Action not permitted
Modal body text goes here.
Modal Title
Modal Body
Vulnerability from cleanstart
Published
2026-06-08 12:38
Modified
2026-06-05 10:47
Summary
Security fixes for CVE-2024-24786, CVE-2024-35255, CVE-2025-22868, CVE-2025-30204, CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-61731, CVE-2025-61732, CVE-2025-68119, CVE-2025-68121, CVE-2026-25679, CVE-2026-27139, CVE-2026-27140, CVE-2026-27142, CVE-2026-27143, CVE-2026-27144, CVE-2026-27145, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32288, CVE-2026-32289, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-40179, CVE-2026-42151, CVE-2026-42154, CVE-2026-42499, CVE-2026-42501, CVE-2026-42504, CVE-2026-42507, CVE-2026-44903, CVE-2026-46598, ghsa-8rm2-7qqf-34qm, ghsa-fw8g-cg8f-9j28, ghsa-vffh-x6r8-xx99, ghsa-wg65-39gg-5wfj applied in versions: 0.69.1-r0, 0.69.1-r1, 0.69.1-r2, 0.69.1-r3, 0.87.1-r0, 0.89.0-r0
Details
Multiple security vulnerabilities affect the prometheus-operator package. These issues are resolved in later releases. See references for individual vulnerability details.
References
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "prometheus-operator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.89.0-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the prometheus-operator package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-UO11850",
"modified": "2026-06-05T10:47:49Z",
"published": "2026-06-08T12:38:40.185129Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-UO11850.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-24786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-35255"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-22868"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-30204"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61726"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61728"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61730"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61731"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61732"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-68119"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-68121"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27140"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27143"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27144"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27145"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32288"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33811"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33814"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39817"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39819"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39820"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39823"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39825"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39826"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39836"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-40179"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42151"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42154"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42499"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42501"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42504"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42507"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-44903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-46598"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8rm2-7qqf-34qm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fw8g-cg8f-9j28"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vffh-x6r8-xx99"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wg65-39gg-5wfj"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30204"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61730"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61731"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61732"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68119"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27140"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27143"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27144"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27145"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32288"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33811"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33814"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39817"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39819"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39820"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39823"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39825"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39826"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39836"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40179"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42151"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42154"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42499"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42501"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42504"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42507"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46598"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2024-24786, CVE-2024-35255, CVE-2025-22868, CVE-2025-30204, CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-61731, CVE-2025-61732, CVE-2025-68119, CVE-2025-68121, CVE-2026-25679, CVE-2026-27139, CVE-2026-27140, CVE-2026-27142, CVE-2026-27143, CVE-2026-27144, CVE-2026-27145, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32288, CVE-2026-32289, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-40179, CVE-2026-42151, CVE-2026-42154, CVE-2026-42499, CVE-2026-42501, CVE-2026-42504, CVE-2026-42507, CVE-2026-44903, CVE-2026-46598, ghsa-8rm2-7qqf-34qm, ghsa-fw8g-cg8f-9j28, ghsa-vffh-x6r8-xx99, ghsa-wg65-39gg-5wfj applied in versions: 0.69.1-r0, 0.69.1-r1, 0.69.1-r2, 0.69.1-r3, 0.87.1-r0, 0.89.0-r0",
"upstream": [
"CVE-2024-24786",
"CVE-2024-35255",
"CVE-2025-22868",
"CVE-2025-30204",
"CVE-2025-61726",
"CVE-2025-61728",
"CVE-2025-61730",
"CVE-2025-61731",
"CVE-2025-61732",
"CVE-2025-68119",
"CVE-2025-68121",
"CVE-2026-25679",
"CVE-2026-27139",
"CVE-2026-27140",
"CVE-2026-27142",
"CVE-2026-27143",
"CVE-2026-27144",
"CVE-2026-27145",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32288",
"CVE-2026-32289",
"CVE-2026-33810",
"CVE-2026-33811",
"CVE-2026-33814",
"CVE-2026-39817",
