Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0500
Vulnerability from certfr_avis - Published: 2026-04-27 - Updated: 2026-04-27
De multiples vulnérabilités ont été découvertes dans VMware Tanzu. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Tanzu Greenplum Platform Extension Framework versions ant\u00e9rieures \u00e0 8.0.0",
"product": {
"name": "N/A",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu Data Lake versions ant\u00e9rieures \u00e0 4.0.0",
"product": {
"name": "N/A",
"vendor": {
"name": "VMware",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2019-12384",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12384"
},
{
"name": "CVE-2019-17267",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-17267"
},
{
"name": "CVE-2026-2229",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2229"
},
{
"name": "CVE-2018-19362",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19362"
},
{
"name": "CVE-2026-33871",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33871"
},
{
"name": "CVE-2026-22737",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22737"
},
{
"name": "CVE-2026-3449",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3449"
},
{
"name": "CVE-2023-43642",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43642"
},
{
"name": "CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"name": "CVE-2026-22036",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22036"
},
{
"name": "CVE-2023-1370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
},
{
"name": "CVE-2023-33201",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33201"
},
{
"name": "CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"name": "CVE-2026-24098",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24098"
},
{
"name": "CVE-2018-14719",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14719"
},
{
"name": "CVE-2026-24734",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24734"
},
{
"name": "CVE-2021-0341",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-0341"
},
{
"name": "CVE-2025-66614",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66614"
},
{
"name": "CVE-2020-9546",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9546"
},
{
"name": "CVE-2025-56200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-56200"
},
{
"name": "CVE-2020-10673",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10673"
},
{
"name": "CVE-2020-35728",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35728"
},
{
"name": "CVE-2020-36181",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36181"
},
{
"name": "CVE-2026-1527",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1527"
},
{
"name": "CVE-2020-9548",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9548"
},
{
"name": "CVE-2020-36182",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36182"
},
{
"name": "CVE-2020-24616",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-24616"
},
{
"name": "CVE-2026-41239",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41239"
},
{
"name": "CVE-2020-36185",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36185"
},
{
"name": "CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"name": "CVE-2023-34610",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34610"
},
{
"name": "CVE-2024-47561",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47561"
},
{
"name": "CVE-2019-16942",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16942"
},
{
"name": "CVE-2022-25883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25883"
},
{
"name": "CVE-2026-34486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34486"
},
{
"name": "CVE-2026-1525",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1525"
},
{
"name": "CVE-2018-1320",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1320"
},
{
"name": "CVE-2020-9547",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9547"
},
{
"name": "CVE-2026-29145",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29145"
},
{
"name": "CVE-2025-24970",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24970"
},
{
"name": "CVE-2025-49128",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49128"
},
{
"name": "CVE-2020-36179",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36179"
},
{
"name": "CVE-2018-14718",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14718"
},
{
"name": "CVE-2020-10650",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10650"
},
{
"name": "CVE-2025-1647",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1647"
},
{
"name": "CVE-2020-36186",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36186"
},
{
"name": "CVE-2026-23745",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23745"
},
{
"name": "CVE-2025-7962",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7962"
},
{
"name": "CVE-2020-36189",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36189"
},
{
"name": "CVE-2019-20444",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20444"
},
{
"name": "CVE-2020-35490",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35490"
},
{
"name": "CVE-2023-34462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
},
{
"name": "CVE-2026-33870",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33870"
},
{
"name": "CVE-2023-34454",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34454"
},
{
"name": "CVE-2021-20190",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20190"
},
{
"name": "CVE-2024-29857",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
},
{
"name": "CVE-2020-13949",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13949"
},
{
"name": "CVE-2023-33202",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33202"
},
{
"name": "CVE-2024-13009",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-13009"
},
{
"name": "CVE-2023-26115",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26115"
},
{
"name": "CVE-2025-54550",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54550"
},
{
"name": "CVE-2025-54920",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54920"
},
{
"name": "CVE-2024-34447",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34447"
},
{
"name": "CVE-2019-16335",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16335"
},
{
"name": "CVE-2023-34453",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34453"
},
{
"name": "CVE-2025-33042",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-33042"
},
{
"name": "CVE-2024-11831",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-11831"
},
{
"name": "CVE-2018-7489",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-7489"
},
{
"name": "CVE-2025-58057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58057"
},
{
"name": "CVE-2026-34500",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34500"
},
{
"name": "CVE-2025-9624",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9624"
},
{
"name": "CVE-2026-34043",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34043"
},
{
"name": "CVE-2024-26308",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26308"
},
{
"name": "CVE-2025-64718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-64718"
},
{
"name": "CVE-2020-11113",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11113"
},
{
"name": "CVE-2025-62718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62718"
},
{
"name": "CVE-2026-4800",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4800"
},
{
"name": "CVE-2026-33671",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33671"
},
{
"name": "CVE-2026-33532",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33532"
},
{
"name": "CVE-2025-68470",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68470"
},
{
"name": "CVE-2025-67721",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-67721"
},
{
"name": "CVE-2024-23454",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23454"
},
{
"name": "CVE-2020-10672",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10672"
},
{
"name": "CVE-2022-3510",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3510"
},
{
"name": "CVE-2022-3509",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3509"
},
{
"name": "CVE-2021-37137",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37137"
},
{
"name": "CVE-2019-14439",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14439"
},
{
"name": "CVE-2026-33750",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33750"
},
{
"name": "CVE-2025-66236",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66236"
