to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the entire Keycloak instance.
XSS
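The fix for this class of issue is to validate the URL at registration time so that a non-http(s) scheme can never be stored and later rendered into a form action. The block below is an added example written for this page, not Keycloak's code, showing that check built on the WHATWG URL parser, which also normalises scheme case and strips embedded tab and newline characters before the scheme is compared. The candidate URLs and the length cap are assumptions constructed for the demo.

```javascript
// Added example, not Keycloak's code: the check an admin console or client
// registration endpoint should run on a submitted ACS / redirect URL before
// persisting it. Anything that is not an absolute http(s) URL is rejected, so a
// "javascript:" (or data:, vbscript:, ...) value can never be stored and later
// rendered into a form action. The WHATWG URL parser normalises case and strips
// tab/newline, so "JaVaScRiPt:" and "java\tscript:" are caught too. The
// candidate URLs are constructed for the demo.

const ALLOWED_SCHEMES = new Set(['https:', 'http:']);
const MAX_URL_LENGTH = 2048; // assumed cap

function validateAcsUrl(candidate, { allowHttp = false } = {}) {
  if (typeof candidate !== 'string' || candidate.length === 0 || candidate.length > MAX_URL_LENGTH) {
    return { ok: false, reason: 'empty, non-string or oversized' };
  }
  let url;
  try {
    url = new URL(candidate); // throws on relative or unparsable input
  } catch (err) {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.protocol === 'http:' && !allowHttp) return { ok: false, reason: 'plain http not allowed' };
  if (url.username !== '' || url.password !== '') return { ok: false, reason: 'credentials in URL' };
  if (url.hostname === '') return { ok: false, reason: 'missing host' };
  return { ok: true, normalized: url.href };
}

const CONSTRUCTED_CANDIDATES = [
  'https://app.example/saml/acs',
  'javascript:alert(document.domain)',
  'JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  '/saml/acs',
  'http://app.example/saml/acs',
];
for (const c of CONSTRUCTED_CANDIDATES) console.log(JSON.stringify(c), '->', JSON.stringify(validateAcsUrl(c)));
```

Storing `url.href` rather than the raw input means the persisted value is the parser's canonical form, so whatever later renders it into a form action sees exactly what was validated.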
Keycloak OIDC checkLoginIframe DoS via unvalidated cross-origin messages
CVE-2024-1249
7.4 - High
- April 17, 2024
A flaw was found in Keycloak's OIDC component in the "checkLoginIframe" handler, which accepts cross-origin messages without validating their origin. Because incoming messages are not checked against an allowed origin, an attacker can use simple code to coordinate and send millions of requests in seconds, significantly impacting the application's availability.
Origin Validation Error
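The session-status iframe is a window.postMessage listener, and the defect is that it does work for any sender. The block below is an added example written for this page, not Keycloak's code, modelling that listener in both forms: with origin validation off it answers every message and pays a session lookup each time, so a page on any origin can drive a flood; with validation on, messages whose event.origin is not registered for the client are dropped before any work is done and replies go back only to the verified origin. The "<clientId> <sessionState>" message format, the registered origin, the session store and the flood size are assumptions constructed for the demo.

```javascript
// Added example, not Keycloak's code: a session-status iframe message handler
// in the two forms the advisory contrasts. With validateOrigin disabled it
// answers every window.postMessage it receives, so a page on any origin can
// script a flood and each message costs a session lookup. With validation on,
// messages whose event.origin is not registered for the client are dropped
// before any work is done, and replies are always posted back to the verified
// origin rather than '*'. The "<clientId> <sessionState>" message format, the
// registered origins and the lookup function are assumptions for the demo.

function makeSessionStatusHandler(registeredOrigins, lookupSession, { validateOrigin = true } = {}) {
  const origins = new Set(registeredOrigins);
  const stats = { answered: 0, dropped: 0, lookups: 0 };

  // event mimics a MessageEvent: { origin, data }. Returns the reply that
  // would be posted, or null when the message is ignored.
  function handle(event) {
    if (validateOrigin && !origins.has(event.origin)) { stats.dropped++; return null; }
    if (typeof event.data !== 'string') { stats.dropped++; return null; }
    const parts = event.data.split(' ');
    if (parts.length !== 2 || parts[0] === '' || parts[1] === '') { stats.dropped++; return null; }
    const [clientId, sessionState] = parts;
    stats.lookups++;
    const reply = lookupSession(clientId, sessionState) ? 'unchanged' : 'changed';
    stats.answered++;
    return { targetOrigin: event.origin, reply };
  }
  return { handle, stats: () => ({ ...stats }) };
}

// Constructed session store and traffic.
const SESSIONS = { 'web-app': 'sess-123' };
const lookupSession = (clientId, sessionState) => SESSIONS[clientId] === sessionState;

function simulateFlood(handler, origin, count) {
  for (let i = 0; i < count; i++) handler.handle({ origin, data: `web-app sess-${i}` });
  return handler.stats();
}

const unvalidated = makeSessionStatusHandler(['https://app.example'], lookupSession, { validateOrigin: false });
const validated = makeSessionStatusHandler(['https://app.example'], lookupSession);
console.log('no origin check :', simulateFlood(unvalidated, 'https://evil.example', 10000));
console.log('origin validated:', simulateFlood(validated, 'https://evil.example', 10000));
console.log('legit message   :', validated.handle({ origin: 'https://app.example', data: 'web-app sess-123' }));
```

The order of checks is the point: the origin comparison is a Set lookup that costs nothing, and it runs before the message is parsed or the session store is consulted, so unsolicited traffic is shed at the cheapest possible step.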
Red Hat Developer Hub (RHDH) Access Token Leak via Catalog-Import
CVE-2023-6944
5.7 - Medium
- January 04, 2024
A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64-encoded GitLab token includes a newline at the end of the string. The error message shown on the frontend, although meant to be sanitized, can include the raw access token. Upon gaining access to this token, and depending on its permissions, an attacker could push malicious code to repositories, delete resources in Git, revoke or generate new keys, and sign code illegitimately.
Generation of Error Message Containing Sensitive Information
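The trailing-newline detail is what makes this bug instructive: a sanitizer that matches the configured secret byte-for-byte misses a token that reaches the error text without that newline. The block below is an added example written for this page, not RHDH's code, showing an exact-match redaction that fails in exactly that case beside a hardened version that normalises the configured secret, additionally masks anything matching the token pattern regardless of configuration, and bounds what is returned to the client. The token prefix pattern, the configured token and the upstream error text are assumptions constructed for the demo.

```javascript
// Added example, not RHDH's code: redacting configured secrets from an error
// before it reaches the frontend, including the edge case this advisory
// describes. naiveRedact replaces the secret exactly as configured; if the
// configured value carries a trailing newline (a base64-decoded token whose
// source ended in "\n"), the token as it appears in the upstream error has no
// newline, the exact match fails and the raw token goes to the client.
// hardenedRedact trims the configured secret first, also masks anything that
// matches the token pattern regardless of configuration, and truncates.
// The token prefix pattern, the configured token and the error text are
// constructed for the demo.

function naiveRedact(message, secrets) {
  let out = message;
  for (const s of secrets) {
    if (typeof s === 'string' && s.length > 0) out = out.split(s).join('[REDACTED]');
  }
  return out;
}

const TOKEN_PATTERN = /\bglpat-[A-Za-z0-9_-]{20,}\b/g; // assumed GitLab PAT shape
const MIN_SECRET_LENGTH = 8;   // never redact on tiny values that would shred the message
const MAX_CLIENT_MESSAGE = 512;

function hardenedRedact(message, secrets) {
  let out = String(message);
  for (const raw of secrets) {
    const s = typeof raw === 'string' ? raw.trim() : '';
    if (s.length >= MIN_SECRET_LENGTH) out = out.split(s).join('[REDACTED]');
  }
  out = out.replace(TOKEN_PATTERN, '[REDACTED]');
  return out.length > MAX_CLIENT_MESSAGE ? out.slice(0, MAX_CLIENT_MESSAGE) + '...' : out;
}

// What the catalog-import route would return to the browser.
function toClientError(err, secrets) {
  return { error: hardenedRedact(err && err.message ? err.message : 'unknown error', secrets) };
}

// Constructed values: a token read from a base64 file that ended with "\n",
// and the upstream error text that echoes the token back.
const CONFIGURED_TOKEN = 'glpat-ExampleToken0123456789\n';
const UPSTREAM_ERROR = new Error('GitLab returned 401 for token glpat-ExampleToken0123456789 (project import)');

console.log('naive   :', naiveRedact(UPSTREAM_ERROR.message, [CONFIGURED_TOKEN]));
console.log('hardened:', toClientError(UPSTREAM_ERROR, [CONFIGURED_TOKEN]));
```

The pattern-based pass is the safety net: it catches tokens the configuration never mentioned (a second token pasted into a URL, for instance), and it works even when the configured value has been mangled in a way trimming does not fix.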