"CVE-2026-39819",
"CVE-2026-39820",
"CVE-2026-39823",
"CVE-2026-39825",
"CVE-2026-39826",
"CVE-2026-39836",
"CVE-2026-40179",
"CVE-2026-42151",
"CVE-2026-42154",
"CVE-2026-42499",
"CVE-2026-42501",
"CVE-2026-42504",
"CVE-2026-42507",
"CVE-2026-44903",
"CVE-2026-46598",
"ghsa-8rm2-7qqf-34qm",
"ghsa-fw8g-cg8f-9j28",
"ghsa-vffh-x6r8-xx99",
"ghsa-wg65-39gg-5wfj"
]
}
CVE-2026-39823 (GCVE-0-2026-39823)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 14:05
VLAI
EPSS
Title
Bypass of meta content URL escaping causes XSS in html/template
Summary
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | html/template |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
Credits
Samy Ghannad
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39823",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T14:05:34.310805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:05:55.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "html/template",
"product": "html/template",
"programRoutines": [
{
"name": "tMetaContent"
},
{
"name": "Template.Execute"
},
{
"name": "Template.ExecuteTemplate"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Samy Ghannad"
}
],
"descriptions": [
{
"lang": "en",
"value": "CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a \u003cmeta\u003e tag\u0027s \u003ccontent\u003e attribute. If the URL content were to insert ASCII whitespaces around the \u0027=\u0027 rune inside of the \u003ccontent\u003e attribute, the escaper would fail to similarly escape it, leading to XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:19.524Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/78913"
},
{
"url": "https://go.dev/cl/769920"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4982"
}
],
"title": "Bypass of meta content URL escaping causes XSS in html/template"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-39823",
"datePublished": "2026-05-07T19:41:19.524Z",
"dateReserved": "2026-04-07T18:13:03.527Z",
"dateUpdated": "2026-05-08T14:05:55.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39825 (GCVE-0-2026-39825)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 21:30
VLAI
EPSS
Title
ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
Summary
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | net/http/httputil |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39825",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:46:43.329507Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T21:30:08.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http/httputil",
"product": "net/http/httputil",
"programRoutines": [
{
"name": "cleanQueryParams"
},
{
"name": "ReverseProxy.ServeHTTP"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery\u0027s limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query \"a1=x\u0026a2=x\u0026...\u0026a10000=x\u0026hidden=y\" can forward the parameter \"hidden=y\" while hiding it from the proxy\u0027s Rewrite function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:18.453Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/770541"
},
{
"url": "https://go.dev/issue/78948"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4976"
}
],
"title": "ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-39825",
"datePublished": "2026-05-07T19:41:18.453Z",
"dateReserved": "2026-04-07T18:13:03.527Z",
"dateUpdated": "2026-05-08T21:30:08.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39826 (GCVE-0-2026-39826)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 14:05
VLAI
EPSS
Title
Escaper bypass leads to XSS in html/template
Summary
If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | html/template |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
Credits
Mundur (https://github.com/M0nd0R)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39826",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T14:04:40.842823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:05:05.849Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "html/template",
"product": "html/template",
"programRoutines": [
{
"name": "isJSType"
},
{
"name": "Template.Execute"
},
{
"name": "Template.ExecuteTemplate"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mundur (https://github.com/M0nd0R)"
}
],
"descriptions": [
{
"lang": "en",
"value": "If a trusted template author were to write a \u003cscript\u003e tag containing an empty \u0027type\u0027 attribute or a \u0027type\u0027 attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the \u003cscript\u003e block."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:19.138Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/78981"
},
{
"url": "https://go.dev/cl/771180"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4980"
}
],
"title": "Escaper bypass leads to XSS in html/template"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-39826",
"datePublished": "2026-05-07T19:41:19.138Z",
"dateReserved": "2026-04-07T18:13:03.528Z",
"dateUpdated": "2026-05-08T14:05:05.849Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39836 (GCVE-0-2026-39836)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 21:30
VLAI
EPSS
Title
Panic in Dial and LookupPort when handling NUL byte on Windows in net
Summary
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-248 - Uncaught Exception
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | net |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39836",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:36:25.079035Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T21:30:15.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net",
"product": "net",
"programRoutines": [
{
"name": "Resolver.lookupPort"
},
{
"name": "Resolver.lookupAddr"
},
{
"name": "Resolver.lookupTXT"
},
{
"name": "Resolver.lookupNS"
},
{
"name": "Resolver.lookupMX"
},
{
"name": "Resolver.lookupSRV"
},
{
"name": "Dial"
},
{
"name": "DialTimeout"
},
{
"name": "Dialer.Dial"
},
{
"name": "Dialer.DialContext"
},
{
"name": "Listen"
},
{
"name": "ListenConfig.Listen"
},
{
"name": "ListenConfig.ListenPacket"
},
{
"name": "ListenPacket"
},
{
"name": "LookupAddr"
},
{
"name": "LookupCNAME"
},
{
"name": "LookupHost"
},
{
"name": "LookupIP"
},
{
"name": "LookupMX"
},
{
"name": "LookupNS"
},
{
"name": "LookupPort"
},
{
"name": "LookupSRV"
},
{
"name": "LookupTXT"
},
{
"name": "ResolveIPAddr"
},
{
"name": "ResolveTCPAddr"
},
{
"name": "ResolveUDPAddr"
},
{
"name": "Resolver.LookupAddr"
},
{
"name": "Resolver.LookupCNAME"
},
{
"name": "Resolver.LookupHost"
},
{
"name": "Resolver.LookupIP"
},
{
"name": "Resolver.LookupIPAddr"
},
{
"name": "Resolver.LookupMX"
},
{
"name": "Resolver.LookupNS"
},
{
"name": "Resolver.LookupNetIP"
},