},
{
"name": "CVE-2020-10969",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10969"
},
{
"name": "CVE-2024-48910",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-48910"
},
{
"name": "CVE-2024-8184",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8184"
},
{
"name": "CVE-2025-11143",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11143"
},
{
"name": "CVE-2026-34480",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34480"
},
{
"name": "CVE-2025-52999",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
},
{
"name": "CVE-2025-7783",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7783"
},
{
"name": "CVE-2026-33228",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33228"
},
{
"name": "CVE-2025-12758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12758"
},
{
"name": "CVE-2024-21538",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21538"
},
{
"name": "CVE-2020-36187",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36187"
},
{
"name": "CVE-2026-40175",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40175"
},
{
"name": "CVE-2024-57083",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57083"
},
{
"name": "CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"name": "CVE-2024-23953",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23953"
},
{
"name": "CVE-2026-29074",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29074"
},
{
"name": "CVE-2025-68161",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68161"
},
{
"name": "CVE-2023-34455",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34455"
},
{
"name": "CVE-2024-29131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29131"
},
{
"name": "CVE-2026-41240",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41240"
},
{
"name": "CVE-2026-26960",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26960"
},
{
"name": "CVE-2020-11620",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11620"
},
{
"name": "CVE-2024-53382",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53382"
},
{
"name": "CVE-2018-12022",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12022"
},
{
"name": "CVE-2024-47554",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47554"
},
{
"name": "CVE-2022-37601",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37601"
},
{
"name": "CVE-2018-5968",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-5968"
},
{
"name": "CVE-2025-61795",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61795"
},
{
"name": "CVE-2026-27903",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27903"
},
{
"name": "CVE-2021-21295",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21295"
},
{
"name": "CVE-2024-45801",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45801"
},
{
"name": "CVE-2020-24750",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-24750"
},
{
"name": "CVE-2025-27821",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27821"
},
{
"name": "CVE-2022-41404",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41404"
},
{
"name": "CVE-2023-39410",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39410"
},
{
"name": "CVE-2024-25710",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25710"
},
{
"name": "CVE-2024-7254",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
},
{
"name": "CVE-2026-22732",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22732"
},
{
"name": "CVE-2024-29133",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29133"
},
{
"name": "CVE-2025-55163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
},
{
"name": "CVE-2026-34487",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34487"
},
{
"name": "CVE-2025-27555",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27555"
},
{
"name": "CVE-2025-65995",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-65995"
},
{
"name": "CVE-2022-3517",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3517"
},
{
"name": "CVE-2019-16943",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16943"
},
{
"name": "CVE-2021-43797",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
},
{
"name": "CVE-2026-24842",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24842"
},
{
"name": "CVE-2017-7525",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7525"
},
{
"name": "CVE-2026-23950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23950"
},
{
"name": "CVE-2019-20330",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20330"
},
{
"name": "CVE-2026-2950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2950"
},
{
"name": "CVE-2020-14195",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14195"
},
{
"name": "CVE-2018-10237",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10237"
},
{
"name": "CVE-2019-12814",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12814"
},
{
"name": "CVE-2020-35491",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35491"
},
{
"name": "CVE-2019-17531",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-17531"
},
{
"name": "CVE-2026-32280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
},
{
"name": "CVE-2023-52428",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52428"
},
{
"name": "CVE-2025-69873",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69873"
},
{
"name": "CVE-2020-14061",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14061"
},
{
"name": "CVE-2024-6485",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6485"
},
{
"name": "CVE-2025-67735",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-67735"
},
{
"name": "CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"name": "CVE-2025-68458",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68458"
},
{
"name": "CVE-2021-22569",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22569"
},
{
"name": "CVE-2020-11619",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11619"
},
{
"name": "CVE-2026-29786",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29786"
},
{
"name": "CVE-2025-26791",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-26791"
},
{
"name": "CVE-2020-36183",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36183"
},
{
"name": "CVE-2026-25854",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25854"
},
{
"name": "CVE-2021-22573",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22573"
},
{
"name": "CVE-2020-8840",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8840"
},
{
"name": "CVE-2026-2332",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2332"
},
{
"name": "CVE-2025-58056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58056"
},
{
"name": "CVE-2026-1526",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1526"
},
{
"name": "CVE-2019-0205",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0205"
},
{
"name": "CVE-2024-47875",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47875"
},
{
"name": "CVE-2022-41854",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41854"
},
{
"name": "CVE-2026-33672",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33672"
},
{
"name": "CVE-2020-8908",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8908"
},
{
"name": "CVE-2024-37890",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37890"
},
{
"name": "CVE-2020-36184",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36184"
},
{
"name": "CVE-2023-42503",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42503"
},
{
"name": "CVE-2024-56373",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56373"
},
{
"name": "CVE-2026-25639",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25639"
},
{
"name": "CVE-2020-36180",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36180"
},
{
"name": "CVE-2024-28863",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28863"
},
{
"name": "CVE-2021-31684",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31684"
},
{
"name": "CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"name": "CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"name": "CVE-2025-25193",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25193"
},
{
"name": "CVE-2020-36518",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
},
{
"name": "CVE-2026-22735",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22735"
},
{
"name": "CVE-2025-5889",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5889"
},
{
"name": "CVE-2024-30171",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30171"
},
{
"name": "CVE-2026-24733",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24733"