{
"name": "Resolver.LookupPort"
},
{
"name": "Resolver.LookupSRV"
},
{
"name": "Resolver.LookupTXT"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-248: Uncaught Exception",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:18.300Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/79006"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://go.dev/cl/775320"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4971"
}
],
"title": "Panic in Dial and LookupPort when handling NUL byte on Windows in net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-39836",
"datePublished": "2026-05-07T19:41:18.300Z",
"dateReserved": "2026-04-07T18:13:03.529Z",
"dateUpdated": "2026-05-08T21:30:15.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40179 (GCVE-0-2026-40179)
Vulnerability from cvelistv5 – Published: 2026-04-15 22:26 – Updated: 2026-04-16 14:21
VLAI
EPSS
Title
Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer
Summary
Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and old React UI, chart tooltips on the Graph page render metric names containing HTML/JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search results use dangerouslySetInnerHTML without escaping, and heatmap cell tooltips interpolate le label values without sanitization. With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like <, >, and " are now valid in metric names and labels. An attacker who can inject metrics via a compromised scrape target, remote write, or OTLP receiver endpoint can execute arbitrary JavaScript in the browser of any Prometheus user who views the metric in the Graph UI, potentially enabling configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. This issue has been fixed in versions 3.5.2 and 3.11.2. If developers are unable to immediately update, the following workarounds are recommended: ensure that the remote write receiver (--web.enable-remote-write-receiver) and the OTLP receiver (--web.enable-otlp-receiver) are not exposed to untrusted sources; verify that all scrape targets are trusted and not under attacker control; avoid enabling admin or mutating API endpoints (e.g., --web.enable-admin-api or --web.enable-lifecycle) in environments where untrusted data may be ingested; and refrain from clicking untrusted links, particularly those containing functions such as label_replace, as they may generate poisoned label names and values.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/prometheus/prometheus/security… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/pull/18506 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/commit/0… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | prometheus |
Affected:
>= 3.0.0, < 3.5.2
Affected: >= 3.6.0, < 3.11.2 Affected: < 0.311.2-0.20260410083055-07c6232d159b |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T14:21:31.807163Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T14:21:42.130Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "prometheus",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.5.2"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.11.2"
},
{
"status": "affected",
"version": "\u003c 0.311.2-0.20260410083055-07c6232d159b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and old React UI, chart tooltips on the Graph page render metric names containing HTML/JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search results use dangerouslySetInnerHTML without escaping, and heatmap cell tooltips interpolate le label values without sanitization. With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like \u003c, \u003e, and \" are now valid in metric names and labels. An attacker who can inject metrics via a compromised scrape target, remote write, or OTLP receiver endpoint can execute arbitrary JavaScript in the browser of any Prometheus user who views the metric in the Graph UI, potentially enabling configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. This issue has been fixed in versions 3.5.2 and 3.11.2. If developers are unable to immediately update, the following workarounds are recommended: ensure that the remote write receiver (--web.enable-remote-write-receiver) and the OTLP receiver (--web.enable-otlp-receiver) are not exposed to untrusted sources; verify that all scrape targets are trusted and not under attacker control; avoid enabling admin or mutating API endpoints (e.g., --web.enable-admin-api or --web.enable-lifecycle) in environments where untrusted data may be ingested; and refrain from clicking untrusted links, particularly those containing functions such as label_replace, as they may generate poisoned label names and values."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T22:26:46.909Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18506",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18506"
},
{
"name": "https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c"
}
],
"source": {
"advisory": "GHSA-vffh-x6r8-xx99",
"discovery": "UNKNOWN"
},
"title": "Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40179",
"datePublished": "2026-04-15T22:26:46.909Z",
"dateReserved": "2026-04-09T20:59:17.619Z",
"dateUpdated": "2026-04-16T14:21:42.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42151 (GCVE-0-2026-42151)
Vulnerability from cvelistv5 – Published: 2026-05-04 18:12 – Updated: 2026-06-30 03:15
VLAI
EPSS
Title
Prometheus Azure AD remote write OAuth client secret exposed via config API
Summary
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
11 references
| URL | Tags |
|---|---|
| https://github.com/prometheus/prometheus/security… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/pull/18587 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/pull/18590 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-42151 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2466507 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:25039 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:25504 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:25245 | vendor-advisoryx_refsource_REDHAT |
Impacted products
28 products
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | prometheus |
Affected:
< 3.5.3
Affected: >= 3.6.0, < 3.11.3 |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Custom Metric Autoscaler operator for Red Hat Openshift |
cpe:/a:redhat:openshift_custom_metrics_autoscaler:2 |
|
| Red Hat | File Integrity Operator |
cpe:/a:redhat:openshift_file_integrity_operator:1 |
|
| Red Hat | Logging Subsystem for Red Hat OpenShift |
cpe:/a:redhat:logging:6 |
|
| Red Hat | Network Observability Operator |
cpe:/a:redhat:network_observ_optr:1 |
|