},
{
"name": "CVE-2022-38900",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38900"
},
{
"name": "CVE-2025-68157",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68157"
},
{
"name": "CVE-2017-15095",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-15095"
},
{
"name": "CVE-2019-14540",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14540"
},
{
"name": "CVE-2024-36114",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36114"
},
{
"name": "CVE-2025-27789",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27789"
},
{
"name": "CVE-2019-12086",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12086"
},
{
"name": "CVE-2025-48924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48924"
},
{
"name": "CVE-2022-38752",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38752"
},
{
"name": "CVE-2025-8916",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8916"
},
{
"name": "CVE-2025-8885",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8885"
},
{
"name": "CVE-2025-41249",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-41249"
},
{
"name": "CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"name": "CVE-2021-21290",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21290"
},
{
"name": "CVE-2018-11307",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-11307"
},
{
"name": "CVE-2026-26996",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26996"
},
{
"name": "CVE-2020-10968",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10968"
},
{
"name": "CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"name": "CVE-2020-25649",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25649"
},
{
"name": "CVE-2025-68675",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68675"
},
{
"name": "CVE-2023-2976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2976"
},
{
"name": "CVE-2017-17485",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-17485"
},
{
"name": "CVE-2026-34483",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34483"
},
{
"name": "CVE-2022-37599",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37599"
},
{
"name": "CVE-2026-32141",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32141"
},
{
"name": "CVE-2025-59419",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59419"
},
{
"name": "CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"name": "CVE-2019-14379",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14379"
},
{
"name": "CVE-2023-26136",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26136"
},
{
"name": "CVE-2026-33816",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33816"
},
{
"name": "CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
},
{
"name": "CVE-2026-25219",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25219"
},
{
"name": "CVE-2020-11112",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11112"
},
{
"name": "CVE-2020-11111",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11111"
},
{
"name": "CVE-2026-31802",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31802"
},
{
"name": "CVE-2025-13465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13465"
},
{
"name": "CVE-2025-22227",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22227"
},
{
"name": "CVE-2026-27904",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27904"
},
{
"name": "CVE-2026-1225",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1225"
},
{
"name": "CVE-2020-14060",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14060"
},
{
"name": "CVE-2020-36188",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36188"
},
{
"name": "CVE-2016-1000027",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000027"
},
{
"name": "CVE-2024-57699",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
},
{
"name": "CVE-2019-14892",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14892"
},
{
"name": "CVE-2019-20445",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20445"
},
{
"name": "CVE-2025-48734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48734"
},
{
"name": "CVE-2025-11226",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11226"
},
{
"name": "CVE-2020-14062",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14062"
}
],
"initial_release_date": "2026-04-27T00:00:00",
"last_revision_date": "2026-04-27T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0500",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-04-27T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans VMware Tanzu. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans VMware Tanzu",
"vendor_advisories": [
{
"published_at": "2026-04-24",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37405",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37405"
},
{
"published_at": "2026-04-24",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37404",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37404"
}
]
}
CVE-2025-11226 (GCVE-0-2025-11226)
Vulnerability from cvelistv5 – Published: 2025-10-01 07:26 – Updated: 2026-06-25 16:04
VLAI
EPSS
Title
Conditional processing of logback.xml configuration file, in conjuction with Spring Framework and Janino
Summary
ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.
A successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| QOS.CH Sarl | Logback-core |
Affected:
0.9.20 , ≤ 1.5.18
(maven)
Unaffected: 1.5.19 Unaffected: 1.3.16 |
Credits
Heihu577
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11226",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T16:04:36.111603Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T16:04:42.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"logback-core"
],
"platforms": [
"Java"
],
"product": "Logback-core",
"vendor": "QOS.CH Sarl",
"versions": [
{
"lessThanOrEqual": "1.5.18",
"status": "affected",
"version": "0.9.20",
"versionType": "maven"
},
{
"status": "unaffected",
"version": "1.5.19"
},
{
"status": "unaffected",
"version": "1.3.16"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qos.ch_sarl:logback-core:*:*:java:*:*:*:*:*",
"versionEndIncluding": "1.5.18",
"versionStartIncluding": "0.9.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qos.ch_sarl:logback-core:1.5.19:*:java:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:qos.ch_sarl:logback-core:1.3.16:*:java:*:*:*:*:*",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Heihu577"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003eA successful attack requires the presence of Janino library and Spring Framework to be present on the user\u0027s class path. In addition, the attacker must\u0026nbsp; have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.\n\n\n\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.\n\n\n\nA successful attack requires the presence of Janino library and Spring Framework to be present on the user\u0027s class path. In addition, the attacker must\u00a0 have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No known exploitation\u003cbr\u003e"
}
],
"value": "No known exploitation"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Arbitrary code execution on previously compromised system"
}
]
},
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:P/AU:N/RE:M/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T08:35:28.533Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://logback.qos.ch/news.html#1.5.19"
},
{
"url": "https://logback.qos.ch/news.html#1.3.16"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Remove Janino from the Java classpath or update to logack version 1.5.19 or later. \u003cbr\u003e"
}
],
"value": "Remove Janino from the Java classpath or update to logack version 1.5.19 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Conditional processing of logback.xml configuration file, in conjuction with Spring Framework and Janino",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Remove Janino from the Java classpath or update to logack version 1.5.19 or later. \u003cbr\u003e"
}
],
"value": "Remove Janino from the Java classpath or update to logack version 1.5.19 or later."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2025-11226",
"datePublished": "2025-10-01T07:26:12.567Z",
"dateReserved": "2025-10-01T07:25:16.311Z",
"dateUpdated": "2026-06-25T16:04:42.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12758 (GCVE-0-2025-12758)
Vulnerability from cvelistv5 – Published: 2025-11-27 05:00 – Updated: 2026-01-29 23:06
VLAI
EPSS
Summary
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Credits
Karol Wrótniak
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12758",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T16:27:54.528645Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-172",
"description": "CWE-172 Encoding Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T16:27:57.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-01-29T23:06:54.441Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2026/Jan/27"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "validator",
"vendor": "n/a",
"versions": [
{
"lessThan": "13.15.22",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Karol Wr\u00f3tniak"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\\uFE0F, \\uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
"version": "3.1"
},
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-792",
"description": "Incomplete Filtering of One or More Instances of Special Elements",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T05:00:01.916Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476"
},
{
"url": "https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572e"
},
{
"url": "https://github.com/validatorjs/validator.js/pull/2616"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2025-12758",
"datePublished": "2025-11-27T05:00:01.916Z",
"dateReserved": "2025-11-05T16:10:29.370Z",
"dateUpdated": "2026-01-29T23:06:54.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13465 (GCVE-0-2025-13465)
Vulnerability from cvelistv5 – Published: 2026-01-21 19:05 – Updated: 2026-06-30 12:07
VLAI
EPSS
Title
Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions
Summary
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
76 references
Impacted products
126 products
Credits
Lukas Euler
Jordan Harband
Michał Lipiński
Ulises Gascón
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13465",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-21T19:43:10.513400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T19:43:38.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T12:59:53.016Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"x_adpType": "supplier"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
],
"defaultStatus": "affected",
"product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2.6::el9",
"cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9",
"cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cryostat:4::el9"
],
"defaultStatus": "affected",
"product": "Cryostat 4 on RHEL 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cluster_observability_operator:1.4::el9"
],
"defaultStatus": "affected",
"product": "Cluster Observability Operator 1.4.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:apache_camel_hawtio:4.4::el9"
],
"defaultStatus": "affected",
"product": "HawtIO HawtIO 4.4.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux High Availability EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux High Availability (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.4::highavailability"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux High Availability AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus_long_life:8.4::highavailability"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux HighAvailability EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.6::highavailability"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux High Availability E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_tus:8.6::highavailability"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux High Availability TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.8::highavailability"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux High Availability E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_tus:8.8::highavailability"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux High Availability TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::highavailability"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux High Availability E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::highavailability"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux High Availability E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::highavailability"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux High Availability EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::highavailability"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux High Availability EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::highavailability"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux High Availability (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:network_observ_optr:1.11::el9"
],
"defaultStatus": "affected",
"product": "Network Observability (NETOBSERV) 1.11.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2.12::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2.12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2.15::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4.10::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Security for Kubernetes 4.10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4.8::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Security for Kubernetes 4.8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4.9::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Security for Kubernetes 4.9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2.5::el8"
],
"defaultStatus": "affected",
"product": "Red Hat Ansible Automation Platform 2.5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2.6::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Ansible Automation Platform 2.6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:7.1::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 7.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_data_grid:8"
],
"defaultStatus": "affected",
"product": "Red Hat Data Grid 8.6.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1.8::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub 1.8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:2.25::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI 2.25",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.12::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.15::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.17::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.17",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.20",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.21::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.21",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.27::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces 3.27",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1.17::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift GitOps 1.17",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1.18::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift GitOps 1.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1.19::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift GitOps 1.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1.15::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Pipelines 1.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Pipelines 1.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2.6::el8"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 2.6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.0::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.1::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Satellite 6.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:trusted_artifact_signer:1.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Trusted Artifact Signer 1.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:trusted_artifact_signer:1.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Trusted Artifact Signer 1.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::resilientstorage"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::resilientstorage"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Resilient Storage E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::resilientstorage"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::resilientstorage"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Resilient Storage EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::resilientstorage"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux Resilient Storage (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine:2.10::el9"