| Red Hat | OpenShift Lightspeed |
cpe:/a:redhat:openshift_lightspeed |
|
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2 |
cpe:/a:redhat:acm:2 |
|
| Red Hat | Red Hat Ceph Storage 5 |
cpe:/a:redhat:ceph_storage:5 |
|
| Red Hat | Red Hat Ceph Storage 6 |
cpe:/a:redhat:ceph_storage:6 |
|
| Red Hat | Red Hat Ceph Storage 7 |
cpe:/a:redhat:ceph_storage:7 |
|
| Red Hat | Red Hat Ceph Storage 8 |
cpe:/a:redhat:ceph_storage:8 |
|
| Red Hat | Red Hat Ceph Storage 9 |
cpe:/a:redhat:ceph_storage:9 |
|
| Red Hat | Red Hat Edge Manager 1 |
cpe:/a:redhat:edge_manager:1 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
|
| Red Hat | Red Hat OpenShift distributed tracing 3 |
cpe:/a:redhat:openshift_distributed_tracing:3 |
|
| Red Hat | Red Hat OpenShift GitOps |
cpe:/a:redhat:openshift_gitops:1 |
|
| Red Hat | Red Hat OpenStack Platform 18.0 |
cpe:/a:redhat:openstack:18.0 |
|
| Red Hat | Red Hat Quay 3 |
cpe:/a:redhat:quay:3 |
|
| Red Hat | Red Hat Trusted Artifact Signer |
cpe:/a:redhat:trusted_artifact_signer:1 |
|
| Red Hat | Multicluster Global Hub |
cpe:/a:redhat:multicluster_globalhub |
|
| Red Hat | OpenShift Service Mesh 2 |
cpe:/a:redhat:service_mesh:2 |
|
| Red Hat | OpenShift Service Mesh 3 |
cpe:/a:redhat:service_mesh:3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T19:54:39.314002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T19:55:09.255Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_custom_metrics_autoscaler:2"
],
"defaultStatus": "affected",
"product": "Custom Metric Autoscaler operator for Red Hat Openshift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_file_integrity_operator:1"
],
"defaultStatus": "affected",
"product": "File Integrity Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:logging:6"
],
"defaultStatus": "affected",
"product": "Logging Subsystem for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:network_observ_optr:1"
],
"defaultStatus": "affected",
"product": "Network Observability Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:5"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:6"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:7"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:8"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:9"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:edge_manager:1"
],
"defaultStatus": "affected",
"product": "Red Hat Edge Manager 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_distributed_tracing:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift distributed tracing 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift GitOps",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:18.0"
],
"defaultStatus": "affected",
"product": "Red Hat OpenStack Platform 18.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:trusted_artifact_signer:1"
],
"defaultStatus": "affected",
"product": "Red Hat Trusted Artifact Signer",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_globalhub"
],
"defaultStatus": "unaffected",
"product": "Multicluster Global Hub",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2"
],
"defaultStatus": "unaffected",
"product": "OpenShift Service Mesh 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3"
],
"defaultStatus": "unaffected",
"product": "OpenShift Service Mesh 3",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-04T18:12:16.917Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Prometheus, an open-source monitoring system. The `client_secret` field within the Azure Active Directory (AD) remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access to the `/-/config` HTTP API endpoint to view the Azure OAuth client secret in plaintext. This vulnerability leads to information disclosure, potentially compromising the security of integrated Azure AD services."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:15:46.127Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-42151"
},
{
"name": "RHBZ#2466507",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466507"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42151.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25039"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25504"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25245"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:25039: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:25504: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:25245: Red Hat Hardened Images"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-04T19:02:26.983Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-04T18:12:16.917Z",
"value": "Made public."
}
],
"title": "github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "prometheus",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.11.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T18:12:16.917Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18587",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18587"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18590",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18590"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3"
}
],
"source": {
"advisory": "GHSA-wg65-39gg-5wfj",
"discovery": "UNKNOWN"
},
"title": "Prometheus Azure AD remote write OAuth client secret exposed via config API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42151",
"datePublished": "2026-05-04T18:12:16.917Z",
"dateReserved": "2026-04-24T17:15:21.835Z",
"dateUpdated": "2026-06-30T03:15:46.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42154 (GCVE-0-2026-42154)
Vulnerability from cvelistv5 – Published: 2026-05-04 18:13 – Updated: 2026-06-30 03:16
VLAI
EPSS
Title
Prometheus: remote read endpoint allows denial of service via crafted snappy payload
Summary
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
12 references
| URL | Tags |
|---|---|
| https://github.com/prometheus/prometheus/security… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/pull/18584 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/pull/18585 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-42154 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2466505 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:30651 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:25039 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:29770 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:25245 | vendor-advisoryx_refsource_REDHAT |
Impacted products
27 products
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | prometheus |
Affected:
< 3.5.3
Affected: >= 3.6.0, < 3.11.3 |
|
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.13 |
cpe:/a:redhat:acm:2.13::el9 |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | File Integrity Operator |
cpe:/a:redhat:openshift_file_integrity_operator:1 |
|
| Red Hat | Logging Subsystem for Red Hat OpenShift |
cpe:/a:redhat:logging:6 |
|
| Red Hat | Multicluster Global Hub |
cpe:/a:redhat:multicluster_globalhub |
|
| Red Hat | Network Observability Operator |
cpe:/a:redhat:network_observ_optr:1 |
|
| Red Hat | OpenShift Lightspeed |
cpe:/a:redhat:openshift_lightspeed |
|
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2 |
cpe:/a:redhat:acm:2 |
|
| Red Hat | Red Hat Ceph Storage 5 |
cpe:/a:redhat:ceph_storage:5 |
|
| Red Hat | Red Hat Ceph Storage 6 |
cpe:/a:redhat:ceph_storage:6 |
|
| Red Hat | Red Hat Ceph Storage 7 |
cpe:/a:redhat:ceph_storage:7 |
|
| Red Hat | Red Hat Ceph Storage 8 |
cpe:/a:redhat:ceph_storage:8 |
|
| Red Hat | Red Hat Ceph Storage 9 |
cpe:/a:redhat:ceph_storage:9 |
|
| Red Hat | Red Hat Edge Manager 1 |
cpe:/a:redhat:edge_manager:1 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
|
| Red Hat | Red Hat OpenShift GitOps |
cpe:/a:redhat:openshift_gitops:1 |
|
| Red Hat | Red Hat Quay 3 |
cpe:/a:redhat:quay:3 |
|
| Red Hat | Red Hat Trusted Artifact Signer |
cpe:/a:redhat:trusted_artifact_signer:1 |
|
| Red Hat | OpenShift Service Mesh 2 |
cpe:/a:redhat:service_mesh:2 |
|
| Red Hat | OpenShift Service Mesh 3 |
cpe:/a:redhat:service_mesh:3 |
|
| Red Hat | Red Hat OpenStack Platform 18.0 |
cpe:/a:redhat:openstack:18.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42154",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T20:18:48.754025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T20:19:13.876Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:acm:2.13::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_file_integrity_operator:1"
],
"defaultStatus": "affected",
"product": "File Integrity Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:logging:6"
],
"defaultStatus": "affected",
"product": "Logging Subsystem for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_globalhub"
],
"defaultStatus": "affected",
"product": "Multicluster Global Hub",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:network_observ_optr:1"
],
"defaultStatus": "affected",
"product": "Network Observability Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:5"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:6"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:7"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:8"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:9"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:edge_manager:1"
],
"defaultStatus": "affected",
"product": "Red Hat Edge Manager 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift GitOps",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:trusted_artifact_signer:1"
],
"defaultStatus": "affected",
"product": "Red Hat Trusted Artifact Signer",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2"
],
"defaultStatus": "unaffected",
"product": "OpenShift Service Mesh 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3"
],
"defaultStatus": "unaffected",
"product": "OpenShift Service Mesh 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:18.0"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenStack Platform 18.0",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-04T18:13:12.340Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Prometheus. An unauthenticated attacker can exploit the remote read endpoint (`/api/v1/read`) by sending a specially crafted, small snappy-compressed payload. This payload causes a disproportionately large memory allocation, leading to memory exhaustion and a Denial of Service (DoS) by crashing the Prometheus process."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:16:20.329Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-42154"
},
{
"name": "RHBZ#2466505",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466505"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42154.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30651"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25039"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29770"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25245"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:30651: Red Hat Advanced Cluster Management for Kubernetes 2.13"
},
{
"lang": "en",
"value": "RHSA-2026:25039: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:29770: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:25245: Red Hat Hardened Images"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-04T19:02:19.626Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-04T18:13:12.340Z",
"value": "Made public."
}
],
"title": "github.com/prometheus/prometheus: Prometheus: Denial of Service via uncontrolled memory allocation in remote read endpoint",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "prometheus",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.11.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T18:13:12.340Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18584",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18584"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18585",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18585"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3"
}
],
"source": {
"advisory": "GHSA-8rm2-7qqf-34qm",
"discovery": "UNKNOWN"
},
"title": "Prometheus: remote read endpoint allows denial of service via crafted snappy payload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42154",
"datePublished": "2026-05-04T18:13:12.340Z",
"dateReserved": "2026-04-24T17:15:21.835Z",
"dateUpdated": "2026-06-30T03:16:20.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42499 (GCVE-0-2026-42499)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-06-30 03:15
VLAI
EPSS
Title
Quadratic string concatenation in consumePhrase in net/mail
Summary
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
11 references
| URL | Tags |
|---|---|
| https://go.dev/issue/78987 | |
| https://go.dev/cl/771520 | |
| https://groups.google.com/g/golang-announce/c/qcC… | |
| https://pkg.go.dev/vuln/GO-2026-4977 | |
| https://access.redhat.com/security/cve/CVE-2026-42499 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2467809 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:33120 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33123 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33142 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33150 | vendor-advisoryx_refsource_REDHAT |
Impacted products
65 products
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | net/mail |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.0 |