],
"defaultStatus": "affected",
"product": "multicluster engine for Kubernetes 2.10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine:2.6::el9"
],
"defaultStatus": "affected",
"product": "multicluster engine for Kubernetes 2.6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine:2.7::el9"
],
"defaultStatus": "affected",
"product": "multicluster engine for Kubernetes 2.7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine:2.8::el9"
],
"defaultStatus": "affected",
"product": "multicluster engine for Kubernetes 2.8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine:2.9::el9"
],
"defaultStatus": "affected",
"product": "multicluster engine for Kubernetes 2.9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:logging:5"
],
"defaultStatus": "affected",
"product": "Logging Subsystem for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:8"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Applications 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhmt:1"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_virtualization:2"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Virtualization",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:workload_availability_nhc:0"
],
"defaultStatus": "affected",
"product": "Node HealthCheck Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "affected",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:red_hat_3scale_amp:2"
],
"defaultStatus": "affected",
"product": "Red Hat 3scale API Management Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "affected",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_registry:2"
],
"defaultStatus": "affected",
"product": "Red Hat build of Apicurio Registry 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:optaplanner:::el6"
],
"defaultStatus": "affected",
"product": "Red Hat build of OptaPlanner 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:4"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:5"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:6"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:8"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:connectivity_link:1"
],
"defaultStatus": "affected",
"product": "Red Hat Connectivity Link 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:edge_manager:1"
],
"defaultStatus": "affected",
"product": "Red Hat Edge Manager 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:edge_manager:0"
],
"defaultStatus": "affected",
"product": "Red Hat Edge Manager preview",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
],
"defaultStatus": "affected",
"product": "Red Hat Fuse 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_distributed_tracing:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift distributed tracing 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift GitOps",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:container_native_virtualization:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Virtualization 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
],
"defaultStatus": "affected",
"product": "Red Hat Process Automation 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "affected",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7"
],
"defaultStatus": "affected",
"product": "Red Hat Single Sign-On 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:trusted_profile_analyzer:2"
],
"defaultStatus": "affected",
"product": "Red Hat Trusted Profile Analyzer",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_streams:2"
],
"defaultStatus": "affected",
"product": "streams for Apache Kafka 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:amq_streams:3"
],
"defaultStatus": "affected",
"product": "streams for Apache Kafka 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2.6::el10",
"cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Ansible Automation Platform 2.6 for RHEL 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:confidential_compute_attestation:1"
],
"defaultStatus": "unaffected",
"product": "Confidential Compute Attestation",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:gatekeeper:3"
],
"defaultStatus": "unaffected",
"product": "Gatekeeper 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine"
],
"defaultStatus": "unaffected",
"product": "Multicluster Engine for Kubernetes",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2"
],
"defaultStatus": "unaffected",
"product": "OpenShift Service Mesh 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3"
],
"defaultStatus": "unaffected",
"product": "OpenShift Service Mesh 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4"
],
"defaultStatus": "unaffected",
"product": "Red Hat Advanced Cluster Security 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:directory_server:11"
],
"defaultStatus": "unaffected",
"product": "Red Hat Directory Server 11",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:directory_server:12"
],
"defaultStatus": "unaffected",
"product": "Red Hat Directory Server 12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:directory_server:13"
],
"defaultStatus": "unaffected",
"product": "Red Hat Directory Server 13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat JBoss Enterprise Application Platform 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jbosseapxp"
],
"defaultStatus": "unaffected",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3"
],
"defaultStatus": "unaffected",
"product": "Red Hat Quay 3",
"vendor": "Red Hat"
}
],
"datePublic": "2026-01-21T19:05:28.846Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Lodash. A prototype pollution vulnerability in the _.unset and _.omit functions allows an attacker able to control property paths to delete methods from global prototypes. By removing essential functionalities, this can result in a denial of service."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:07:25.844Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-13465"
},
{
"name": "RHBZ#2431740",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431740"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-13465.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33371"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3958"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:1845"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18480"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:24331"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18868"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:4782"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2818"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2438"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2462"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2469"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2465"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2484"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2819"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2817"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2816"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2452"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2900"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:5633"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8229"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13548"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13829"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:4466"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:4467"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3962"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3960"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33154"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:4630"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2675"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2694"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3782"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19712"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3870"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3422"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2990"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:15091"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:4423"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