cpe:/a:redhat:service_mesh:3.0::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.1 |
cpe:/a:redhat:service_mesh:3.1::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.2 |
cpe:/a:redhat:service_mesh:3.2::el9 |
|
| Red Hat | Red Hat OpenShift Service Mesh 3.3 |
cpe:/a:redhat:service_mesh:3.3::el9 |
|
| Red Hat | Assisted Installer for Red Hat OpenShift Container Platform 2 |
cpe:/a:redhat:assisted_installer:2 |
|
| Red Hat | cert-manager Operator for Red Hat OpenShift |
cpe:/a:redhat:cert_manager:1 |
|
| Red Hat | Confidential Compute Attestation |
cpe:/a:redhat:confidential_compute_attestation:1 |
|
| Red Hat | Cryostat 4 |
cpe:/a:redhat:cryostat:4 |
|
| Red Hat | Custom Metric Autoscaler operator for Red Hat Openshift |
cpe:/a:redhat:openshift_custom_metrics_autoscaler:2 |
|
| Red Hat | External Secrets Operator for Red Hat OpenShift |
cpe:/a:redhat:external_secrets_operator:1 |
|
| Red Hat | File Integrity Operator |
cpe:/a:redhat:openshift_file_integrity_operator:1 |
|
| Red Hat | Logging Subsystem for Red Hat OpenShift |
cpe:/a:redhat:logging:6 |
|
| Red Hat | Logical Volume Manager Storage |
cpe:/a:redhat:lvms:4 |
|
| Red Hat | Migration Toolkit for Applications 8 |
cpe:/a:redhat:migration_toolkit_applications:8 |
|
| Red Hat | Migration Toolkit for Containers |
cpe:/a:redhat:rhmt:1 |
|
| Red Hat | Multiarch Tuning Operator |
cpe:/a:redhat:multiarch_tuning_operator |
|
| Red Hat | Network Observability Operator |
cpe:/a:redhat:network_observ_optr:1 |
|
| Red Hat | OpenShift API for Data Protection |
cpe:/a:redhat:openshift_api_data_protection:1 |
|
| Red Hat | OpenShift Developer Tools and Services |
cpe:/a:redhat:ocp_tools |
|
| Red Hat | OpenShift Lightspeed |
cpe:/a:redhat:openshift_lightspeed |
|
| Red Hat | OpenShift Pipelines |
cpe:/a:redhat:openshift_pipelines:1 |
|
| Red Hat | OpenShift Serverless |
cpe:/a:redhat:serverless:1 |
|
| Red Hat | OpenShift Service Mesh 2 |
cpe:/a:redhat:service_mesh:2 |
|
| Red Hat | OpenShift Service Mesh 3 |
cpe:/a:redhat:service_mesh:3 |
|
| Red Hat | Power monitoring for Red Hat OpenShift |
cpe:/a:redhat:openshift_power_monitoring |
|
| Red Hat | Red Hat Advanced Cluster Security 4 |
cpe:/a:redhat:advanced_cluster_security:4 |
|
| Red Hat | Red Hat Ceph Storage 5 |
cpe:/a:redhat:ceph_storage:5 |
|
| Red Hat | Red Hat Ceph Storage 6 |
cpe:/a:redhat:ceph_storage:6 |
|
| Red Hat | Red Hat Ceph Storage 9 |
cpe:/a:redhat:ceph_storage:9 |
|
| Red Hat | Red Hat Certification Program for Red Hat Enterprise Linux 9 |
cpe:/a:redhat:certifications:9 |
|
| Red Hat | Red Hat Developer Hub |
cpe:/a:redhat:rhdh:1 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
|
| Red Hat | Red Hat OpenShift Cluster Manager CLI |
cpe:/a:redhat:openshift_cluster_manager_cli:1 |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
|
| Red Hat | Red Hat Openshift Data Foundation 4 |
cpe:/a:redhat:openshift_data_foundation:4 |
|
| Red Hat | Red Hat OpenShift Dev Spaces |
cpe:/a:redhat:openshift_devspaces:3 |
|
| Red Hat | Red Hat OpenShift Dev Workspaces Operator |
cpe:/a:redhat:devworkspace |
|
| Red Hat | Red Hat OpenShift distributed tracing 3 |
cpe:/a:redhat:openshift_distributed_tracing:3 |
|
| Red Hat | Red Hat OpenShift for Windows Containers |
cpe:/a:redhat:windows_machine_config |
|
| Red Hat | Red Hat OpenShift GitOps |
cpe:/a:redhat:openshift_gitops:1 |
|
| Red Hat | Red Hat OpenShift Virtualization 4 |
cpe:/a:redhat:container_native_virtualization:4 |
|
| Red Hat | Red Hat OpenStack Platform 18.0 |
cpe:/a:redhat:openstack:18.0 |
|
| Red Hat | Red Hat Quay 3 |
cpe:/a:redhat:quay:3 |
|
| Red Hat | Red Hat Service Interconnect 1 |
cpe:/a:redhat:service_interconnect:1 |
|
| Red Hat | Red Hat Service Interconnect 2 |
cpe:/a:redhat:service_interconnect:2 |
|
| Red Hat | Red Hat Trusted Artifact Signer |
cpe:/a:redhat:trusted_artifact_signer:1 |
|
| Red Hat | Security Profiles Operator |
cpe:/a:redhat:openshift_security_profiles_operator:1 |
|
| Red Hat | Zero Trust Workload Identity Manager |
cpe:/a:redhat:zero_trust_workload_identity_manager:1 |
|
| Red Hat | Zero Trust Workload Identity Manager - Tech Preview |
cpe:/a:redhat:zero_trust_workload_identity_manager:0 |
|
| Red Hat | Red Hat OpenStack Platform 16.2 |
cpe:/a:redhat:openstack:16.2 |
|
| Red Hat | Red Hat OpenStack Platform 17.1 |
cpe:/a:redhat:openstack:17.1 |
|
| Red Hat | Gatekeeper 3 |
cpe:/a:redhat:gatekeeper:3 |
|
| Red Hat | Multicluster Engine for Kubernetes |
cpe:/a:redhat:multicluster_engine |
|
| Red Hat | Multicluster Global Hub |
cpe:/a:redhat:multicluster_globalhub |
|
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2 |
cpe:/a:redhat:acm:2 |
|
| Red Hat | Red Hat Ansible Automation Platform 2 |
cpe:/a:redhat:ansible_automation_platform:2 |
|
| Red Hat | Red Hat Edge Manager 1 |
cpe:/a:redhat:edge_manager:1 |
|
| Red Hat | Red Hat Enterprise Linux AI (RHEL AI) 3 |
cpe:/a:redhat:enterprise_linux_ai:3 |
|
| Red Hat | Red Hat Lightspeed for Runtimes Operator |
cpe:/a:redhat:lightspeed_for_runtimes:1 |
|
| Red Hat | Red Hat Satellite 6 |
cpe:/a:redhat:satellite:6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42499",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:55:28.873015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T21:29:59.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.0::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.1::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:assisted_installer:2"
],
"defaultStatus": "affected",
"product": "Assisted Installer for Red Hat OpenShift Container Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cert_manager:1"
],
"defaultStatus": "affected",
"product": "cert-manager Operator for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:confidential_compute_attestation:1"
],
"defaultStatus": "affected",
"product": "Confidential Compute Attestation",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:cryostat:4"
],
"defaultStatus": "affected",
"product": "Cryostat 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_custom_metrics_autoscaler:2"
],
"defaultStatus": "affected",
"product": "Custom Metric Autoscaler operator for Red Hat Openshift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:external_secrets_operator:1"
],
"defaultStatus": "affected",
"product": "External Secrets Operator for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_file_integrity_operator:1"
],
"defaultStatus": "affected",
"product": "File Integrity Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:logging:6"
],
"defaultStatus": "affected",
"product": "Logging Subsystem for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:lvms:4"