14774"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2661"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20088"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2672"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21658"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2078"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20042"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2651"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17469"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2119"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2984"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:6192"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3869"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3874"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3884"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3710"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3825"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2145"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2147"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2148"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2149"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:6497"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:6567"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14870"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:14871"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:6288"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:2926"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3087"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:13542"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:9848"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:5636"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8218"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:11414"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:33371: Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server"
},
{
"lang": "en",
"value": "RHSA-2026:3958: Red Hat Ansible Automation Platform 2.6 for RHEL 9"
},
{
"lang": "en",
"value": "RHSA-2026:1845: Cryostat 4 on RHEL 9"
},
{
"lang": "en",
"value": "RHSA-2026:18480: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:24331: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:18868: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:4782: Cluster Observability Operator 1.4.0"
},
{
"lang": "en",
"value": "RHSA-2026:25089: HawtIO HawtIO 4.4.0"
},
{
"lang": "en",
"value": "RHSA-2026:2818: Red Hat Enterprise Linux High Availability EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:2438: Red Hat Enterprise Linux High Availability (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:2462: Red Hat Enterprise Linux High Availability AUS (v.8.4), Red Hat Enterprise Linux HighAvailability EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:2469: Red Hat Enterprise Linux High Availability E4S (v.8.6), Red Hat Enterprise Linux High Availability TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:2465: Red Hat Enterprise Linux High Availability E4S (v.8.8), Red Hat Enterprise Linux High Availability TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:2484: Red Hat Enterprise Linux High Availability E4S (v.9.0), Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:2819: Red Hat Enterprise Linux High Availability E4S (v.9.2), Red Hat Enterprise Linux Resilient Storage E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:2817: Red Hat Enterprise Linux High Availability EUS (v.9.4), Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:2816: Red Hat Enterprise Linux High Availability EUS (v.9.6), Red Hat Enterprise Linux Resilient Storage EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:2452: Red Hat Enterprise Linux High Availability (v. 9), Red Hat Enterprise Linux Resilient Storage (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:2900: Network Observability (NETOBSERV) 1.11.2"
},
{
"lang": "en",
"value": "RHSA-2026:5633: Red Hat Advanced Cluster Management for Kubernetes 2.12"
},
{
"lang": "en",
"value": "RHSA-2026:8229: Red Hat Advanced Cluster Management for Kubernetes 2.13"
},
{
"lang": "en",
"value": "RHSA-2026:13548: Red Hat Advanced Cluster Management for Kubernetes 2.15"
},
{
"lang": "en",
"value": "RHSA-2026:13829: Red Hat Advanced Cluster Security for Kubernetes 4.10"
},
{
"lang": "en",
"value": "RHSA-2026:4466: Red Hat Advanced Cluster Security for Kubernetes 4.8"
},
{
"lang": "en",
"value": "RHSA-2026:4467: Red Hat Advanced Cluster Security for Kubernetes 4.9"
},
{
"lang": "en",
"value": "RHSA-2026:3962: Red Hat Ansible Automation Platform 2.5"
},
{
"lang": "en",
"value": "RHSA-2026:3960: Red Hat Ansible Automation Platform 2.6"
},
{
"lang": "en",
"value": "RHSA-2026:33154: Red Hat Ceph Storage 7.1"
},
{
"lang": "en",
"value": "RHSA-2026:4630: Red Hat Data Grid 8.6.0"
},
{
"lang": "en",
"value": "RHSA-2026:2675: Red Hat Developer Hub 1.8"
},
{
"lang": "en",
"value": "RHSA-2026:2694: Red Hat Discovery 2"
},
{
"lang": "en",
"value": "RHSA-2026:3782: Red Hat OpenShift AI 2.25"
},
{
"lang": "en",
"value": "RHSA-2026:19712: Red Hat OpenShift AI 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:3870: Red Hat OpenShift Container Platform 4.12"
},
{
"lang": "en",
"value": "RHSA-2026:3422: Red Hat OpenShift Container Platform 4.13"
},
{
"lang": "en",
"value": "RHSA-2026:2990: Red Hat OpenShift Container Platform 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:15091: Red Hat OpenShift Container Platform 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:4423: Red Hat OpenShift Container Platform 4.15"
},
{
"lang": "en",
"value": "RHSA-2026:14774: Red Hat OpenShift Container Platform 4.15"
},
{
"lang": "en",
"value": "RHSA-2026:2661: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:20088: Red Hat OpenShift Container Platform 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:2672: Red Hat OpenShift Container Platform 4.17"
},
{
"lang": "en",
"value": "RHSA-2026:21658: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:2078: Red Hat OpenShift Container Platform 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:20042: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:2651: Red Hat OpenShift Container Platform 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:17469: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:2119: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:2984: Red Hat OpenShift Container Platform 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:6192: Red Hat OpenShift Dev Spaces 3.27"
},
{
"lang": "en",
"value": "RHSA-2026:3869: Red Hat OpenShift GitOps 1.17"
},
{
"lang": "en",
"value": "RHSA-2026:3874: Red Hat OpenShift GitOps 1.18"
},
{
"lang": "en",
"value": "RHSA-2026:3884: Red Hat OpenShift GitOps 1.19"
},
{
"lang": "en",
"value": "RHSA-2026:3710: Red Hat OpenShift Pipelines 1.15"
},
{
"lang": "en",
"value": "RHSA-2026:3825: Red Hat OpenShift Pipelines 1.2"
},
{
"lang": "en",
"value": "RHSA-2026:2145: Red Hat OpenShift Service Mesh 2.6"
},
{
"lang": "en",
"value": "RHSA-2026:2147: Red Hat OpenShift Service Mesh 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:2148: Red Hat OpenShift Service Mesh 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:2149: Red Hat OpenShift Service Mesh 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:6497: Red Hat Quay 3.16"
},
{
"lang": "en",
"value": "RHSA-2026:6567: Red Hat Quay 3.16"
},
{
"lang": "en",
"value": "RHSA-2026:14870: Red Hat Satellite 6.18"
},
{
"lang": "en",
"value": "RHSA-2026:14871: Red Hat Satellite 6.18"
},
{
"lang": "en",
"value": "RHSA-2026:6288: Red Hat Satellite 6.18"
},
{
"lang": "en",
"value": "RHSA-2026:2926: Red Hat Trusted Artifact Signer 1.2"
},
{
"lang": "en",
"value": "RHSA-2026:3087: Red Hat Trusted Artifact Signer 1.3"
},
{
"lang": "en",
"value": "RHSA-2026:13542: multicluster engine for Kubernetes 2.10"
},
{
"lang": "en",
"value": "RHSA-2026:9848: multicluster engine for Kubernetes 2.6"
},
{
"lang": "en",
"value": "RHSA-2026:5636: multicluster engine for Kubernetes 2.7"
},
{
"lang": "en",
"value": "RHSA-2026:8218: multicluster engine for Kubernetes 2.8"
},
{
"lang": "en",
"value": "RHSA-2026:11414: multicluster engine for Kubernetes 2.9"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-21T20:01:28.774Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-01-21T19:05:28.846Z",
"value": "Made public."