],
"defaultStatus": "affected",
"product": "Logical Volume Manager Storage",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:8"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Applications 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhmt:1"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multiarch_tuning_operator"
],
"defaultStatus": "affected",
"product": "Multiarch Tuning Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:network_observ_optr:1"
],
"defaultStatus": "affected",
"product": "Network Observability Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_api_data_protection:1"
],
"defaultStatus": "affected",
"product": "OpenShift API for Data Protection",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "affected",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"defaultStatus": "affected",
"product": "OpenShift Serverless",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2"
],
"defaultStatus": "affected",
"product": "OpenShift Service Mesh 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:3"
],
"defaultStatus": "affected",
"product": "OpenShift Service Mesh 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_power_monitoring"
],
"defaultStatus": "affected",
"product": "Power monitoring for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:advanced_cluster_security:4"
],
"defaultStatus": "affected",
"product": "Red Hat Advanced Cluster Security 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:5"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:6"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ceph_storage:9"
],
"defaultStatus": "affected",
"product": "Red Hat Ceph Storage 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:certifications:9"
],
"defaultStatus": "affected",
"product": "Red Hat Certification Program for Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_cluster_manager_cli:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Cluster Manager CLI",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:devworkspace"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Workspaces Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_distributed_tracing:3"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift distributed tracing 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:windows_machine_config"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift for Windows Containers",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_gitops:1"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift GitOps",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:container_native_virtualization:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Virtualization 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:18.0"
],
"defaultStatus": "affected",
"product": "Red Hat OpenStack Platform 18.0",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:quay:3"
],
"defaultStatus": "affected",
"product": "Red Hat Quay 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_interconnect:1"
],
"defaultStatus": "affected",
"product": "Red Hat Service Interconnect 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_interconnect:2"
],
"defaultStatus": "affected",
"product": "Red Hat Service Interconnect 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:trusted_artifact_signer:1"
],
"defaultStatus": "affected",
"product": "Red Hat Trusted Artifact Signer",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_security_profiles_operator:1"
],
"defaultStatus": "affected",
"product": "Security Profiles Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:zero_trust_workload_identity_manager:1"
],
"defaultStatus": "affected",
"product": "Zero Trust Workload Identity Manager",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:zero_trust_workload_identity_manager:0"
],
"defaultStatus": "affected",
"product": "Zero Trust Workload Identity Manager - Tech Preview",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openstack:17.1"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenStack Platform 17.1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:gatekeeper:3"
],
"defaultStatus": "unknown",
"product": "Gatekeeper 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_engine"
],
"defaultStatus": "unknown",
"product": "Multicluster Engine for Kubernetes",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:multicluster_globalhub"
],
"defaultStatus": "unknown",
"product": "Multicluster Global Hub",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "unknown",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unknown",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:edge_manager:1"
],
"defaultStatus": "unknown",
"product": "Red Hat Edge Manager 1",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"defaultStatus": "unknown",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:lightspeed_for_runtimes:1"
],
"defaultStatus": "unknown",
"product": "Red Hat Lightspeed for Runtimes Operator",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "unknown",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-07T19:41:18.615Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the `net/mail` package within the Go standard library. A remote attacker could provide specially crafted, pathological email addresses. When these malformed email addresses are parsed by the `consumePhrase` function, it can lead to excessive resource consumption due to quadratic string concatenation, resulting in a Denial of Service (DoS) condition."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1046",
"description": "Creation of Immutable Text Using String Concatenation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:15:52.901Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-42499"
},
{
"name": "RHBZ#2467809",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467809"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42499.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33120"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33123"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33142"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33150"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:33120: Red Hat OpenShift Service Mesh 3.0"
},
{
"lang": "en",
"value": "RHSA-2026:33123: Red Hat OpenShift Service Mesh 3.1"
},
{
"lang": "en",
"value": "RHSA-2026:33142: Red Hat OpenShift Service Mesh 3.2"
},
{
"lang": "en",
"value": "RHSA-2026:33150: Red Hat OpenShift Service Mesh 3.3"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T20:00:51.685Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-07T19:41:18.615Z",
"value": "Made public."