}
],
"title": "lodash: prototype pollution in _.unset and _.omit functions",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, implement strict input validation before passing any property paths to the _.unset and _.omit functions to block attempts to access the prototype chain. Ensure that strings like __proto__, constructor and prototype are blocked, for example."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"https://github.com/lodash/lodash"
],
"packageName": "lodash",
"product": "Lodash",
"repo": "https://github.com/lodash/lodash",
"vendor": "Lodash",
"versions": [
{
"lessThanOrEqual": "4.17.22",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"https://github.com/lodash/lodash"
],
"product": "Lodash-amd",
"repo": "https://github.com/lodash/lodash",
"vendor": "Lodash-amd",
"versions": [
{
"lessThanOrEqual": "4.17.22",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"https://github.com/lodash/lodash"
],
"product": "lodash-es",
"repo": "https://github.com/lodash/lodash",
"vendor": "lodash-es",
"versions": [
{
"lessThanOrEqual": "4.17.22",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"https://github.com/lodash/lodash"
],
"product": "lodash.unset",
"repo": "https://github.com/lodash/lodash",
"vendor": "lodash.unset",
"versions": [
{
"status": "affected",
"version": "4.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lukas Euler"
},
{
"lang": "en",
"type": "analyst",
"value": "Jordan Harband"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Micha\u0142 Lipi\u0144ski"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ulises Gasc\u00f3n"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eLodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the \u003ccode\u003e_.unset\u003c/code\u003e\u0026nbsp;and \u003ccode\u003e_.omit\u003c/code\u003e\u0026nbsp;functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\u003c/p\u003e\u003cp\u003eThe issue permits deletion of properties but does not allow overwriting their original behavior.\u003c/p\u003e\u003cp\u003eThis issue is patched on 4.17.23\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset\u00a0and _.omit\u00a0functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\n\nThis issue is patched on 4.17.23"
}
],
"impacts": [
{
"capecId": "CAPEC-77",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-77 Manipulating User-Controlled Variables"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T19:05:28.846Z",
"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"shortName": "openjs"
},
"references": [
{
"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
}
],
"source": {
"advisory": "GHSA-xxjr-mmjv-4gpg",
"discovery": "EXTERNAL"
},
"title": "Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"assignerShortName": "openjs",
"cveId": "CVE-2025-13465",
"datePublished": "2026-01-21T19:05:28.846Z",
"dateReserved": "2025-11-20T02:16:12.128Z",
"dateUpdated": "2026-06-30T12:07:25.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1647 (GCVE-0-2025-1647)
Vulnerability from cvelistv5 – Published: 2025-05-15 16:26 – Updated: 2025-06-01 11:02
VLAI
EPSS
Title
XSS in Bootstrap title attribute for Tooltip and Popover
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting (XSS).This issue affects Bootstrap: from 3.4.1 before 4.0.0.
Severity
5.6 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
Credits
Johan Carlsson (joaxcar)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1647",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T20:03:33.381810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T20:06:50.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-06-01T11:02:28.106Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Bootstrap",
"vendor": "Bootstrap",
"versions": [
{
"lessThan": "4.0.0",
"status": "affected",
"version": "3.4.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Johan Carlsson (joaxcar)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Bootstrap allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Bootstrap: from 3.4.1 before 4.0.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Bootstrap allows Cross-Site Scripting (XSS).This issue affects Bootstrap: from 3.4.1 before 4.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T16:26:07.587Z",
"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"shortName": "HeroDevs"
},
"references": [
{
"url": "https://www.herodevs.com/vulnerability-directory/cve-2025-1647"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSS in Bootstrap title attribute for Tooltip and Popover",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"assignerShortName": "HeroDevs",
"cveId": "CVE-2025-1647",
"datePublished": "2025-05-15T16:26:07.587Z",
"dateReserved": "2025-02-24T18:35:21.344Z",
"dateUpdated": "2025-06-01T11:02:28.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22227 (GCVE-0-2025-22227)
Vulnerability from cvelistv5 – Published: 2025-07-16 09:31 – Updated: 2026-06-23 16:32
VLAI
EPSS
Title
CVE-2025-22227: Authentication Leak On Redirect With Reactor Netty HTTP Client
Summary
In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| VMware | Reactor Netty |
Affected:
1.0.x , < 1.0.49 (Reactor BOM 2020.0.48)
(commercial)
Affected: 1.1.x , < 1.1.32 (Reactor BOM 2022.0.27 and 2023.0.20) (commercial) Affected: 1.2.x , < 1.2.8 (Reactor BOM 2024.0.8) (OSS) Affected: 1.3.x , < 1.3.0-M5 (Reactor BOM 2025.0.0-M5) (OSS) |
Date Public
2025-07-16 09:26
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22227",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T14:29:51.229735Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T16:32:45.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Reactor Netty",
"product": "Reactor Netty",
"vendor": "VMware",
"versions": [
{
"lessThan": "1.0.49 (Reactor BOM 2020.0.48)",
"status": "affected",
"version": "1.0.x",
"versionType": "commercial"
},
{
"lessThan": "1.1.32 (Reactor BOM 2022.0.27 and 2023.0.20)",
"status": "affected",
"version": "1.1.x",
"versionType": "commercial"
},
{
"lessThan": "1.2.8 (Reactor BOM 2024.0.8)",
"status": "affected",
"version": "1.2.x",
"versionType": "OSS"
},
{
"lessThan": "1.3.0-M5 (Reactor BOM 2025.0.0-M5)",
"status": "affected",
"version": "1.3.x",
"versionType": "OSS"
}
]
}
],
"datePublic": "2025-07-16T09:26:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T09:31:15.293Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2025-22227"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2025-22227: Authentication Leak On Redirect With Reactor Netty HTTP Client",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-22227",
"datePublished": "2025-07-16T09:31:15.293Z",
"dateReserved": "2025-01-02T04:29:59.191Z",
"dateUpdated": "2026-06-23T16:32:45.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-24970 (GCVE-0-2025-24970)
Vulnerability from cvelistv5 – Published: 2025-02-10 21:57 – Updated: 2025-04-16 15:37
VLAI
EPSS
Title
SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine
Summary
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
5 references
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24970",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:30:54.865019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:31:38.061Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-16T15:37:17.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250221-0005/"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-detection"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-mitigation"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.1.91.Final, \u003c= 4.1.117.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn\u0027t correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T21:57:28.730Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw"
},
{
"name": "https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4"
}
],
"source": {
"advisory": "GHSA-4g8c-wm8x-jfhw",
"discovery": "UNKNOWN"
},
"title": "SslHandler doesn\u0027t correctly validate packets which can lead to native crash when using native SSLEngine"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24970",
"datePublished": "2025-02-10T21:57:28.730Z",
"dateReserved": "2025-01-29T15:18:03.210Z",
"dateUpdated": "2025-04-16T15:37:17.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25193 (GCVE-0-2025-25193)
Vulnerability from cvelistv5 – Published: 2025-02-10 22:02 – Updated: 2025-02-21 18:03
VLAI
EPSS
Title
Denial of Service attack on windows app using Netty
Summary
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
Severity
5.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/netty/netty/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/netty/netty/commit/d1fbda62d3a… | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2025022… |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25193",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:22:08.933112Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:22:12.545Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-02-21T18:03:38.211Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250221-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.1.118"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T22:02:17.197Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx"
},
{
"name": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386"
}
],
"source": {
"advisory": "GHSA-389x-839f-4rhx",
"discovery": "UNKNOWN"
},
"title": "Denial of Service attack on windows app using Netty"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25193",
"datePublished": "2025-02-10T22:02:17.197Z",
"dateReserved": "2025-02-03T19:30:53.400Z",
"dateUpdated": "2025-02-21T18:03:38.211Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26791 (GCVE-0-2025-26791)
Vulnerability from cvelistv5 – Published: 2025-02-14 00:00 – Updated: 2025-02-14 15:30
VLAI
EPSS
Summary
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
Severity
4.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26791",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T15:30:30.796687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:30:49.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://ensy.zip/posts/dompurify-323-bypass/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DOMPurify",
"vendor": "Cure53",
"versions": [
{
"lessThan": "3.2.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.2.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T08:21:32.805Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/cure53/DOMPurify/releases/tag/3.2.4"
},
{
"url": "https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02"
},
{
"url": "https://nsysean.github.io/posts/dompurify-323-bypass/"
},
{
"url": "https://ensy.zip/posts/dompurify-323-bypass/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-26791",
"datePublished": "2025-02-14T00:00:00.000Z",
"dateReserved": "2025-02-14T00:00:00.000Z",
"dateUpdated": "2025-02-14T15:30:49.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27555 (GCVE-0-2025-27555)
Vulnerability from cvelistv5 – Published: 2026-02-24 10:09 – Updated: 2026-03-11 15:10
VLAI
EPSS
Title
Apache Airflow: Connection Secrets not masked in UI when Connection are added via Airflow cli
Summary
Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/apache/airflow/pull/61882 | patch |
| https://lists.apache.org/thread/nxovkp319jo8vg498… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Airflow |
Affected:
0 , < 2.11.1
(semver)
|
Credits
sw0rd1ight
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-27555",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T15:39:35.868005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T15:40:05.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org/",
"defaultStatus": "unaffected",
"packageName": "apache-airflow",
"product": "Apache Airflow",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.11.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "sw0rd1ight"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378"
}
],
"value": "Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T15:10:06.311Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/airflow/pull/61882"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/nxovkp319jo8vg498gql1yswtb2frbkw"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Airflow: Connection Secrets not masked in UI when Connection are added via Airflow cli",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-27555",
"datePublished": "2026-02-24T10:09:59.703Z",
"dateReserved": "2025-03-01T16:50:26.767Z",
"dateUpdated": "2026-03-11T15:10:06.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27789 (GCVE-0-2025-27789)
Vulnerability from cvelistv5 – Published: 2025-03-11 19:09 – Updated: 2025-03-11 19:53
VLAI
EPSS
Title
Inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups
Summary
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the `.replace` method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of `.replace`. This problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on `@babel/helpers`, and instead depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees use of a new enough `@babel/helpers` version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
Severity
6.2 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/babel/babel/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/babel/babel/pull/17173 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27789",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-11T19:53:22.902147Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T19:53:42.811Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "babel",
"vendor": "babel",
"versions": [
{
"status": "affected",
"version": "\u003c 7.26.10"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-alpha.0, \u003c 8.0.0-alpha.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the `.replace` method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of `.replace`. This problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17. It\u0027s likely that individual users do not directly depend on `@babel/helpers`, and instead depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees use of a new enough `@babel/helpers` version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T19:09:28.146Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8"
},
{
"name": "https://github.com/babel/babel/pull/17173",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/babel/babel/pull/17173"
}
],
"source": {
"advisory": "GHSA-968p-4wvh-cqc8",
"discovery": "UNKNOWN"
},
"title": "Inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27789",
"datePublished": "2025-03-11T19:09:28.146Z",
"dateReserved": "2025-03-06T18:06:54.462Z",
"dateUpdated": "2025-03-11T19:53:42.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…