}
],
"title": "net/mail: golang: net/mail: Denial of Service via pathological email address parsing",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/mail",
"product": "net/mail",
"programRoutines": [
{
"name": "addrParser.consumePhrase"
},
{
"name": "AddressParser.Parse"
},
{
"name": "AddressParser.ParseList"
},
{
"name": "Header.AddressList"
},
{
"name": "ParseAddress"
},
{
"name": "ParseAddressList"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:18.615Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/78987"
},
{
"url": "https://go.dev/cl/771520"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4977"
}
],
"title": "Quadratic string concatenation in consumePhrase in net/mail"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-42499",
"datePublished": "2026-05-07T19:41:18.615Z",
"dateReserved": "2026-04-28T00:21:12.791Z",
"dateUpdated": "2026-06-30T03:15:52.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42501 (GCVE-0-2026-42501)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 15:48
VLAI
EPSS
Title
Malicious module proxy can bypass checksum database in cmd/go
Summary
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different version of the Go toolchain than the currently installed toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod with a toolchain line), the go command will download and execute a toolchain provided by the module proxy. A malicious module proxy can bypass checksum database validation for this downloaded toolchain. Since this vulnerability affects the security of toolchain downloads, setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade your base Go toolchain. The go tool always validates the hash of a toolchain before executing it, so fixed versions will refuse to execute any cached, altered versions of the toolchain. The go tool trusts go.sum files to contain accurate hashes of the current module's dependencies. A malicious proxy exploiting this vulnerability to serve an altered module will have caused an incorrect hash to be recorded in the go.sum. Users who have configured a non-trusted GOPROXY can determine if they have been affected by running "rm go.sum ; go mod tidy ; go mod verify", which will revalidate all dependencies of the current module. The specific flaw in more detail: The go command consults the checksum database to validate downloaded modules, when a module is not listed in the go.sum file. It verifies that the module hash reported by the checksum database matches the hash of the downloaded module. If, however, the checksum database returns a successful response that contains no entry for the module, the go command incorrectly permitted validation to succeed. A module proxy may mirror or proxy the checksum database, in which case the go command will not connect to the checksum database directly. Checksums reported by the checksum database are cryptographically signed, so a malicious proxy cannot alter the reported checksum for a module. However, a proxy which returns an empty checksum response, or a checksum response for an unrelated module, could cause the go command to proceed as if a downloaded module has been validated.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go toolchain | cmd/go |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
Credits
Mundur (https://github.com/M0nd0R)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T15:48:05.053316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T15:48:47.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "cmd/go",
"product": "cmd/go",
"vendor": "Go toolchain",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mundur (https://github.com/M0nd0R)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A malicious module proxy can exploit a flaw in the go command\u0027s validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different version of the Go toolchain than the currently installed toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod with a toolchain line), the go command will download and execute a toolchain provided by the module proxy. A malicious module proxy can bypass checksum database validation for this downloaded toolchain. Since this vulnerability affects the security of toolchain downloads, setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade your base Go toolchain. The go tool always validates the hash of a toolchain before executing it, so fixed versions will refuse to execute any cached, altered versions of the toolchain. The go tool trusts go.sum files to contain accurate hashes of the current module\u0027s dependencies. A malicious proxy exploiting this vulnerability to serve an altered module will have caused an incorrect hash to be recorded in the go.sum. Users who have configured a non-trusted GOPROXY can determine if they have been affected by running \"rm go.sum ; go mod tidy ; go mod verify\", which will revalidate all dependencies of the current module. The specific flaw in more detail: The go command consults the checksum database to validate downloaded modules, when a module is not listed in the go.sum file. It verifies that the module hash reported by the checksum database matches the hash of the downloaded module. If, however, the checksum database returns a successful response that contains no entry for the module, the go command incorrectly permitted validation to succeed. A module proxy may mirror or proxy the checksum database, in which case the go command will not connect to the checksum database directly. Checksums reported by the checksum database are cryptographically signed, so a malicious proxy cannot alter the reported checksum for a module. However, a proxy which returns an empty checksum response, or a checksum response for an unrelated module, could cause the go command to proceed as if a downloaded module has been validated."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:19.691Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/775321"
},
{
"url": "https://go.dev/issue/79070"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4984"
}
],
"title": "Malicious module proxy can bypass checksum database in cmd/go"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-42501",
"datePublished": "2026-05-07T19:41:19.691Z",
"dateReserved": "2026-04-28T00:21:12.791Z",
"dateUpdated": "2026-05-08T15:48:47.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42504 (GCVE-0-2026-42504)
Vulnerability from cvelistv5 – Published: 2026-06-02 22:01 – Updated: 2026-06-26 20:22
VLAI
EPSS
Title
Quadratic complexity in WordDecoder.DecodeHeader in mime
Summary
Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | mime |
Affected:
0 , < 1.25.11
(semver)
Affected: 1.26.0-0 , < 1.26.4 (semver) |
Credits
p4p3r (https://hackerone.com/p4p3r_hak)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42504",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T14:05:39.682615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407 Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T14:06:13.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "mime",
"product": "mime",
"programRoutines": [
{
"name": "WordDecoder.DecodeHeader"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.4",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "p4p3r (https://hackerone.com/p4p3r_hak)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T20:22:46.010Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/79217"
},
{
"url": "https://go.dev/cl/774481"
},
{
"url": "https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5038"
}
],
"title": "Quadratic complexity in WordDecoder.DecodeHeader in mime"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-42504",
"datePublished": "2026-06-02T22:01:37.219Z",
"dateReserved": "2026-04-28T00:21:12.792Z",
"dateUpdated": "2026-06-26T20:22:46.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…